Site Blocked - URL:Phishing

[jedrzejevski]

Hello,

Apparently, my site was blocked as well. If someone has installed Avast on their notebooks, then error: URL:Phishing pops up. It happens for example on: http://lakp.pl/webpage.php?id=387 or http://lakp.pl/zawodnik.php?playerId=7736.

It is a page built by myself. Can someone help me with detecting why it was blocked? I have run scan: https://retire.insecurity.today/#!/scan/da0c48038c5188f6fa437286968531e736bb98ee851a10362e4148fd295bb489 and it seems that there is 1 vulnerable library (jquery 1.11.3), can it be the cause?

Thanks,
Adrian

[Asyn]

-> https://sitecheck.sucuri.net/results/lakp.pl/webpage.php?q=id%3D387
-> https://www.virustotal.com/gui/url/b646788e28b594aed22a569eb97a166130f3d6f7860b90d71ae0ce3b16530cbe/detection
-> https://zulu.zscaler.com/submission/cafd7b5a-66c4-4fa4-8e6d-2fe89be05e83

[polonus]

Witam Panie Adrianie,

I scanned one of the links you gave for recommendations (hints towards improvement e.g. security improvement),
and it came up with some 200 issues: https://webhint.io/scanner/3d28d568-67c6-4138-9d97-805c21231595
See particularly: https://webhint.io/scanner/3d28d568-67c6-4138-9d97-805c21231595#category-security

Certainly that http site has some backlying php problems at the webserver and as you saw it is not only avast to complain about that.
But it is not that the blocking is about.

See:

<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylXXXXXXXXXXXXXXXXXXXXvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_vgqARs6XTetJ9eDkEAigNmOH0gI5oDHVDcJDA1yqXazCcWPMB7YBiWBbQDicgeQD0aSb9mBSmBlUDES6V4hqeQ==><head><meta charset="utf-8"><title>lak.pl&nbsp;-&nbspThis website is for sale!&nbsp;-&nbspLak Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="This website is for sale! -lak.pl is your first and best source for all of the information you’re looking for. From general topics to more of what you would expect to find here, -lak.pl has it all. We hope you find what you are searching for!"><link

XXXXXX obfuscated by me for obvious reasons  (pol).

"Your site" has been sedo-parked and is earning adclicks for ABP "from the grave" (as it is for sale).
Now a rogue can't just copy someone else's "data-adblockkey" for their own site: -http://img.sedoparking.com","adblockkey":" data-

Spammy looking links: Any links with funky anchor text? Yes there are.

<a href="-http://lakp.pl/wyniki.php?roundId=642">Moore - Git Team 4-3 (3-0)<br> Adampol - Poker 6-1 (2-1)<br> Nexbet - Krupniki 4-3 (0-2)<br> Dywany - APP Energy 5-7 (2-2)<br> Bosko - Tifosi 5-3 (2-1)<br> Czarni - Politechnika 4-2 (1-1)</a>
<a style="text-decoration: none !important; color: #302c7f;" href="-klub.php?teamId=46">Poker</a> To wszystko (pol).

pozdrawiam,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

[jedrzejevski]

Hi Polonus,

Thanks for your help.
However, I can't find the part of the site that you mentioned, the :

<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylXXXXXXXXXXXXXXXXXXXXvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_vgqARs6XTetJ9eDkEAigNmOH0gI5oDHVDcJDA1yqXazCcWPMB7YBiWBbQDicgeQD0aSb9mBSmBlUDES6V4hqeQ==><head><meta charset="utf-8"><title>lak.pl&nbsp;-&nbspThis website is for sale!&nbsp;-&nbspLak Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="This website is for sale! -lak.pl is your first and best source for all of the information you’re looking for. From general topics to more of what you would expect to find here, -lak.pl has it all. We hope you find what you are searching for!"><link

My site is lakp.pl, not the lak.pl that this quote points to.
Regarding ? in the links, I know it's not a best way still to use URLs, however it is still used by many websites over the world, do you think it can be a source of the issues?
Thanks,

[polonus]

Do not see the website LAKP being blocked by avast now.
Also see: https://urlscan.io/result/16c1e500-62f4-4325-995f-986b639b986e/#links
Detections normally are based on such indicators like: https://urlscan.io/result/16c1e500-62f4-4325-995f-986b639b986e/#indicators

polonus

[aemn.hnaoe]

Hi,
URL block was disabled.

Lukas

Hello, I'm having problems with my website (www.faceyok.com and www.damascusgrill.com ), whenever I try to access it from any computer that has Avast installed it does not allow access and the attachment popup appears.

[DavidR]

<snip quote>
Hello, I'm having problems with my website (wXw.faceyok.com and wXw.damascusgrill.com ), whenever I try to access it from any computer that has Avast installed it does not allow access and the attachment popup appears.

Please 'modify' your post change the URL from www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

See https://sitecheck.sucuri.net/results/damascusgrill.com this is blacklisted by others and is considered Critical Security Risk
https://sitecheck.sucuri.net/results/faceyok.com and is a Medium Security Risk

Since both are on the same IP address both are likely to be tarred with the same brush.

[polonus]

DavidR is right, but according to Virus Total scan-results swopped detections.

It is not only avast's that detects here, also Fortinet's, see:
https://www.virustotal.com/gui/url/f7aeeef1224ff2077c2f219836fbc072a4f34a70e913bce1681aae353dc172a4/detection

And there in this case it is the other way around as VT reports the other website in the clear
https://www.virustotal.com/gui/domain/www.damascusgrill.com/relations
as McAfee blacklists can be dated. Anyway software on that site is outdated as well, see also
the security implications of this scan: https://webhint.io/scanner/34a3bd1a-ee16-481e-809d-b54668db60e6#category-security

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

[seeraig]

My site scentbox.com is also getting blocked for URL: phishing. The site has been online for over 4 years with no issues. I've also sent a request to avast through their false positive form, but haven't heard back yet. Customers cannot access the site and it's the busiest period of the year, really not fair to block legitimate sites like this. I've scanned it with the online tools, comes up clean. Can someone help me figure out how to get Avast to unblock the site or what's wrong?

[DavidR]

@ seeraig
See https://sitecheck.sucuri.net/results/scentbox.com your site is considered a medium security risk.

Also see https://webhint.io/scanner/af9cf4ee-5922-4761-8468-48163fcfdad8 there are many security points that should be considered.

Now this may not be why avast is alerting on it, but the points mentioned in the above links could leave your site vulnerable to hacking, etc.

[Pondus]

Can someone help me figure out how to get Avast to unblock the site or what's wrong?

Report a suspected false positive (select file or website)


Click this link >>  https://www.avast.com/false-positive-file-form.php

[polonus]

Probably this link could be flagged:  -https://cdn.userway.org/widget.js
Besides we discovered an alert that your connection is not secure (see *)

Above links opens up to  -https://cdn.userway.org/widget.js
->  as a javascript error also a file not found:
-https://userway.org/promo/fonts/metropolis/metropolis.css?v=1579685658
= at -cdn.userway.org
IP Address   -143.204.192.15
Hostname(s)   
-server-143-204-192-15.lhr3.r.cloudfront.net
-> https://sitereport.netcraft.com/?url=server-143-204-192-15.lhr3.r.cloudfront.net
Country   United States
Organization   Amazon CloudFront

Android malcode detections on IP relations - https://www.virustotal.com/gui/ip-address/143.204.192.15/relations

But I see no cloaking, no spammy looking links, all same status codes for the website an sich.
But as our DavidR reminds us the website has various security issues,
resulting in a minus 7 score here *; see scan:
https://webcookies.org/cookies/scentbox.com/31197601?435913
Given as excessive server info proliferation, Transport Layer Security (TLS) is not enabled (as reported by SiteCheck also); X-Frame-Options header is missing; X-XSS-Protection header is missing and X-Content-Type-Options header is missing.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

[seeraig]

@ seeraig
See https://sitecheck.sucuri.net/results/scentbox.com your site is considered a medium security risk.

Also see https://webhint.io/scanner/af9cf4ee-5922-4761-8468-48163fcfdad8 there are many security points that should be considered.

Now this may not be why avast is alerting on it, but the points mentioned in the above links could leave your site vulnerable to hacking, etc.

This doesn't have to do with phishing though, and 90% of almost every website comes up as medium risk, but they're not blocked as phishing.

[seeraig]

Probably this link could be flagged:  -https://cdn.userway.org/widget.js
Besides we discovered an alert that your connection is not secure (see *)

Above links opens up to  -https://cdn.userway.org/widget.js
->  as a javascript error also a file not found:
-https://userway.org/promo/fonts/metropolis/metropolis.css?v=1579685658
= at -cdn.userway.org
IP Address   -143.204.192.15
Hostname(s)   
-server-143-204-192-15.lhr3.r.cloudfront.net
-> https://sitereport.netcraft.com/?url=server-143-204-192-15.lhr3.r.cloudfront.net
Country   United States
Organization   Amazon CloudFront

Android malcode detections on IP relations - https://www.virustotal.com/gui/ip-address/143.204.192.15/relations

But I see no cloaking, no spammy looking links, all same status codes for the website an sich.
But as our DavidR reminds us the website has various security issues,
resulting in a minus 7 score here *; see scan:
https://webcookies.org/cookies/scentbox.com/31197601?435913
Given as excessive server info proliferation, Transport Layer Security (TLS) is not enabled (as reported by SiteCheck also); X-Frame-Options header is missing; X-XSS-Protection header is missing and X-Content-Type-Options header is missing.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

I removed the userway js, still getting blocked though. i've had that 3rd party script for over 6 months though without issue.

[seeraig]

@ seeraig
See https://sitecheck.sucuri.net/results/scentbox.com your site is considered a medium security risk.

Also see https://webhint.io/scanner/af9cf4ee-5922-4761-8468-48163fcfdad8 there are many security points that should be considered.

Now this may not be why avast is alerting on it, but the points mentioned in the above links could leave your site vulnerable to hacking, etc.

these are separate issues, I need to know why Avast is blocking as phishing