Author Topic: Ebay Login - False Positive???  (Read 7562 times)

Offline The Sniggler

  • Full Member
  • ***
  • Posts: 120
Re: Ebay Login - False Positive???
« Reply #15 on: June 07, 2018, 12:24:59 AM »
FWIW, Avast notification says:

Moved rrbundle.flat.min[1].js to Viruschest infected with JS:redirector-BK [TRj]

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6800
  • volunteer
Re: Ebay Login - False Positive???
« Reply #16 on: June 07, 2018, 03:22:36 AM »
FWIW, Avast notification says:

Moved rrbundle.flat.min[1].js to Viruschest infected with JS:redirector-BK [TRj]

Hello.

I have already found the file and submitted it here

rrbundle.flat.min[1].js

https://www.virustotal.com/#/file/580bcd36c4ffc5f66642b7823c5d547c71f1b4b48aab27dc8ee0e3ceb0b527be/detection

Avast detects as JS:Redirector-BKG [Trj]

Screenshots of the detection attached

Reported to Virus Lab ~

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1126
Re: Ebay Login - False Positive???
« Reply #17 on: June 07, 2018, 07:26:40 AM »
JS:Redirector-BKG [Trj] was already disabled yesterday, but I am strongly against using obfuscated scripts. Minified scripts are ok, but this specifically was bloated to avoid detection of redirection.

Offline Mike706

  • Newbie
  • *
  • Posts: 1
Re: Ebay Login - False Positive???
« Reply #18 on: November 17, 2018, 11:43:13 PM »
I just tried the Ebay login with Internet Explorer, and Avast put an item in the Virus Chest... I deleted it immediately. I am running a boot scan for safety's sake.

Also tried it on a second machine - Avast ids the threat as before.

Wonder what is going on? Hard to believe the Ebay login is infected and there is no word about it.....


Hello:

I just got the same message from Avast that this threat was avoided. Here is the report:

Threat name: JS:Redirector-BMU [Trj]

URL: https://www.ebay.com/rdr/js/s/rrbundle.flat.min.js

Process: C:\Program Files\Mozilla Firefox\firefox.exe

I tried it on a new computer with Avast and it turned up the same warning about this same Redirect.

Is this a false positive?

I was able to log on to ebay and conduct business as usual, but I'm somewhat worried about this. I ran Malwarebytes, SuperAntiSpyware, and a number of other standalone scanners such as Viper Rescue. Nothing. And Avast, other than this warning, showed nothing when I did the suggested scan included with the warning.

Someone please reply. I'm new here and have never posted before. I noticed others on the internet reporting the same exact problem when signing in to ebay.

Thanks for any help. I love Avast.

« Last Edit: November 18, 2018, 02:50:12 AM by Mike706 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33373
  • malware fighter
Re: Ebay Login - False Positive???
« Reply #19 on: November 18, 2018, 12:50:05 AM »
This was an earlier analysis of that specific uri:
https://www.hybrid-analysis.com/sample/92f0cef3f180ee7c220e6aab82b0bb8c7a67904d4c4c6f02b5c13a6d18e634e1?environmentId=100
What HonzaZ meant was an anti-detection stealthiness: Creates a resource fork (ADS) file (often used to hide data). 1/67 reputation engines marked "-http://www.ebay.com" as malicious (1% detection rate) (source: External System; relevance: 10/10).
Various AV will return it as clean, but we see no best policies followed here  :D

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline rfkco

  • Newbie
  • *
  • Posts: 2
Re: Ebay Login - False Positive???
« Reply #20 on: November 18, 2018, 03:29:26 AM »
Posted by: polonus
« on: Nov 17 at 12:50:05 AM »
Quote
Various AV will return it as clean, but we see no best policies followed here

The subject of this thread was "Ebay Login - False Positive???"  So is Avast posting a False Positive?

As an additional protection from JavaScript redirect type malware, do you recommend using a browser extension in Firefox like NoScript?  If this malware, JS:Redirector-BMU [Trj], were real, would an extension like NoScript stop it?  The reason I ask is that today with NoScript active, Avast does not flag a threat warning when I get to the Ebay login page.  If I turn NoScript off, Avast flags the threat "We've safely aborted connection to www.ebay.com because it was infected with JS:Redirector-BMU [Trj]."


Offline zdik

  • Newbie
  • *
  • Posts: 4
Re: Ebay Login - False Positive???
« Reply #21 on: November 18, 2018, 11:37:46 AM »
So will there be any answer?
Avast, Chrome, Firefox, Opera all complain about js:redirector-bmu when I try to log in
https://www.virustotal.com/ru/file/84b5b0825e844669ff4021a3c5b650f66a0eb6ee23c71c8d9fa461198bceef7c/analysis/1542467129/

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72843
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Ebay Login - False Positive???
« Reply #22 on: November 18, 2018, 11:41:35 AM »
Please post English here, else use the forum section for your language.
-> https://forum.avast.com/index.php?board=21.0
Win 8.1 [x64] - Avast PremSec 21.10.6772.IBC [UI.679] - EEK - Firefox ESR 91.3 [NS/uBO/PB] - TB 91.3.2
Avast-Tools: Secure Browser 96.0 - Cleanup 21.3 - SecureLine 5.14 - Driver Updater 21.3 - CCleaner 5.87
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33373
  • malware fighter
Re: Ebay Login - False Positive???
« Reply #23 on: November 18, 2018, 01:28:33 PM »
Also consider these scan results: https://webcookies.org/cookies/www.ebay.com/20254066
a -12 security score... also consider: https://webcookies.org/ssl/report/www.ebay.com/15798
Error here: hint #1: 'content-type' header media type value should be 'text/javascript', not 'application/javascript';
Static resources should have a long cache value (31536000) and use the immutable directive: public, max-age=0;
Response should be compressed with Brotli when Brotli compression is requested over HTTPS

But no security implications seen there. Do we have to reckon with an AVG/avast FP in this case?
I see a retirable library here: https://retire.insecurity.today/#!/scan/92018e8cedcf9a9e4204faa410bf76be8a80dac2e5fd8929118a0f0727f6baaf

Domain is not malware free no way: https://www.virustotal.com/#/domain/www.ebay.com

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

Offline rfkco

  • Newbie
  • *
  • Posts: 2
Re: Ebay Login - False Positive???
« Reply #24 on: November 18, 2018, 04:44:43 PM »
polonus - my apologies.  I did not notice that at the bottom of each of your posts you say "Use NoScript, a limited user account and a virtual machine and be safe(r)!"    Thanks for this advice.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33373
  • malware fighter
Re: Ebay Login - False Positive???
« Reply #25 on: November 18, 2018, 05:12:53 PM »
Hi rfkco,

You're welcome. Yep, NoScript and also uMatrix for that matter are solutions that will always work both for present and even for future (3rd party) script threats. Giorgio Maone presented a wonderful tool for us all to keep us much more secure inside the browser.  We all  know that JavaScript can be the royal way into your device's OS for malware, adware, bloatware and potentially unwanted code.

Only if users were more aware of the benefits like we are, it would be much more secure under everyone's browser-hood.

Have a nice day and again thanks for reporting here,  stay safe and secure both offline and online,

polonus

Offline zdik

  • Newbie
  • *
  • Posts: 4
Re: Ebay Login - False Positive???
« Reply #26 on: November 18, 2018, 06:13:02 PM »
polonus, NoScript plugin for FF blocks ebay

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85956
  • No support PMs thanks
Re: Ebay Login - False Positive???
« Reply #27 on: November 18, 2018, 06:42:36 PM »
polonus, NoScript plugin for FF blocks ebay

I don't know why that would be the case. Given eBay is a very high traffic site, that NoScript would want to block.

That said, we would need more details, screenshot or the wording to see why.

I no longer use NoScript (uBlock Origin) so I can't check.  However, you should be able to change NoScript to allow it.  But I wouldn't do that until we find why it is blocked.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33373
  • malware fighter
Re: Ebay Login - False Positive???
« Reply #28 on: November 18, 2018, 10:05:28 PM »
Hi DavidR,

I do not use NoScript nor uMatrix in a browser, that I came to appreciate some time ago for its effectiveness and that is Avast Secure Browser. Whenever for out of the ordinary requests and scanning I browse browsers like Iridium, beaker or Brave.

NoScript and uMatrix also always have been a bit outside the scope of the common browser user, that do not know how and why to toggle such extensions to be secure under all circumstances. I mean to know what main and third-party scripts to block and not allow or not to block and to allow.

Some links from ebay are being blocked for me like: -https://pagead2.googlesyndication.com/pagead/osd.js & -https://pagead2.googlesyndication.com/pagead/osd.js but more as ads are being blocked...

See some of the privacy hiccups at ebay's: https://privacyscore.org/site/117501/

1. See all known 3rd party scripts and known trackers, 24 & 9.
2. Find that server is vulnerable to secure-client-initiated renegotiation,
3. Find that no referrer-policy header is being set.
4. See server is vulnerable to the SWEET32 attack.

Damian
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
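
The header findings quoted in replies #23 and #28 (script content type, cache lifetime with `immutable`, Brotli on request, missing referrer-policy), written as a small checker. This is an added example, not part of any forum post; the function names and the sample response are constructed for illustration, with the `application/javascript` and `public, max-age=0` values taken from the quoted hints.

```python
ONE_YEAR = 31536000  # cache lifetime named in the quoted hint


def audit_script_headers(headers, accept_encoding="gzip, br"):
    """Return findings for one static-script HTTP response (header dict)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # Hint: media type should be text/javascript, not application/javascript.
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "text/javascript":
        findings.append("content-type should be text/javascript, got: " + (media_type or "missing"))

    # Hint: long cache value (31536000) plus the immutable directive.
    directives = {}
    for part in h.get("cache-control", "").split(","):
        name, _, value = part.strip().lower().partition("=")
        if name:
            directives[name] = value
    max_age = directives.get("max-age", "")
    if not (max_age.isdigit() and int(max_age) >= ONE_YEAR):
        findings.append("cache-control max-age is below 31536000")
    if "immutable" not in directives:
        findings.append("cache-control lacks the immutable directive")

    # Hint: compress with Brotli when the client asked for it.
    offered = {e.split(";")[0].strip().lower() for e in accept_encoding.split(",")}
    if "br" in offered and h.get("content-encoding", "").lower() != "br":
        findings.append("Brotli was requested but the response is not Brotli-compressed")
    return findings


def missing_referrer_policy(headers):
    """True when a page response sets no Referrer-Policy header."""
    return "referrer-policy" not in {k.lower() for k in headers}


# Constructed sample response; Content-Encoding is an assumed value.
SAMPLE = {
    "Content-Type": "application/javascript",
    "Cache-Control": "public, max-age=0",
    "Content-Encoding": "gzip",
}

if __name__ == "__main__":
    for finding in audit_script_headers(SAMPLE):
        print("-", finding)
    print("referrer-policy missing:", missing_referrer_policy(SAMPLE))
```
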

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85956
  • No support PMs thanks
Re: Ebay Login - False Positive???
« Reply #29 on: November 19, 2018, 12:03:14 AM »
@  polonus
Off Topic:
Since I can't use Avast Secure Browser on all systems, I won't be installing it on any.  Plus I'm still not a fan of Chrome or chromium based browsers.

Back On Topic:
I certainly wouldn't say NoScript is particularly complex.
I never mentioned uMatrix which is more complex, like the RequestPolicy add-on that I also used in the past.