Author Topic: False positive site blacklisted as phishing  (Read 9612 times)


REDACTED

  • Guest
False positive site blacklisted as phishing
« on: September 22, 2018, 04:00:27 PM »
We have our site, info.santander.com.uy, blacklisted as phishing; it is properly called from the main site www.santander.com.uy.

Can you please clarify the reasons behind this decision and how to unblock it?

Thanks!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33903
  • malware fighter
Re: False positive site blacklisted as phishing
« Reply #1 on: September 22, 2018, 04:31:46 PM »
Not there: -https://www.santander.com.uy
Consider on reverse DNS: Invalid URL
The requested URL "[no URL]", is invalid.
Reference #9.af8e7b5c.1537626237.158db467
Also: https://www.virustotal.com/#/ip-address/104.82.201.165
VT responds
Quote
Oops, I know nothing about this item.
Hi there, my name is Win32.Helpware.VT... certain antivirus labs also call me W32.eHeur.BadNews.GAFE, I guess it is because every time I appear they get very upset. It looks like you found a hole in my malware net...

IP address "104.82.201.165" not found
Re: https://toolbar.netcraft.com/site_report?url=https%3A%2F%2Fwww.santander.com.uy
and https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3LnN8bnR8biN7fS5eXW0udXlg~enc

See domain search results here: https://www.virustotal.com/#/domain/www.santander.com.uy
CLEAN MX alerts PHISHING: https://www.virustotal.com/#/url/28a15f42b9e6b0f6a5d65dcf69e7ac145a7e14c0999653c448c228e1bbaa8b72/detection

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: False positive site blacklisted as phishing
« Reply #2 on: September 22, 2018, 04:37:42 PM »
Hi polonus, thanks for your reply.

I've already checked all the usual sites for anomaly detection and found nothing so far indicating a problem.

VirusTotal reports no problem against www.santander.com.uy nor against info.santander.com.uy (the flagged domain). NetCraft also reports no problems.

Also, the info site is going through CloudFlare on IP 104.20.249.118, so I don't think that's a problem either.

Do you have any insight as to the reasons Avast has for flagging a domain? It's not clear at all to us what may be wrong.

Thanks,
G.-

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

REDACTED

  • Guest
Re: False positive site blacklisted as phishing
« Reply #4 on: September 22, 2018, 05:05:04 PM »
Hi, thanks for your reply!

I already reported the problem on that URL, but I don't know if there's someone there today.

So I'm trying to understand WHY the site was flagged in an attempt to fix it ASAP.

Certainly there's no phishing on that domain nor was it compromised by any means, so there's something about our domain that the avast algorithm didn't like.

The new site went live yesterday and we have no real timeframe to wait until Monday for someone from Avast to review the complaint.

Any insights about what may be are really appreciated.

Thanks again,
G.-


Offline Asyn

Re: False positive site blacklisted as phishing
« Reply #5 on: September 22, 2018, 05:10:28 PM »
Quote
I already reported the problem on that URL, but I don't know if there's someone there today.

The guys from the threat lab are also working on weekends.

REDACTED

  • Guest
Re: False positive site blacklisted as phishing
« Reply #6 on: September 22, 2018, 05:41:04 PM »
Do you know how long it usually takes to fix a problem like this? Or if a support account exists?



Offline Asyn

Re: False positive site blacklisted as phishing
« Reply #7 on: September 22, 2018, 05:43:28 PM »
Usually a few hours.

Offline polonus

Re: False positive site blacklisted as phishing
« Reply #8 on: September 22, 2018, 07:02:33 PM »
Website is insecure in this respect according to Tracker SSL:
Quote
Website is insecure by default
100% of the trackers on this site could be protecting you from NSA snooping. Tell -santander.com.uy to fix it.

Identifiers | All Trackers
 Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.

dafa79a834b798f7ce114bcba5e116ee41537635149 info dot santander dot com dot uy __cfduid
Legend

 Tracking IDs could be sent safely if this site was secure.

Furthermore consider the  9 security errors here: https://webhint.io/scanner/4c67feca-5580-4371-8555-b2c0039417a7

4 vulnerable retirable jQuery libraries found: https://retire.insecurity.today/#!/scan/022399493f4b1d01b69cf4428cf2223cd8866a2f8f8711f3d8eee311375093af

polonus (volunteer website security analyst and website error-hunter)

REDACTED

  • Guest
Re: False positive site blacklisted as phishing
« Reply #9 on: September 22, 2018, 07:15:58 PM »
Hi polonus, thanks for your pointers.

I've already checked most of the sites, and besides some recommendations and best practices that could be followed, none of that justifies Avast classifying the santander.com.uy domain as phishing.

The main questions here are:

Why is Avast classifying as phishing a site which obviously isn't?

Why does it take so long on their part to respond, given that there are customers complaining online about it for hours? (see attached image)

This is really damaging on many ends, not justifiable on an outdated jQuery library.




REDACTED

  • Guest
Re: False positive site blacklisted as phishing
« Reply #10 on: September 23, 2018, 03:00:48 PM »
We have received no response so far from Avast. Does someone know a better way to report the issue?

We've been having problems all weekend because of the misclassification.

Thanks

Offline Asyn

Re: False positive site blacklisted as phishing
« Reply #11 on: September 23, 2018, 03:13:37 PM »
Hi, I'll forward it for you.

Offline Asyn

Re: False positive site blacklisted as phishing
« Reply #12 on: September 23, 2018, 03:21:28 PM »
Info: It will be fixed in next VPS update.

REDACTED

  • Guest
Re: False positive site blacklisted as phishing
« Reply #13 on: September 23, 2018, 04:27:51 PM »
@Asyn, thanks for your reply!

Do you know when the next VPS update is scheduled?


Offline Asyn

Re: False positive site blacklisted as phishing
« Reply #14 on: September 23, 2018, 04:32:26 PM »
You're welcome. (Nope, but most probably later today...)