Topic: False positive site blacklisted as phishing


REDACTED (Guest)
Re: False positive site blacklisted as phishing
« Reply #15 on: September 23, 2018, 04:46:51 PM »
Another question.

Does anyone know if it is possible to know when and why Avast classified the domain as vulnerable?

Thanks
G.-

Offline Asyn (Avast Überevangelist)
Re: False positive site blacklisted as phishing
« Reply #16 on: September 23, 2018, 04:57:07 PM »
Quote
Does anyone know if it is possible to know when and why Avast classified the domain as vulnerable?
Let's see, the talkative threat lab guys will be back on Monday... ;)
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline HonzaZ (Avast team)
Re: False positive site blacklisted as phishing
« Reply #17 on: September 24, 2018, 10:44:31 AM »
Hi,
There are two issues:
First, info.santander.com.uy was really blocked from 30th July (!!) till just now. I checked the statistics and it seems that only ~30 users saw the detection in the past 7 days, so it is not likely the main cause.
Secondly, there is a widespread infection of Mikrotik routers that appends malicious code to legit websites. This would also show as HTML:Script-inf.

To sum it up, considering that you say there were many people complaining this weekend, I would bet it is mainly because of the second possible reason.


REDACTED (Guest)
Re: False positive site blacklisted as phishing
« Reply #18 on: September 24, 2018, 01:13:18 PM »
HonzaZ, thanks for your answer.

The domain was in development mode until Friday when it went live, so somehow you classified a site under development as phishing.

People are complaining about the block this weekend since the site went live this weekend, and I don't think the infected routers are the problem since it's running in AWS behind an ELB and using Cloudflare.

Don't you have the original reason why you blocked the domain? It would be really appreciated since Avast is widely used and we need to avoid future events like this.


Offline HonzaZ (Avast team)
Re: False positive site blacklisted as phishing
« Reply #19 on: September 24, 2018, 02:23:31 PM »
Quote
... I don't think the infected routers are the problem since it's running in AWS behind an ELB and using Cloudflare.

It is not because your routers are infected, it is because the users' routers are infected. Search for "Mikrotik infection" and you will see what I am talking about; our blog post is not published yet.
In short, users' routers were infected in such a way that they injected a malicious script into the HTML content of all URLs (Google, Microsoft and most likely also Santander), which then resulted in the HTML:Script-inf detection. This has nothing to do with security on your side, it is just another type of man-in-the-middle attack.
As this was a massive outbreak, it is in my opinion much more probable that the detection was caused by infected routers (a number that I cannot estimate) than by the blocked "info." subdomain (a number which I estimate to 30 users total).
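
The in-path injection HonzaZ describes leaves a concrete trace: a user's browser receives a page carrying a script the origin never served. The following is an added example (not Avast's code and not from anyone in this thread) of the check a site owner or incident responder can run: collect the script sources from the HTML the origin actually serves and from the HTML a user captured, then flag script hosts outside the owner's allow-list and scripts present only in the user's copy. Every hostname, URL and HTML fragment below is constructed for the example.

```python
# Added example (not Avast's code, not from the thread): detect <script src>
# hosts a site never references, and scripts present in what a user received
# but absent from what the origin served. Hostnames and HTML are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src.strip())


def script_sources(html):
    """Return the script src values of a document, in document order."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return parser.srcs


def unexpected_script_hosts(html, page_url, allowed_hosts):
    """Hosts of external scripts that are neither the page's own host nor on
    the owner's allow-list. A relative src has no host and counts as
    same-origin; a protocol-relative '//host/...' src resolves to that host."""
    allowed = {h.lower() for h in allowed_hosts}
    allowed.add(urlparse(page_url).hostname.lower())
    suspects = set()
    for src in script_sources(html):
        host = urlparse(src).hostname
        if host and host.lower() not in allowed:
            suspects.add(host.lower())
    return sorted(suspects)


def injected_scripts(origin_html, observed_html):
    """Script srcs present in what a user received but absent from what the
    origin served: the signature of modification somewhere on the path."""
    served = set(script_sources(origin_html))
    return [s for s in script_sources(observed_html) if s not in served]


# Constructed sample of what the origin serves...
ORIGIN_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.example-bank.test/lib.js"></script>
</head><body>hello</body></html>"""

# ...and what a client behind a tampering device might receive (constructed).
OBSERVED_HTML = ORIGIN_HTML.replace(
    "</body>", '<script src="http://injected.invalid/m.js"></script></body>')

PAGE_URL = "https://www.example-bank.test/"
ALLOWED_HOSTS = ["cdn.example-bank.test"]

if __name__ == "__main__":
    print("origin, unexpected hosts:",
          unexpected_script_hosts(ORIGIN_HTML, PAGE_URL, ALLOWED_HOSTS))
    print("observed, unexpected hosts:",
          unexpected_script_hosts(OBSERVED_HTML, PAGE_URL, ALLOWED_HOSTS))
    print("injected:", injected_scripts(ORIGIN_HTML, OBSERVED_HTML))
```

Run against a page saved from an affected user's browser alongside a fresh fetch from the origin: an empty result from both functions points away from in-path tampering, which is exactly the distinction HonzaZ draws between the router outbreak and the earlier, unrelated block of the subdomain.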

REDACTED (Guest)
Re: False positive site blacklisted as phishing
« Reply #20 on: September 24, 2018, 02:28:42 PM »
That may indeed be the case.

But even so, why was the subdomain blocked?

Is it possible that this Mikrotik infection made the Avast engine think the subdomain was indeed compromised and block it?

Until yesterday, scanning a file on disk with a reference to info.santander.com.uy resulted in a positive (I'm attaching a file that yesterday was triggering HTML:Script-Inf just by scanning the file, no network involved).

So the domain was obviously blacklisted.


Offline HonzaZ (Avast team)
Re: False positive site blacklisted as phishing
« Reply #21 on: September 24, 2018, 03:47:51 PM »
Hi,
These two things are definitely not related (because the block happened before the infection of Mikrotik devices), and I am not saying we didn't block it; just that there are two causes of the same result.
As for the reason, it is too far back; I have no idea why it was blocked back in July.

REDACTED (Guest)
Re: False positive site blacklisted as phishing
« Reply #22 on: September 24, 2018, 03:58:55 PM »
Ok, that's clear.

Nonetheless, we need to understand what may have happened in order to avoid this in the future, since, believe me, we had a hectic weekend because of this.

I've seen reports as far back as 2016 of Avast classifying sites such as google.com as phishing: https://forum.avast.com/index.php?topic=186672.0

I assume you have an automatic procedure without human vetting before blacklisting a domain, do you have a best-practices list or criteria to avoid being flagged again? Since this is an automated procedure we're unable to rely on someone from your team actually verifying the validity of a report.

Thanks again!

REDACTED (Guest)
Re: False positive site blacklisted as phishing
« Reply #23 on: September 25, 2018, 12:34:46 AM »
Just not to let this topic die.

Is there any best-practices or recommendation guide to avoid being automatically classified as a phishing site?

Thanks again!
G.-

Offline polonus (Avast Überevangelist, malware fighter)
Re: False positive site blacklisted as phishing
« Reply #24 on: September 25, 2018, 11:49:15 AM »
Best way to go is develop with security in mind, that means keeping up with "best practices".

For any form of successful compromise, the attacker would be advised: "Use the source code, Luke", so do not allow someone to intelligently poke into developer module accounts, as you may see 4 attempts per account, and they always will attack the account of your boss, as he may not be aware like you of user enumeration attacks. Go to the server application logs to know what is eventually going on.

Persistent attackers always form a challenge. Be fully aware of the attack surface you leave open or haven't got available
(securely handled tokens, encrypt all your traffic, iFrame tags can lead to any form of exploit. Very bad, but also very commonly found).
Quote
On the subject of PHISHING. To protect your Webserver from infection, make sure you protect your root password:

Make sure you don't use it across unencrypted connections.
Make sure you don't allow direct root login over the network so nobody can perform online brute force and dictionary attack password cracking attempts. A previous article of mine can help secure your server against brute-force password cracking attempts.
Make sure your root password is strong — preferably at least 12 characters including capital and lower-case letters, numbers, special characters, and spaces.
Make sure your passwords use Blowfish instead of MD5 or DES.
To check whether your Webserver is infected, try creating a directory whose name starts with a numeral, with a command like:

mkdir 123

If it doesn't work, your system is probably infected.
(source info quote credits go to Tech Pro TechRepublic)

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
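
The quoted TechRepublic advice says to prefer Blowfish over MD5 or DES for the root password. On a Unix host that is checkable: crypt(3) hashes in /etc/shadow announce their scheme in a "$id$" prefix ($1$ is MD5-crypt, $2a$/$2b$/$2y$ are bcrypt, $5$/$6$ are SHA-crypt, $y$ is yescrypt), and a bare 13-character hash is traditional DES. The following is an added example, not from the thread or the quoted article, that audits shadow-format lines for weak or unknown schemes; the user names, hash bodies and shadow lines are constructed placeholders, not real credentials.

```python
# Added example (not from the thread or TechRepublic): audit /etc/shadow-style
# lines for password hashing schemes weaker than the quoted advice recommends.
# The shadow lines and hash strings below are constructed placeholders.
import re

# crypt(3) prefix -> (scheme name, acceptable?)
SCHEMES = {
    "1": ("md5-crypt", False),
    "2a": ("bcrypt", True),
    "2b": ("bcrypt", True),
    "2y": ("bcrypt", True),
    "5": ("sha256-crypt", True),
    "6": ("sha512-crypt", True),
    "y": ("yescrypt", True),
}

DES_RE = re.compile(r"[./0-9A-Za-z]{13}")   # traditional DES: 13 chars, no prefix
PREFIX_RE = re.compile(r"\$([^$]+)\$")


def classify_hash(field):
    """Classify one shadow password field.
    Returns (scheme, acceptable, locked)."""
    if field == "":
        return ("empty-password", False, False)   # login with no password at all
    if field == "*" or field.startswith("!"):
        return ("locked", True, True)              # '!' prefix = locked, '*' = no password login
    m = PREFIX_RE.match(field)
    if m:
        scheme, ok = SCHEMES.get(m.group(1), ("unknown-$" + m.group(1) + "$", False))
        return (scheme, ok, False)
    if DES_RE.fullmatch(field):
        return ("des-crypt", False, False)
    return ("unrecognised", False, False)


def audit_shadow(lines):
    """Return [(user, scheme)] for accounts whose hashing scheme is weak or
    unknown; locked accounts are skipped, blank and '#' lines ignored."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        scheme, ok, locked = classify_hash(parts[1])
        if not ok and not locked:
            findings.append((parts[0], scheme))
    return findings


# Constructed shadow entries; the hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = [
    "root:$2y$10$c29tZXNhbHR2YWx1ZTAxMjM0NTY3ODkuQUJDREVGR0hJSktMTU5PUFFSU1RVVg:18000:0:99999:7:::",
    "deploy:$1$saltsalt$QWERTYUIOPASDFGHJKLZXCV:18000:0:99999:7:::",
    "legacy:ab8MsvjM/hxxQ:18000:0:99999:7:::",
    "svc::18000:0:99999:7:::",
    "www-data:*:18000:0:99999:7:::",
    "old:!$6$saltsalt$abcdefghijklmnopqrstuvwxyz:18000:0:99999:7:::",
]

if __name__ == "__main__":
    # On a real host: audit_shadow(open("/etc/shadow").read().splitlines()), run as root.
    for user, scheme in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {scheme}")
```

The "svc" entry shows why an empty field is reported separately from a weak scheme: it is not a hash at all, but an account that authenticates with no password, which is worse than MD5.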

REDACTED (Guest)
Re: False positive site blacklisted as phishing
« Reply #25 on: September 25, 2018, 02:51:25 PM »
polonus, thanks for your answer.

I mean no disrespect, and I truly appreciate your commitment here. But you should really read what is written before writing down your "consulting" recommendations.

The site was flagged WITHOUT being compromised, what I need is best-practices regarding Avast algorithmic flagging, not regarding how to secure a server.

My understanding by this thread, is that Avast doesn't want to recognize that their classification algorithm has some serious problems. (in the end it must be cheaper to fix by hand what the algorithm mistakenly flags, than to manually vet every flagged vulnerability).

Thanks,
G.-

Offline polonus (Avast Überevangelist, malware fighter)
Re: False positive site blacklisted as phishing
« Reply #26 on: September 25, 2018, 06:19:40 PM »
Hi guillermow,

I do not like to talk at cross-purposes. With general recommendations I just report what is found during 3rd party cold reconnaissance scanning, and this according to my 12 years of experience in doing so. Whenever I stumble upon retirable libraries, outdated code, code errors etc. I give D- and F-status grades for the record. What you do with such "pointers" is up to you and/or your hoster/CDN etc.

Where avast detection is concerned, that is "their part of the bargain" and depending upon detection as remained by avast team. I am just a volunteer with relevant knowledge on the official avast support forums, I cannot take any responsibility for avast detection issues where these are not being actual or depending on third party reports from the avast community or other listings.  That is out of my scope. I highly respect avast team member's comments and reactions here. I guess they are glad with you reporting issues to them and also glad with what I am trying to do informing on the stand of (in)security of your website.

Have a nice day, vaya con Dios,

Damian aka polonus

Offline HonzaZ (Avast team)
Re: False positive site blacklisted as phishing
« Reply #27 on: September 26, 2018, 10:01:24 AM »
Quote
My understanding by this thread, is that Avast doesn't want to recognize that their classification algorithm has some serious problems.
I am sorry that this is your understanding, it certainly isn't the case. We recognize that there may be false positives, both in our automatic systems and in manual analyses.

Unfortunately, there are so many automatic systems that there is no silver bullet. Most URLs are blocked because they are serving content which we deem malicious, but there are many other systems that block according to very specific rules. Also we have many automatic unblocking systems, but as your domain only had a couple of visitors during the weekend, it was not even considered (certain traffic is needed to enter the algorithm).

Offline Asyn (Avast Überevangelist)
Re: False positive site blacklisted as phishing
« Reply #28 on: September 26, 2018, 10:23:40 AM »
Quote
Also we have many automatic unblocking systems, but as your domain only had a couple of visitors during the weekend, it was not even considered (certain traffic is needed to enter the algorithm).
Interesting, thanks Honza, good to know.

Offline HonzaZ (Avast team)
Re: False positive site blacklisted as phishing
« Reply #29 on: September 26, 2018, 10:53:48 AM »
Quote
Also we have many automatic unblocking systems, but as your domain only had a couple of visitors during the weekend, it was not even considered (certain traffic is needed to enter the algorithm).
Interesting, thanks Honza, good to know.
Just to be clear - we have a couple of automatic unblocking systems, but the one that could unblock this particular domain needed bigger traffic.