Author Topic: Avast blocked Paypal, saying infected by HTML:PhishingPP-DH[Phish]  (Read 8973 times)


Offline avragorn

  • Full Member
  • ***
  • Posts: 130
Hello,

I contact you because approximately a half hour ago, I had to use Paypal to send some money to a friend, on Firefox and I was using Private Browsing, and AVAST suddenly blocked Paypal, I got a message saying "infected by HTML:PhishingPP-DH[Phish]"



I tried with Chrome and Internet Explorer, impossible to reach Paypal, like if Paypal was blocking it.

I tried again a few minutes later on Firefox (Private Browsing again), and it perfectly worked, I sent the money to my friend. I tested on Chrome and Internet Explorer too again, the Paypal site was reachable again.

Was it a false positive and it was fixed between my tries or is there a problem ?

I am using Paypal almost every day, it is the first time AVAST did that.

Thanks :)

- avragorn -
My configuration : Windows 7 Premium - INTEL I5 2500K - NVIDIA/MSI GTX 1050 TI 4gb - AVAST FREE EDITION 22.5.6015

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Avast blocked Paypal, saying infected by HTML:PhishingPP-DH[Phish]
« Reply #1 on: December 01, 2018, 08:51:59 PM »
Quote
I am using Paypal almost every day, it is the first time AVAST did that.
Maybe a first for you, but this PayPal detection has been reported several times this year ... search forum


sticky post at this section top, how to report  >>  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438



Offline avragorn

  • Full Member
  • ***
  • Posts: 130
Re: Avast blocked Paypal, saying infected by HTML:PhishingPP-DH[Phish]
« Reply #2 on: December 01, 2018, 09:44:50 PM »
Yes, I have found a few topics here but the names are not exactly the same, so I preferred to ask, in case it was a real phishing and not a false positive.
Thanks :)

edit : well, I just tested again, and AVAST blocks Paypal again. 2 hours ago it worked after a few minutes, now it happens again :(

« Last Edit: December 01, 2018, 09:49:28 PM by avragorn »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Avast blocked Paypal, saying infected by HTML:PhishingPP-DH[Phish]
« Reply #3 on: December 01, 2018, 10:49:52 PM »
Quote
edit : well, I just tested again, and AVAST blocks Paypal again. 2 hours ago it worked after a few minutes, now it happens again
Then report it and avast lab will tell you if it was a FP or not



Offline avragorn

  • Full Member
  • ***
  • Posts: 130
Re: Avast blocked Paypal, saying infected by HTML:PhishingPP-DH[Phish]
« Reply #4 on: December 01, 2018, 11:15:12 PM »
I did it, thanks ;)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Re: Avast blocked Paypal, saying infected by HTML:PhishingPP-DH[Phish]
« Reply #5 on: December 02, 2018, 02:02:39 AM »
Next to avast (and therefore also including avg);
PWS:HTML/Phish.DD  is also detected by Windows Defender,
re: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=PWS:HTML/Phish.DD

This is known, when genuine, as a so-called "supply chain attack",
Aliases: Trojan-PWS.HTML.Phish (Ikarus) Trojan-Spy.HTML.Fraud.ix (Kaspersky).
We have observed these phishing pages using the following page names to steal your information:

Account Verification.html
Account.html
PP-658-119-347.htm after filling out the form,
redirects to hxxp://95.154.192.201/~review/cgi-bin/www.paypal.com.php

It is a webpage posing as a legitimate PayPal webpage.
Above Info credits go to Microsoft's Analysis by Patrik Vicol.

If all of the above is not there, we have a FP.

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline avragorn

  • Full Member
  • ***
  • Posts: 130
Re: Avast blocked Paypal, saying infected by HTML:PhishingPP-DH[Phish]
« Reply #6 on: December 02, 2018, 09:33:52 AM »
Thank you very much :)

It is still happening. But if I log in, it is the real Paypal, I can send some money to my friend. I checked the Microsoft link you posted, in the symptoms I read :

"The following may indicate the presence of this malware:

    -An email inviting or requesting you to fill in your online banking or credit card details
    -The display of the following pages, or ones similar, that ask you to fill out your PayPal, online banking or credit card details: .... "

I don't see anything like this.
I scanned with AVAST and Malwarebytes Anti-Malware, no infection detected on my computer.

Thanks :)


Offline avragorn

  • Full Member
  • ***
  • Posts: 130
Re: Avast blocked Paypal, saying infected by HTML:PhishingPP-DH[Phish]
« Reply #7 on: December 02, 2018, 10:45:08 AM »

Quote
If all of the above is not there, we have a FP.

polonus (volunteer website security analyst and website error-hunter)


It is difficult to say that all of the above is not there, because AVAST antivirus says that it blocks the element infected by the phishing, so after logging in, nothing of the above is there. If AVAST antivirus didn't block the element, maybe all of the above would be there ?

I contacted Paypal on Twitter through their help account @askpaypal, I will see what they will answer.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Re: Avast blocked Paypal, saying infected by HTML:PhishingPP-DH[Phish]
« Reply #8 on: December 02, 2018, 05:46:35 PM »
Hi avragorn,

Remember the original detection of this malware goes back to 2017.
That is a factor that goes against it being a genuine detection.

https://toolbar.netcraft.com/ provides you, in the blink of an eye, with information on how long a website has been up.
Also read up here via this link:
https://www.thesslstore.com/blog/5-ways-to-determine-if-a-website-is-fake-fraudulent-or-a-scam/
Quttera still flags here: https://www.virustotal.com/#/url/0e38faf95f1cbbe723ff0f54de00a267a11c59136f1576ff58051a087a381c68/detection
for the http version of the page: https://www.virustotal.com/#/domain/www.paypal.com
Sun Dec 2 16:35:20 2018
Server IP address:    104.64.36.99 -> https://quttera.com/detailed_report/www.paypal.com
Quote
/au/home
Severity:   Malicious
Reason:   Detected reference to blacklisted domain
Details:   Detected reference to malicious blacklisted domain -app.adjust.com ????
File size[byte]:   69141
File type:   HTML
Page/File MD5:   5F9A367A38093A2ED2CB4BB32CA70435
Scan duration[sec]:   0.721

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
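
Added example, not part of the posts above and not any scanner's own code: a small triage sketch that separates the two signals discussed in this thread, a page that merely references a blocklisted third-party domain (the Quttera finding) and a login form that posts to a host outside the site's own domain (the behaviour described for the real phishing pages). The HTML samples, the blocklist entry, the `203.0.113.10` address and the function names are constructed for illustration; how Avast or Quttera actually reach their verdicts is not stated on this page.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: genuine-looking page with one link to a blocklisted third party.
GENUINE_LIKE = """
<script src="https://www.paypalobjects.com/js/app.js"></script>
<link rel="stylesheet" href="/css/site.css">
<a href="https://app.adjust.com/abc123">Get the app</a>
<form action="https://www.paypal.com/signin" method="post"></form>
"""

# Constructed sample: look-alike page whose form posts to an unrelated host.
PHISH_LIKE = """
<form action="http://203.0.113.10/collect.php" method="post"></form>
"""

BLOCKLIST = {"app.adjust.com"}  # constructed entry mirroring the quoted report


class RefCollector(HTMLParser):
    """Collect hostnames of absolute URLs, keeping form targets separate."""

    def __init__(self):
        super().__init__()
        self.link_hosts, self.form_hosts = set(), set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = urlparse(value).hostname if value else None
            if not host:  # relative URL or empty attribute
                continue
            if tag == "form" and name == "action":
                self.form_hosts.add(host.lower())
            elif name in ("src", "href"):
                self.link_hosts.add(host.lower())


def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def triage(html, site_domain, blocklist):
    """Report blocklisted references and form targets outside site_domain."""
    c = RefCollector()
    c.feed(html)
    every = c.link_hosts | c.form_hosts
    return {
        "blocklisted_refs": sorted(h for h in every if h in blocklist),
        "offsite_form_targets": sorted(
            h for h in c.form_hosts if not in_domain(h, site_domain)),
    }
```

A blocklisted reference with no off-site form target is the pattern that fits a false positive on a genuine page; an off-site form target is the stronger indicator of a look-alike page.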

Offline avragorn

  • Full Member
  • ***
  • Posts: 130
Re: Avast blocked Paypal, saying infected by HTML:PhishingPP-DH[Phish]
« Reply #9 on: December 03, 2018, 10:22:47 AM »
Thank you very much Polonus :)

For me it is a false positive.

Even if I find it weird that other antiviruses find it too.

The problem still occurs today.

(edit) : I contacted Paypal on Twitter yesterday, they just replied, they asked me my email address and they forwarded my message to the technical service of Paypal, so someone from the technical service will email me soon. At least they will check their site and if they find anything wrong, they will do what is needed to remove it.

« Last Edit: December 03, 2018, 11:55:09 AM by avragorn »

Offline avragorn

  • Full Member
  • ***
  • Posts: 130
Re: Avast blocked Paypal, saying infected by HTML:PhishingPP-DH[Phish]
« Reply #10 on: December 03, 2018, 05:43:17 PM »
Prokop from the AVAST team just emailed me since I reported it to the lab :

"Hello,

Thank you for reporting this.

Our virus specialists have been working on this problem and it has now been resolved. The PayPal website isn't detected by Avast anymore.

We are sorry for the inconvenience. If you have any further questions, don't hesitate to contact me again.

Best Regards,
Prokop
The Avast Support Team"

The database has been updated a few minutes ago, so I tested, and as Prokop wrote, AVAST doesn't detect it anymore.

Problem fixed :)

Thank you very much to all the AVAST team :)

- avragorn -

Offline _George_

  • Avast Sales Specialist
  • Avast Reseller
  • Massive Poster
  • *
  • Posts: 3545
  • Дистрибьютор Avast и AVG
    • www.belrus.net
Re: Avast blocked Paypal, saying infected by HTML:PhishingPP-DH[Phish]
« Reply #11 on: December 18, 2018, 01:13:32 PM »
It blocks again!
www.belrus.net - Avast Distributor & AVG Distributor in Russia