Author Topic: URL:Phishing false-positive?  (Read 2002 times)


Offline AndrewNR

URL:Phishing false-positive?
« on: July 14, 2020, 11:37:06 AM »
Hi, my Avast Free Antivirus has recently started to block some subdomains of our Salesforce.com production org as URL:Phishing. The following URLs are being blocked:

At the same time, the main https://salesoptimizer.my.salesforce.com site URL does not have this problem.

I tried scanning the https://salesoptimizer--c.na84.visual.force.com URL with virustotal.com - no viruses detected:
https://www.virustotal.com/gui/url/29c4e27ebb953c1af69bad4583452f69fdd4110093d650b775b414817a93ba83/detection

What should I do? I wouldn't like to keep the URL exception for this site (what if a real virus/phishing hides there one day?).

Offline Asyn

Re: URL:Phishing false-positive?
« Reply #1 on: July 14, 2020, 11:53:23 AM »
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
W8.1 [x64] - Avast PremSec 22.7.7366.BC [UI.713] - Firefox ESR 91.11 [NS/uBO/PB] - Thunderbird 91.11
Avast-Tools: Secure Browser 103.0 - Cleanup 22.2 - SecureLine 5.18 - DriverUpdater 22.2 - CCleaner 6.01
Avast useful information (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline AndrewNR

Re: URL:Phishing false-positive?
« Reply #2 on: July 14, 2020, 12:06:48 PM »
Thanks for guiding me on this! Done.

Offline Asyn

Re: URL:Phishing false-positive?
« Reply #3 on: July 14, 2020, 12:14:01 PM »
You're welcome.

Offline polonus

Re: URL:Phishing false-positive?
« Reply #4 on: July 14, 2020, 02:10:44 PM »
Has been given the clean bill of health here: https://checkphish.ai/insights/url/1594728051165/8450c7d0a1781248ec8ca843a75aaf64ce455850a5691301a0bb25a2d9821e55#
Redirecting to -https://salesoptimizersupport.force.com/login
With blockers ReferenceError: loader is not defined
 /jslibrary/LoginHint208.js:23

CSP Evaluated: CSP as seen by a browser supporting CSP Version 3

check: upgrade-insecure-requests

error: script-src [missing]
script-src directive is missing.

error: object-src [missing]
Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?

On source: Javascript 11   (external 5, inline 6)
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes

INLINE: if (self == top) {document.documentElement.style.visibility = 'visible';} else {
249 bytes

INLINE: var SFDCSessionVars={"server":"https:\/\/login.salesforce.com\/login\/sessionser
588 bytes

-salesoptimizersupport.force.com/jslibrary/SfdcSessionBase208.js
-salesoptimizersupport.force.com/jslibrary/LoginHint208.js
INLINE: LoginHint.hideLoginForm();
26 bytes

INLINE: LoginHint.getSavedIdentities(false);
36 bytes

-salesoptimizersupport.force.com/jslibrary/baselogin.js
-salesoptimizersupport.force.com/marketing/survey/survey1/1384
-salesoptimizersupport.force.com/marketing/survey/survey4/1384
INLINE: function handleLogin(){document.login.un.value=document.login.username.value;doc
262 bytes

ONCLICK: /* a#edit.fr small.onclick = */ LoginHint.showEdit();
53 bytes

ONCLICK: /* button#hint_save_edit.button primary fiftyfifty right.onclick = */ LoginHint.
95 bytes

ONCLICK: /* button#hint_back_edit.button secondary fiftyfifty.onclick = */ LoginHint.show
90 bytes

ONCLICK: /* a#clear_link.clearlink.onclick = */ LoginHint.clearExistingIdentity();
73 bytes

ONCLICK: /* button#mydomainContinue.button primary fiftyfifty right.onclick = */ DomainSw
104 bytes

ONCLICK: /* button#hint_back_domain.button secondary fiftyfifty.onclick = */ DomainSwitch
140 bytes

ONCLICK: /* a#use_new_identity.onclick = */ LoginHint.useNewIdentity();
62 bytes

CSS 5   (external 1, inline 4)
salesoptimizersupport.force.com/css/sfdc_210.css
INJECTED

INLINE: html{visibility: hidden;}a{color:#0070d2;}body{background-color:#FFFFFF;}#conten
459 bytes INJECTED

INLINE: html { visibility: hidden; }
30 bytes INJECTED

INLINE: @media print {#ghostery-purple-box {display:none !important}}
61 bytes INJECTED

INLINE: :root #content > #center > .dose > .dosesingle, :root #content > #right > .dose
170 bytes INJECTED

Wait for a final verdict from an Avast team member, as they are the only ones who can come and unblock it;
for now I do not see that particular page being blocked by Avast. Also Zen Mate blocks zero.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
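
Added example (not part of polonus's post or of any tool used in it): a small Python check that reproduces the two CSP findings in the report above, applying the default-src fallback that browsers use for script-src and object-src. Both policy strings are constructed; OBSERVED contains only the directive the report shows as present.

```python
# Constructed sample policies (assumptions, not captured headers).
OBSERVED = "upgrade-insecure-requests"
HARDENED = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
            "object-src 'none'; upgrade-insecure-requests")


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective(policy, directive):
    """Sources that apply to a fetch directive, falling back to default-src."""
    return policy.get(directive, policy.get("default-src"))


def audit(header):
    """Return findings for script-src and object-src, in that order."""
    policy = parse_csp(header)
    findings = []

    script = effective(policy, "script-src")
    if script is None:
        findings.append("script-src [missing]")
    else:
        lowered = [s.lower() for s in script]
        # 'unsafe-inline' is ignored by browsers when a nonce or hash is present.
        strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                     for s in lowered)
        if "'unsafe-inline'" in lowered and not strict:
            findings.append("script-src allows 'unsafe-inline'")

    obj = effective(policy, "object-src")
    if obj is None:
        findings.append("object-src [missing]")
    elif [s.lower() for s in obj] not in ([], ["'none'"]):
        findings.append("object-src is not 'none'")
    return findings


if __name__ == "__main__":
    for name, header in (("observed", OBSERVED), ("hardened", HARDENED)):
        print(name, audit(header) or "no findings")
```

A nonce-based script-src does not cover inline event handlers such as the ONCLICK entries listed in the report, so a page like this one would need those moved into script files before the hardened policy could be enforced.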

Offline polonus

Re: URL:Phishing false-positive?
« Reply #5 on: July 14, 2020, 02:32:30 PM »
Redirecting to the login site is insecure as it may produce access to internal files,
like for instance  baselogin.js, survey4 etc., both with code meant for internal use only.
Quote
/*
* This code is for Internal Salesforce use only, and subject to change without notice.
* Customers shouldn't reference this file in any web pages.
*/
Also with links to -: htxps://jeddrexler.com/
This is known as excessive info proliferation and one should hide it from accidental access.

polonus
« Last Edit: July 14, 2020, 05:05:48 PM by polonus »

Offline AndrewNR

Re: URL:Phishing false-positive?
« Reply #6 on: July 15, 2020, 12:33:05 PM »
Hi polonus,

Thank you for looking into it and providing recommendations on fixing some parts. Unfortunately I am not the owner of those sites (even the support site), and most of the site HTML is rendered by Salesforce internally - so I cannot adjust anything there. In any case, thank you for the feedback on this.

I have just received a response from Avast support, they marked it as safe, and it is not detected by Avast any more.

Thanks for your help!

Best regards,
Andrew