Author Topic: False positive on legitimate site is blocking our customers from logging in  (Read 2412 times)

0 Members and 1 Guest are viewing this topic.

Offline Stephen EasyCrypto

  • Newbie
  • *
  • Posts: 3
Our website's login page (easycrypto.ai) is blocked by Avast Web Shield as "URL:Phishing". This is incorrect. This is our website for customers to login through and is not a phishing site.

We have reported this via the Avast false positive form over 12 hours ago now however it is still blocked.



VirusTotal reports perfect scores: nothing wrong here!
https://www.virustotal.com/gui/url/bd0aa6784b1eea572dd2252b4b4d48e5037f6fd5586a79904cff2d5ac3f90202/detection

urlscan io also reports perfect scores: nothing wrong here!
https://urlscan.io/result/846e83da-2cc5-4d11-a316-d1f80f6bad9b/

We have also gone further to confirm that there isn't any MITM or redirection attacks happening against our customers.

Now we have taken to emailing customers a form letter explaining how to disable their use of Avast software and pinpointing Avast as the problem.

Needless to say, this is also a large financial loss for us to have our site unavailable for an entire day. This loss has been entirely caused by your incorrect classification of our login page. I will need a proper RCA for how this site came to be blocked.

Stephen

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
We have reported this via the Avast false positive form over 12 hours ago now however it is still blocked.
Hi Stephen, you should get a reply within 48 hours.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
The "page not found" should be taken up with CloudFlare's.
This is being blocked -> -https://d3uvwl4wtkgzo1.cloudfront.net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
The "page not found" should be taken up with CloudFlare's.
This is being blocked -> -https://d3uvwl4wtkgzo1.cloudfront.net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js

See insecure on same IP: -http://mypubid.com/ for instance.

Quote
Outdated JavaScript libraries detected. jquery 3.4.1
medium : Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
CVE-2020-11022
medium : Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
CVE-2020-11023

reported by retire.js
1   missing-content-security-policy
No Content Security Policy configured for this site.
source: DEVCON info.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Stephen EasyCrypto

  • Newbie
  • *
  • Posts: 3
We have reported this via the Avast false positive form over 12 hours ago now however it is still blocked.
Hi Stephen, you should get a reply within 48 hours.
Hi Asyn, thanks for your reply.

Offline Stephen EasyCrypto

  • Newbie
  • *
  • Posts: 3
The "page not found" should be taken up with CloudFlare's.
This is being blocked -> -https://d3uvwl4wtkgzo1.cloudfront.net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js

polonus
From which URL do you see that included?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Hi Stephen EasyCrypto,

That is included on -https://easycrypto.ai/auth  comes up with a Page not found
I'm sorry, the page you were looking for does not exist.
Quote
SRC report: HTML
-easycrypto.ai/
18,345 bytes, 255 nodes

Javascript 5   (external 5, inline 0)
-www.google-analytics.com/​analytics.js
48,759 bytes

-d3uvwl4wtkgzo1.cloudfront.net/​e8af8301-45e2-41c6-9212-9421ce1b1dc7.js
-easycrypto.ai/js/​chunk-vendors.9dd1f715.js
-easycrypto.ai/js/​app.0f4ad939.js
-static.cloudflareinsights.com/​beacon.min.js
CSS 5   (external 4, inline 1)
INLINE: @font-face{font-family:'Axiforma-Black';src:url(/assets/webfonts/Axiforma-Black/
808 bytes INJECTED

-easycrypto.ai/assets/css/​ec-2.10.css
INJECTED

-easycrypto.ai/assets/fontawesome/css/​all.min.css
INJECTED

-easycrypto.ai/css/​chunk-vendors.6c0b1195.css
INJECTED

-easycrypto.ai/css/​app.ab40635f.css
INJECTED

We are still waiting for a final verdict from an avast team member for these apparent FP PHISHING findings
on various CloudFlare driven websites. Yours is one of them.
I PM-ed avast threat lab, but probably they will not reply earlier than over the week-end,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!