Author Topic: ilgonwallet.com blocked for phishing  (Read 2215 times)

Offline hhpkoop

  • Newbie
  • *
  • Posts: 4
ilgonwallet.com blocked for phishing
« on: May 13, 2021, 04:12:28 PM »
Hello
ilgonwallet.com is blocked for phishing. It is an open-source fork of MyEtherWallet; you can check the source code here:
https://github.com/ilgon-technologies/ilgon-wallet

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33871
  • malware fighter
Re: ilgonwallet.com blocked for phishing
« Reply #1 on: May 13, 2021, 05:00:10 PM »
Re: https://awesometechstack.com/analysis/website/ilgonwallet.com/
and https://urlscan.io/result/91bf9b62-7d2b-4630-a9db-64562fa502b4/
Could be the outgoing link:
1 Outgoing link
These are links going to different origins than the main page.

URL: -https://kb.myetherwallet.com/
Title: Help Center

Wait for a final verdict from the Avast team; they are the only ones who can come and unblock it.

polonus
« Last Edit: May 13, 2021, 05:05:53 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76038
    • >>>  Avast Forum - German-language section  <<<
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast need-to-know (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline hhpkoop

  • Newbie
  • *
  • Posts: 4
Re: ilgonwallet.com blocked for phishing
« Reply #3 on: May 13, 2021, 08:30:55 PM »

Offline hhpkoop

  • Newbie
  • *
  • Posts: 4
Re: ilgonwallet.com blocked for phishing
« Reply #4 on: June 10, 2021, 03:55:58 PM »
Quote
Re: https://awesometechstack.com/analysis/website/ilgonwallet.com/
and https://urlscan.io/result/91bf9b62-7d2b-4630-a9db-64562fa502b4/
Could be the outgoing link:
1 Outgoing link
These are links going to different origins than the main page.

URL: -https://kb.myetherwallet.com/
Title: Help Center

Wait for a final verdict from the Avast team; they are the only ones who can come and unblock it.

polonus

It's been more than a month, when will the avast team respond?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88773
  • No support PMs thanks
Re: ilgonwallet.com blocked for phishing
« Reply #5 on: June 10, 2021, 05:05:18 PM »
Did you report it? - Reporting Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php

I have just visited it and it is still blocked as 'Malware', not Phishing.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline hhpkoop

  • Newbie
  • *
  • Posts: 4
Re: ilgonwallet.com blocked for phishing
« Reply #6 on: June 10, 2021, 05:22:23 PM »
Quote
Did you report it? - Reporting Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php

I have just visited it and it is still blocked as 'Malware', not Phishing.

Thanks a lot, I just reported it now.
It says "URL:pishing" at "Threat name".

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88773
  • No support PMs thanks
Re: ilgonwallet.com blocked for phishing
« Reply #7 on: June 10, 2021, 05:34:53 PM »
You're welcome.
Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33871
  • malware fighter
Re: ilgonwallet.com blocked for phishing
« Reply #8 on: June 10, 2021, 11:13:11 PM »
Hi hhpkoop & DavidR,

Do not see the site blocked now, but it is kicking up an error, like given here as a quote:
Quote
{
  "exception": {
    "values": [
      {
        "type": "SyntaxError",
        "value": "Invalid regular expression flags",
        "stacktrace": {
          "frames": [
            {
              "colno": 118,
              "filename": "<anonymous>",
              "function": "HTMLDocument.v",
              "in_app": true,
              "lineno": 13
            },
            {
              "colno": 99,
              "filename": "<anonymous>",
              "function": "?",
              "in_app": true,
              "lineno": 13
            },
            {
              "colno": 115,
              "filename": "<anonymous>",
              "function": "eval",
              "in_app": true,
              "lineno": 2
            },
            {
              "colno": 115,
              "filename": "<anonymous>",
              "function": "i",
              "in_app": true,
              "lineno": 2
            },
            {
              "colno": 80,
              "filename": "<anonymous>",
              "function": "?",
              "in_app": true,
              "lineno": 4
            },
            {
              "colno": 115,
              "filename": "<anonymous>",
              "function": "c",
              "in_app": true,
              "lineno": 2
            },
            {
              "colno": 115,
              "filename": "<anonymous>",
              "function": "Object.create",
              "in_app": true,
              "lineno": 2
            },
            {
              "colno": 115,
              "filename": "<anonymous>",
              "function": "eval",
              "in_app": true,
              "lineno": 2
            },
            {
              "colno": 244,
              "filename": "<anonymous>",
              "function": "Object.E_u",
              "in_app": true,
              "lineno": 4
            },
            {
              "colno": 191,
              "filename": "<anonymous>",
              "function": "Object.t [as F_c]",
              "in_app": true,
              "lineno": 3
            },
            {
              "colno": 80,
              "filename": "<anonymous>",
              "function": "?",
              "in_app": true,
              "lineno": 4
            },
            {
              "filename": "<anonymous>",
              "function": "eval",
              "in_app": true
            }
          ]
        },
        "mechanism": {
          "handled": false,
          "type": "onerror"
        }
      }
    ]
  },
  "platform": "javascript",
  "event_id": "b545d375db4e4ad3a000f9d2e1e8dbd2",
  "timestamp": 1623358973.605,
  "environment": "web",
  "release": "5.8.0",
  "sdk": {
    "integrations": [
      "InboundFilters",
      "FunctionToString",
      "TryCatch",
      "Breadcrumbs",
      "GlobalHandlers",
      "LinkedErrors",
      "UserAgent",
      "Vue"
    ]
  },
  "request": {
    "url": "htxps://ilgonwallet.com/#/",
    "headers": {
      "User-Agent": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36"
    }
  },
  "tags": {
    "network": "ILG",
    "service": "ilgonexplorer dot com",
    "walletType": ""
  }
}
hxttps and ilgonexplorer dot com inserted by me, pol, for obvious reasons, to represent it here as non-clickable...

The server has previously indicated this domain should always be accessed via HTTPS (HSTS Policy per https://tools.ietf.org/html/rfc6797). Chrome has cached this internally, and did not connect to any server for this redirect. Chrome reports this redirect as a "307 Internal Redirect" which simply does not exist per https://tools.ietf.org/html/rfc7231#section-6.4.7 - however this probably would have been a "301 Permanent redirect" originally and the Google guys made fun of the webmaster community maybe. You can verify this by clearing your browser cache and visiting the original URL again. Please note that this is kind of a weird behavior and that Google even calls 307 redirects "a lie" in a post by John Mueller titled "A search-engine guide to 301, 302, 307, & other redirects" at https://plus.google.com/+JohnMueller/posts/E4PqAhRJB2V - However server side 307 redirects do exist and we will show them. ;-)

25% of tracking was blocked for me using Zen Mate Web Firewall.

Quick source review
Quote
-ilgonwallet.com/#/
48,292 bytes, 625 nodes

Javascript 6   (external 5, inline 1)
INLINE: /* * This entire block is wrapped in an IIFE to prevent polluting the scope of
477,179 bytes

-ilgonwallet.com/js/chunk-773d91af.3725e6c9.js
-ilgonwallet.com/js/chunk-743f6643.3be9e4fd.js
-ilgonwallet.com/js/chunk-ab9cb4da.4a9cfb5c.js
-ilgonwallet.com/js/vendors.19fcadf5.js
-ilgonwallet.com/js/app.7a3b22fe.js
CSS 11   (external 7, inline 4)
-ilgonwallet.com/index.css
INJECTED

-ilgonwallet.com/css/vendors.1c6a7245.css
INJECTED

-ilgonwallet.com/css/app.41445379.css
INJECTED

INLINE: .toasted{padding:0 20px}.toasted.rounded{border-radius:24px}.toasted .primary,.t
5,276 bytes INJECTED

-ilgonwallet.com/css/chunk-773d91af.a9ece34f.css
INJECTED

-ilgonwallet.com/css/chunk-743f6643.fff3d513.css
INJECTED

-ilgonwallet.com/css/chunk-ab9cb4da.b51a2e65.css
INJECTED

INLINE: -a.gootranslink:link {color: #0000FF !important; text-decoration: underline !impo
2,944 bytes INJECTED

INLINE: .BDTLL_icon_ok { background-image: url(data:image/png;base64,iVBORw0KGgoAAAA
31,825 bytes INJECTED

INLINE: .BDTLL_status { cursor: pointer; display: inline; margin-right: 3px;
595 bytes INJECTED

-fonts.googleapis.com/css?family=Roboto:400,700&subset=cyrillic,greek,latin-ext
INJECTED
INJECTED

JSON 0   (external 0, inline 0)
Others 0   (external 0, inline 0)

Have a nice day ye all,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
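
The cached-HSTS upgrade described in the reply above, as an added example that is not part of the original thread and not code from any browser: a small store that records a Strict-Transport-Security header per RFC 6797 and decides, without any network access, whether an http:// navigation is rewritten to https://. The class name, the wallet.example host and the timestamps are constructed for illustration.

```javascript
// Added illustration of RFC 6797 behaviour; not code from any browser.
// Class name, hosts and timestamps are constructed sample values.
class HstsStore {
  constructor() { this.entries = new Map(); } // host -> {expires, includeSubDomains}

  // Parse a Strict-Transport-Security value; max-age is mandatory (section 6.1).
  static parse(value) {
    const policy = { maxAge: null, includeSubDomains: false };
    for (const part of value.split(';')) {
      const [name, raw = ''] = part.trim().split('=');
      const key = name.trim().toLowerCase();
      if (key === 'max-age') {
        const digits = raw.trim().replace(/^"(.*)"$/, '$1');
        if (!/^\d+$/.test(digits)) return null;
        policy.maxAge = Number(digits);
      } else if (key === 'includesubdomains') {
        policy.includeSubDomains = true;
      }
    }
    return policy.maxAge === null ? null : policy;
  }

  // Record a policy. Headers seen over plain HTTP are ignored (section 8.1).
  noteHeader(url, headerValue, nowSec) {
    const u = new URL(url);
    const policy = HstsStore.parse(headerValue);
    if (u.protocol !== 'https:' || !policy) return false;
    if (policy.maxAge === 0) this.entries.delete(u.hostname); // max-age=0 clears
    else this.entries.set(u.hostname, { expires: nowSec + policy.maxAge,
                                        includeSubDomains: policy.includeSubDomains });
    return true;
  }

  // Decide, before any network traffic, whether an http:// URL is upgraded.
  // Chrome's DevTools labels this local rewrite "307 Internal Redirect".
  resolve(url, nowSec) {
    const u = new URL(url);
    const labels = u.hostname.split('.');
    for (let i = 0; u.protocol === 'http:' && i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join('.'));
      if (!entry || entry.expires <= nowSec) continue;   // unknown or expired
      if (i > 0 && !entry.includeSubDomains) continue;   // parent policy not inherited
      u.protocol = 'https:';
      return { url: u.href, internalRedirect: true };
    }
    return { url: u.href, internalRedirect: false };
  }
}
```

The upgrade disappears once the entry expires or the site sends max-age=0 over HTTPS, which is the same effect as the cache clearing mentioned in the reply.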