Author Topic: Help with URL:Phishing  (Read 931 times)

0 Members and 1 Guest are viewing this topic.

Offline Giulio98b

  • Newbie
  • *
  • Posts: 2
Help with URL:Phishing
« on: October 07, 2022, 01:14:54 AM »
Hello, today I was using my PC and after browsing and playing games I’ve found this alert 5 times at different hours in Avast notifications (I have silent mode on): see the attachment, but the URL is “rings.strn.pl”.

I don’t know which website or program did this, I tried to re-open some games and websites I’ve used today but the notification doesn’t appear anymore. Could someone check for me some information about this URL? Is it a virus? Google didn’t help me. Thanks in advance.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87085
  • No support PMs thanks
Re: Help with URL:Phishing
« Reply #1 on: October 07, 2022, 01:41:07 AM »
This seems strange with a top level domain of .pl indicates Poland, but the server is apparently in the USA - https://ipaddress.com/website/strn.pl

One other indicating Phishing - https://www.virustotal.com/gui/url/911b3f09dfa6371f490a0c4146036e985151e5c5a558cdf9e79c79f071533ff2

Webpage Security Score F and outdated software - https://snyk.io/test/website-scanner/?test=221006_AiDc5G_H2H&utm_medium=referral&utm_source=webpagetest&utm_campaign=website-scanner

Some security failures here - https://en.internet.nl/site/rings.strn.pl/1729649/

Scan failed - timeout - https://sitecheck.sucuri.net/results/rings.strn.pl

Is this game played via your browser or its own interface  ?
Not being a gamer I don't know if this is a link that it is using for some purpose or other in the game (that you would have to check with the game source). 
If it is played via your browser, which one and check for any new or recently updated extensions or add-ons.

You could try launching the game without silent mode enabled, this should trigger the Avast Alert like my attached image.  Hopefully this would indicate the executable responsible for the connection.

So it would appear there are just reasons for this detection, had you had silent mode off you would have see the attached image.
 
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.10.6038 (build 22.10.7633.734) UI 1.0.733/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Giulio98b

  • Newbie
  • *
  • Posts: 2
Re: Help with URL:Phishing
« Reply #2 on: October 07, 2022, 03:56:07 AM »
This seems strange with a top level domain of .pl indicates Poland, but the server is apparently in the USA - https://ipaddress.com/website/strn.pl

One other indicating Phishing - https://www.virustotal.com/gui/url/911b3f09dfa6371f490a0c4146036e985151e5c5a558cdf9e79c79f071533ff2

Webpage Security Score F and outdated software - https://snyk.io/test/website-scanner/?test=221006_AiDc5G_H2H&utm_medium=referral&utm_source=webpagetest&utm_campaign=website-scanner

Some security failures here - https://en.internet.nl/site/rings.strn.pl/1729649/

Scan failed - timeout - https://sitecheck.sucuri.net/results/rings.strn.pl

Is this game played via your browser or its own interface  ?
Not being a gamer I don't know if this is a link that it is using for some purpose or other in the game (that you would have to check with the game source). 
If it is played via your browser, which one and check for any new or recently updated extensions or add-ons.

You could try launching the game without silent mode enabled, this should trigger the Avast Alert like my attached image.  Hopefully this would indicate the executable responsible for the connection.

So it would appear there are just reasons for this detection, had you had silent mode off you would have see the attached image.

Thank you for your quick and comprehensive response.

I have tried in these hours to re-perform all the actions on my computer again with silent mode turned off but without getting any alerts from Avast.
The games that I played today are famous and trusted games with their own dedicated launcher, I have installed external mods from reliable sources for these games, but by relaunching the game now I don't get any alerts from Avast. So I don't think that's the problem.

Searching on Google the keyword “strn pl” on the top searches I found any.run report (attached screenshot) that may be related, but I didn’t click it because I don’t know if it’s a safe website and I’d like to wait for the advice of an expert. Thank you again for your time.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33582
  • malware fighter
Re: Help with URL:Phishing
« Reply #3 on: October 07, 2022, 01:25:06 PM »
Additionally to what DavidR reports we see this for the server of -rings.strn.pl
Quote
server   Server value has been changed. Typically you will see values like "Microsoft-IIS/8.0" or "nginx 1.7.2".
"access-control-allow-origin" This is a very lax CORS policy. Such a policy should only be used on a public CDN.
this coming as a security header scan result.

Also see these results: https://en.internet.nl/site/rings.strn.pl/1730316/

Netcraft Risk rating - 7 red out of 10: https://sitereport.netcraft.com/?url=http://rings.strn.pl
See: -dns0.it

Obvious insecurity demonstrated here with these results: https://dnsviz.net/d/rings.strn.pl/dnssec/

This is also convincing there has been tampering going on: https://dnsviz.net/d/dns0.it/dnssec/
All such warnings like
Quote
RRSIG NSEC3 proving non-existence of -dns0.it/DS alg 10, id 18395: DNSSEC specification recommends not signing with DNSSEC algorithm 10 (RSASHA512).
RRSIG NSEC3 proving non-existence of -dns0.it/DS alg 10, id 18395: DNSSEC specification recommends not signing with DNSSEC algorithm 10 (RSASHA512).
RRSIG it/DNSKEY alg 10, id 18395: DNSSEC specification recommends not signing with DNSSEC algorithm 10 (RSASHA512).
RRSIG it/DNSKEY alg 10, id 41901: DNSSEC specification recommends not signing with DNSSEC algorithm 10 (RSASHA512).
RRSIG it/DNSKEY alg 10, id 41901: DNSSEC specification recommends not signing with DNSSEC algorithm 10 (RSASHA512).
RRSIG it/SOA alg 10, id 18395: DNSSEC specification recommends not signing with DNSSEC algorithm 10 (RSASHA512).


polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

« Last Edit: October 07, 2022, 01:39:43 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!