Author Topic: URL:Phishing https://dns.google/dns-query  (Read 1161 times)

Offline mehuge

  • Newbie
  • *
  • Posts: 7
URL:Phishing https://dns.google/dns-query
« on: March 03, 2023, 11:24:02 AM »
All of a sudden I have started getting these Avast alerts.

  Avast Web Shield alert
  Multiple web
  We've blocked a threat URL:Phishing on https://dns.google/dns-query
  from being downloaded.

  Threat Name: URL:Phishing
  Severity: Medium
  Website: https://dns.google/dns-query
  Process: /Applications/Google Chrome.app/Contents/Frameworks/.../Google Chrome Helper
  Detected by: Web Shield
  Status: Threat blocked

I am going to hazard a guess: this is Chrome making DNS queries over HTTPS.

I am getting numerous alerts every minute.

Due to lack of context and information about this supposed threat, I have assumed a false positive and allowed these requests just to stop the Avast spam.
« Last Edit: March 03, 2023, 11:29:48 AM by mehuge »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: URL:Phishing https://dns.google/dns-query
« Reply #1 on: March 03, 2023, 01:30:10 PM »
Flagged by just one vendor: https://www.virustotal.com/gui/url/b8f334f0e0a1e7bfd45032529d0eef7807fd2a5d77666b1d1c4bb62918d0dfcf

Connection errors - http - https 404 error

See: https://urlscan.io/result/7711d9d2-f284-420f-83ef-0d5493504975/

See, the initial request kicks up a 404 error: https://urlscan.io/result/7711d9d2-f284-420f-83ef-0d5493504975/ (due to a malformed or illegal request)

See: https://sitereport.netcraft.com/?url=https://dns.google  (dns.google = OK)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Tom610

  • Full Member
  • ***
  • Posts: 121
Re: URL:Phishing https://dns.google/dns-query
« Reply #2 on: March 03, 2023, 01:38:21 PM »
Quote
Due to lack of context and information about this supposed threat, I have assumed a false positive and allowed these requests just to stop the Avast spam.

Confirmed. We also have a bunch of customers with detections like that.

From what I see here, Avast clients since the end of February are blocking across almost all components (Web Shield, Behavior Shield, scan/File Shield) more than they used to... See my other post regarding this...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: URL:Phishing https://dns.google/dns-query
« Reply #3 on: March 03, 2023, 03:09:36 PM »
You may also resolve in a direct manner, like: https://dns.google/resolve?name=
Complete it with a hostname etc., else it will also kick up a 400 (Bad Request)!

Random example, e.g.: https://dns.google/resolve?name=forum.avast.coml&type=A, resolving as:
Quote
{"Status":3,"TC":false,"RD":true,"RA":true,"AD":true,"CD":false,"Question":[{"name":"forum.avast.coml.","type":1}],"Authority":[{"name":".","type":6,"TTL":86398,"data":"a.root-servers.net. nstld.verisign-grs.com. 2023030300 1800 900 604800 86400"}]}

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
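
Added example, not part of any post in this thread: a Python sketch of what well-formed traffic to the two endpoints discussed above looks like, which helps when judging whether an alert on https://dns.google/dns-query is ordinary DNS-over-HTTPS. It builds an RFC 8484 GET URL for the /dns-query endpoint and interprets the JSON reply quoted in Reply #3; the function names are made up for this example.

```python
import base64
import json
import struct

# Subset of DNS RCODEs; the JSON API reports the RCODE in "Status".
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Response body quoted in Reply #3 of this thread.
QUOTED_REPLY = (
    '{"Status":3,"TC":false,"RD":true,"RA":true,"AD":true,"CD":false,'
    '"Question":[{"name":"forum.avast.coml.","type":1}],'
    '"Authority":[{"name":".","type":6,"TTL":86398,"data":'
    '"a.root-servers.net. nstld.verisign-grs.com. 2023030300 1800 900 604800 86400"}]}'
)


def build_doh_get_url(name, qtype=1, endpoint="https://dns.google/dns-query"):
    """Build an RFC 8484 GET URL: a wire-format query, base64url without padding."""
    header = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)  # ID 0, RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!2H", qtype, 1)  # QTYPE, QCLASS IN
    param = base64.urlsafe_b64encode(header + question).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={param}"


def interpret_json_reply(text):
    """Summarise a JSON API reply: RCODE name, DNSSEC flag, answers, SOA zone."""
    msg = json.loads(text)
    authority = msg.get("Authority", [])
    return {
        "question": msg["Question"][0]["name"],
        "rcode": RCODES.get(msg["Status"], f"RCODE{msg['Status']}"),
        "dnssec_validated": msg.get("AD", False),
        "answers": [rr["data"] for rr in msg.get("Answer", [])],
        # The SOA (type 6) owner name is the zone vouching for a negative answer.
        "soa_zone": next((rr["name"] for rr in authority if rr["type"] == 6), None),
    }


if __name__ == "__main__":
    print(build_doh_get_url("www.example.com"))
    print(interpret_json_reply(QUOTED_REPLY))
```

For the quoted reply this reports NXDOMAIN with the SOA owned by the root zone ".", meaning the name as queried does not exist.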