Topic: Client Impact! False Positive: Site Blocked - URL:Phishing


Offline adam.bogart

  • Newbie
  • *
  • Posts: 3
Client Impact! False Positive: Site Blocked - URL:Phishing
« on: June 18, 2023, 07:22:57 AM »
We run an online sales platform serving clients across the country. It's well known in our vertical (telecommunications), and widely used.

Friday June 18 we had angry clients telling us that our platform had been blocked by Avast for URL:Phishing. They are actively losing orders and their clients are questioning the security of the site. I installed Avast to see this for myself, and yes the site is blocked - with no explanation, detail, nothing to go on at all. I seem to only be able to fill out a false positive form. In the case of business sites, including this case, measurable revenue is being lost.

Our platform is on hxxps://order.lvmtech.com - we run on the subdomain which points to our platform. It's proprietary code.

They have a main site which is also blocked: hxxps://www.lvmtech.com - it's WordPress, run by the clients - could this be the cause? Would Avast also block the "order" subdomain?

I need to determine root cause on this block.  I've read through the forums and have used various links to scanners and URL analysis tools. Nothing suspicious has shown up.

Are the Avast techs here? Can I find out what's happening?

Thanks very much


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: Client Impact! False Positive: Site Blocked - URL:Phishing
« Reply #2 on: June 18, 2023, 11:54:52 AM »
insecure = -https://66.212.168.157.tor.pathcom.com/ with privacy error
Not flagged by other vendors - https://www.virustotal.com/gui/url/716b0dfd29199427ec2e5a15de0ce6d03b66819882f0f0b3895466698482d50c?nocache=1  Some flag this address for violence and hate (e.g. Dr.Web and Bitdefender);
see all the outgoing links: https://www.virustotal.com/gui/url/716b0dfd29199427ec2e5a15de0ce6d03b66819882f0f0b3895466698482d50c/links
See issues: https://en.internet.nl/site/order.lvmtech.com/2156722/
Nothing here: https://quttera.com/detailed_report/order.lvmtech.com

polonus
« Last Edit: June 18, 2023, 12:50:52 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline adam.bogart

  • Newbie
  • *
  • Posts: 3
Re: Client Impact! False Positive: Site Blocked - URL:Phishing
« Reply #3 on: June 18, 2023, 10:43:36 PM »
Hi Polonus,

Thanks for the reply! What is "https://66.212.168.157.tor.pathcom.com/"? What is this? Following it goes to the site.

I'm so confused - Dr. Web says the link is connected to violence?  They are a dealer of phones and GPS services. Then I look up the site itself on VirusTotal and it shows none of that - just Information Technology.

As for the other warnings, I see they are suggested, but not having the suggested security features indicates malware, or that we are phishing. I need to do PCI compliance scans on a regular basis, which currently all pass. Things like IPv6 are not required, similar to HSTS (? I need to research this).

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: Client Impact! False Positive: Site Blocked - URL:Phishing
« Reply #4 on: June 19, 2023, 06:05:31 AM »
Hi adam.bogart,

Do not give this link as live - break it as hXXps, as Google Safe Browsing raises a privacy alert and blocks it inside a Google Chrome browser.

Report a potential FP to avast team and wait for their reply.
Like with this form: https://www.avast.com/false-positive-file-form.php#pc

What answer was there when you reported?

See: https://sitereport.netcraft.com/?url=https://66.212.168.157.tor.pathcom.com
See: https://sitereport.netcraft.com/?url=https://www.lvmtech.com  (subject alternative name when entering -https://66.212.168.157.tor.pathcom.com)

Should take this up with Google Xenon, Nimbus, Argon - Certification,
where does pathcom dot com come in?

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)


Offline adam.bogart

  • Newbie
  • *
  • Posts: 3
Re: Client Impact! False Positive: Site Blocked - URL:Phishing
« Reply #5 on: June 19, 2023, 03:12:01 PM »
I got a generic reply this morning that "the reported URL was checked by Avast virus specialists and based on the findings the detection was removed. The website is now marked as clean in the Avast virus database." 

No root cause, and not whether the "www" or the subdomain caused the issues.  No fixes had to be made - so it was just a costly mistake?

Any Avast techs, if you have any information that would be great.  The client will blame us (the subdomain), but I believe it's the "www" that caused this.

Thanks

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: Client Impact! False Positive: Site Blocked - URL:Phishing
« Reply #6 on: June 20, 2023, 05:24:06 PM »
We see now Google also paid attention - https://www.virustotal.com/gui/ip-address/66.212.168.157/details
Google Safebrowsing initiative, and what would the community be without them?

Also see: https://sitereport.netcraft.com/?url=https%3A%2F%2F66.212.168.157.tor.pathcom.com

Visiting this address with Tor I get
Quote:
    Warning: Potential Security Risk Ahead

    Tor Browser detected a potential security threat and did not continue to -66.212.168.157.tor.pathcom.com.
    If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

    What can you do about it?

    The issue is most likely with the website, and there is nothing you can do to resolve it.
    You can notify the website's administrator about the problem.
Well that is what has been done through this thread.
Question remains - why is it being grey-listed by Google?

Re: https://urlscan.io/result/c5acc016-9cba-4cde-bf2f-11e8dd6a093d/
where it normally redirects to -www.lvmtech.com

See Shodan report: https://www.shodan.io/search/report?query=66.212.168.157.tor.pathcom.com  (safe to open)
Restrictions not found - no CSP ...

trackers found:
- googleads.g.doubleclick.net
- static.doubleclick.net
- use.fontawesome.com
- www.google-analytics.com
- play.google.com
- www.google.com
- www.googletagmanager.com
- fonts.gstatic.com
- www.gstatic.com
- www.youtube.com


polonus
« Last Edit: June 20, 2023, 10:03:19 PM by polonus »
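An added example in Python (not code from the thread, Avast, Netcraft or Shodan) reproducing two of the checks behind the findings in Replies #2, #4 and #6: whether a certificate's subject alternative names cover a hostname such as the reverse-DNS name 66.212.168.157.tor.pathcom.com (the cause of the "privacy error" when the cert is issued for www.lvmtech.com), and whether CSP and HSTS response headers are present (the "no CSP" note from the Shodan report). The SAN list and response headers in the block are constructed for the example, not fetched from the site.

```python
"""Added example: two checks behind findings discussed in this thread.
1. Does a certificate's SAN list cover a hostname?  The reverse-DNS name
   66.212.168.157.tor.pathcom.com served a cert for www.lvmtech.com, so
   browsers show a privacy error for that name.
2. Are CSP and HSTS response headers present?  (the "no CSP" Shodan note)
SAN list and headers below are constructed for the example, not fetched."""

def hostname_matches_san(hostname: str, san_list: list[str]) -> bool:
    """RFC 6125-style DNS-ID match: exact, or a left-most '*' covering exactly
    one label (*.lvmtech.com matches order.lvmtech.com, not a.b.lvmtech.com)."""
    host = hostname.lower().rstrip(".")
    for san in (s.lower().rstrip(".") for s in san_list):
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]  # ".lvmtech.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False

# Header name -> why its absence matters for a public sales platform.
REQUIRED_HEADERS = {
    "content-security-policy": "no CSP: script sources are unrestricted",
    "strict-transport-security": "no HSTS: first request is downgradeable",
}

def missing_security_headers(headers: dict[str, str]) -> list[str]:
    """Required header names absent from a response (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [name for name in REQUIRED_HEADERS if name not in present]

def assess(hostname: str, san_list: list[str], headers: dict[str, str]) -> list[str]:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if not hostname_matches_san(hostname, san_list):
        findings.append(f"certificate does not cover {hostname} "
                        f"(SAN: {', '.join(san_list)}) -> browser privacy error")
    findings += [REQUIRED_HEADERS[h] for h in missing_security_headers(headers)]
    return findings

# Constructed data (assumption): cert issued for the www names only, no security headers.
CONSTRUCTED_SAN = ["www.lvmtech.com", "lvmtech.com"]
CONSTRUCTED_HEADERS = {"Content-Type": "text/html", "Server": "nginx"}

if __name__ == "__main__":
    for name in ("www.lvmtech.com", "66.212.168.157.tor.pathcom.com"):
        print(name, assess(name, CONSTRUCTED_SAN, CONSTRUCTED_HEADERS))
```

With real input, feed the SAN list from the served certificate and the headers from an HTTPS response for each hostname the platform is reachable under, including any reverse-DNS name that resolves to the same IP.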