Author Topic: URL BlackList  (Read 4162 times)

0 Members and 1 Guest are viewing this topic.

Offline Bart4

  • Newbie
  • *
  • Posts: 16
URL BlackList
« on: July 21, 2023, 12:32:38 AM »
Starting Yesterday My browser (Chrome) which uses the extension keeps popping up with

We safely Aborted connection on ytbblockad.com because it was infected with URL blacklist..

I have blockAd extension and now disabling to see if that is the problem.
Anyone else see this?

I looked up via Whois and it is part of

Name: YTBBLOCKAD.COM
Registry Domain ID: 2772346130_DOMAIN_COM-VRSN
Domain Status:
clientTransferProhibited
Nameservers:
KIA.NS.CLOUDFLARE.COM

NEWT.NS.CLOUDFLARE.COM

Dates
Registry Expiration: 2024-04-12 09:35:00 UTC
Updated: 2023-04-12 09:35:02 UTC
Created: 2023-04-12 09:35:00 UTC
Contact Information
Registrant:
Handle: P-DPA188367
Name: Domain Admin
Organization: Whois Privacy Corp.
Email: OWNER@ytbblockad.com.customers.whoisprivacycorp.com
Phone: +1.5163872248
Mailing Address: Ocean Centre, Montagu Foreshore, East Bay Street, Nassau, New Providence, BS

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88786
  • No support PMs thanks
Re: URL BlackList
« Reply #1 on: July 21, 2023, 01:55:28 AM »
Try clearing your browser cache/history and cookies, restart the browser and see if that resolves it.

Even if you have an ad blocker I use uBlock Origin and uMatrix (not strictly an ad-blocker), avast would still be checking.

If you aren't directly trying to connect to that domain then the Avast Online Security (browser extension), isn't the problem unless it is a false positive. 

However even then it should be the Web Shield doing the blocking (not sure if that is what it is), it should throw up an Avast Alert window.
See attached Web Shield alert with details selected - I don't use the Avast browser extension.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Bart4

  • Newbie
  • *
  • Posts: 16
Re: URL BlackList
« Reply #2 on: July 21, 2023, 09:14:23 PM »
Turns out that AD-Block extension is the reason avast is reporting it. Seems someone doesn't like ad block tools.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88786
  • No support PMs thanks
Re: URL BlackList
« Reply #3 on: July 21, 2023, 09:54:32 PM »
Turns out that AD-Block extension is the reason avast is reporting it. Seems someone doesn't like ad block tools.

As I mentioned "I use uBlock Origin and uMatrix (not strictly an ad-blocker), avast would still be checking" and I don't get this issue with those.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33873
  • malware fighter
Re: URL BlackList
« Reply #4 on: July 22, 2023, 01:55:22 PM »
The site is a parked site, https://sitecheck.sucuri.net/results/YTBBLOCKAD.COM
See 7 times being flagged as malicious at VT:
https://www.virustotal.com/gui/url/dcd4c9d6942ef00011b70bf41c82fd08414c3acdf5b73d7ec0e130c745a964b6?nocache=1
Avast blocks the site as being unsafe,
9 detected communicating files flagged: https://www.virustotal.com/gui/ip-address/104.21.37.155/relations
(older results, while domains were previously SEDO-parked),
Read why this could lead to abuse: https://unit42.paloaltonetworks.com/domain-parking/
still reported frrom 2 days ago: https://www.virustotal.com/gui/domain/searaydubai.com (one of those links found as malicious)
See also: https://sitereport.netcraft.com/?url=https%3A%2F%2FYTBBLOCKAD.COM
So being on Cloudflare is not always a guarantee a website is free of abuse... (some were NAMECHEAP addresses)

polonus
« Last Edit: July 22, 2023, 11:21:05 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline ordep

  • Newbie
  • *
  • Posts: 1
Re: URL BlackList
« Reply #5 on: July 26, 2023, 07:08:18 PM »
I keep getting this warning. It started yesterday.

I'm using Chrome and no adblock.

Has anyone seen something similar?








Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88786
  • No support PMs thanks
Re: URL BlackList
« Reply #6 on: July 26, 2023, 08:03:40 PM »
Try following the instructions in Reply #1 above.
https://forum.avast.com/index.php?topic=324372.msg1707169#msg1707169
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline wpjackson

  • Newbie
  • *
  • Posts: 1
Re: URL BlackList
« Reply #7 on: July 30, 2023, 06:40:22 PM »
For the last 2 days my webmail has been blocked by Avast (paid) with URL:phishing.

This has happened on 3 computers so far, with 2 different accounts (though with the same extension). No problem if Avast is deactivated.

Is this a false positive, or does Easily genuinely have a problem? I have reported to Avast as a false positive.

https://webmail.easily.uk/#/mail/list/msg

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33873
  • malware fighter
Re: URL BlackList
« Reply #8 on: August 02, 2023, 04:13:59 PM »
Found to be OK here: https://sitecheck.sucuri.net/results/https/webmail.easily.uk/#/mail/list/msg
Neither found to be flagged here: https://www.virustotal.com/gui/url/ca68b64cf0e9c63a0f52ae3c23cc137e18058a18488fc4fd50d2fd2c82151dfe?nocache=1
For me- cdn.appdynamics.com has been blocked (tracking)
See: https://urlscan.io/result/ebaafb60-857e-4361-8a3f-5fee7f4169e0/loading
Retirable code found:
Quote

angularjs   1.3.15   Found in -https://webmail.easily.uk/b177b3c/infrastructure.js _____Vulnerability info:
Medium   XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676   
Low   angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676   
Medium   Prototype pollution 47   12
Medium   XSS through xlink:href attributes CVE-2019-14863   
Medium   The attribute usemap can be used as a security exploit 49   
Medium   Universal CSP bypass via add-on in Firefox 51   
Medium   DOS in $sanitize 52   
Low   XSS in $sanitize in Safari/Firefox 53   
Low   End-of-Life: Long term support for AngularJS has been discontinued 54   
bootstrap   3.3.4   Found in -https://webmail.easily.uk/b177b3c/infrastructure.js _____Vulnerability info:
Medium   28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331   1
Medium   20184 XSS in data-target property of scrollspy CVE-2018-14041   
Medium   20184 XSS in collapse data-parent attribute CVE-2018-14040   
Medium   20184 XSS in data-container property of tooltip CVE-2018-14042   
Medium   XSS is possible in the data-target attribute. CVE-2016-10735   
jquery-ui   1.12.1   Found in -https://webmail.easily.uk/b177b3c/infrastructure.js _____Vulnerability info:
Low   XSS when refreshing checkboxes if usercontrolled data in labels 2101 CVE-2022-31160   
Medium   CVE-2021-41184 XSS in the `of` option of the `.position()` util   12
Medium   CVE-2021-41183 15284 XSS Vulnerability on text options of jQuery UI datepicker   
Medium   CVE-2021-41182 XSS in the `altField` option of the Datepicker widget   
Medium   CVE-2022-31160 XSS when refreshing a checkboxradio with an HTML-like initial text label   
moment.js   2.9.0   Found in -https://webmail.easily.uk/b177b3c/infrastructure.js _____Vulnerability info:
Low   reDOS - regular expression denial of service 2936   
Medium   Regular Expression Denial of Service (ReDoS) 22   
Low   Regular Expression Denial of Service (ReDoS) CVE-2017-18214   
High   This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale. CVE-2022-24785   1
jquery-ui-autocomplete   1.12.1   Found in -https://webmail.easily.uk/b177b3c/infrastructure.js
jquery-ui-dialog   1.12.1   Found in -https://webmail.easily.uk/b177b3c/infrastructure.js
jquery-ui-tooltip   1.12.1   Found in -https://webmail.easily.uk/b177b3c/infrastructure.js
jquery   3.5.1   Found in -https://webmail.easily.uk/b177b3c/infrastructure.js


Injected - VM995 content.js:8 injected: env: missing script "f14895c8-24ac-4fbe-82b2-760ec8b25d4c"!
Mt @ VM995 content.js:8 etc.
(anonymous) @ VM995 content.js:65

54 warnings on HTTP headers, subresource integrity errors 2, X-content-type-options, 3 errors,

Avast Online Security & Privacy now gives it the all green.

polonus (volunteer 3rd party cold recon website security-analyst and website-error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!