Author Topic: False Positive: Site Blocked - URL:Phishing  (Read 870 times)

Offline Dominik30

  • Newbie
  • *
  • Posts: 2
False Positive: Site Blocked - URL:Phishing
« on: September 20, 2023, 11:30:37 AM »
Hello,

The Avast software is saying that our company domain www[.]sklep[.]polysport.pl is blocked because of a phishing URL.

This has caused huge concerns among our customers who had your software on their laptops and PCs. Can we understand what happened here and what had triggered the false positive?

Thank you in advance for clarification.

Kind regards

Polysport

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37644
  • F-Secure user

Offline Dominik30

  • Newbie
  • *
  • Posts: 2
Re: False Positive: Site Blocked - URL:Phishing
« Reply #2 on: September 20, 2023, 12:56:36 PM »
I've already reported this problem via https://www.avast.com/false-positive-file-form.php

However, I've been told to update my virus database which obviously is not the solution I am looking for...

Even if it would work, I cannot reach all my customers to advise them to update their Avast virus database.

The site has also been scanned via multiple scanners such as VirusTotal etc.

https://www.virustotal.com/gui/ip-address/185.41.68.201
https://sitecheck.sucuri.net/results/www.sklep.polysport.pl



Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89433
  • No support PMs thanks
Re: False Positive: Site Blocked - URL:Phishing
« Reply #3 on: September 20, 2023, 01:42:10 PM »
It isn't just that sub domain but the whole domain that is being alerted on.

The VT link you posted is 2 years old:
New scan - https://www.virustotal.com/gui/url/06befde055bc5b7f2f3ef71a029ac88f9a33a333daf01869e02b7e29e3109291/detection, note the Links header (2 external links), these might also be implicated.
The second link, sucuri.net, isn't clear: whilst it gives it a "Low Security Risk", it isn't Minimal, and it also gives hardening improvements.

Some pointers also given here - https://en.internet.nl/site/polysport.pl/2342724/#

My virus database is up to date and it is still detected.
Note I'm an Avast User and not an Avast Employee.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33980
  • malware fighter
Re: False Positive: Site Blocked - URL:Phishing
« Reply #4 on: September 20, 2023, 02:07:39 PM »
Hello,

Avast flags the site https://www.sklep.polysport.pl/ as a phishing site.

Could be a SUCRO javascript phish. Obfuscation used to be phishing, your site has SUCRO javascript.

Also consider: https://www.shodan.io/host/185.41.68.201 (IP has not been reported for abuse).
But see the vulnerabilities that Shodan reports for that IP: https://www.shodan.io/host/185.41.68.224 (mainly for OpenSSH)

But wait for a final verdict from the Avast team,

Regards,

polonus
« Last Edit: September 21, 2023, 12:45:13 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!