Topic: Real threat in a link from AI Chat deepai dot org or a generic FP?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33986
  • malware fighter
Found by Quttera's here: https://quttera.com/detailed_report/deepai.org
Detected Malicious Files
File name: /press
Threat name: M.BL.Domain.gen
File type: HTML
Reason: Detected reference to malicious blacklisted domain -missionlocal.org
Details: Detected reference to blacklisted domain
Threat dump: [[missionlocal dot org]]
Threat MD5: 6C8C39655F33F65106943BAC5998EE8A
File MD5: 4A7089B1FD3C84B78C2E4E4C2E4FF794 (dot and - inserted by me for safety reasons, pol)

VT does not flag this: https://www.virustotal.com/gui/url/801a52d6ed7df254e09288515a06089489dcfe20f2499eabd2d49df469f4e717/details

The buzz word here is WordPress (link to a local news site in San Francisco that also has the deepai.org server location -nginx). See: https://hackertarget.com/wordpress-security-scan/

polonus (volunteer 3rd party cold recon website-security analyst and website error-hunter)
« Last Edit: May 08, 2024, 01:23:21 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
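What Quttera's M.BL.Domain.gen hit actually means is "this HTML references a listed domain", not "this page serves malware". The added example below (my own illustration, not Quttera's code or anything from deepai.org) walks a page's outbound references, matches hostnames against a constructed blocklist including parent domains, and separates a plain link (reference only, the usual FP case) from a script or iframe that would actually load content from the listed domain; the URLs are defanged in the output the same way polonus does.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist and page fragment for illustration; not the real
# Quttera list and not the real deepai.org /press page.
BLOCKLIST = {'missionlocal.org', 'jweekly.com'}

SAMPLE_HTML = """
<a href="https://www.missionlocal.org/2024/some-article">press coverage</a>
<script src="https://c0.wp.com/c/6.5.3/wp-includes/js/dist/vendor/wp-polyfill-inert.min.js"></script>
<iframe src="https://example.net/embed"></iframe>
<a href="/about">about</a>
"""

class RefCollector(HTMLParser):
    """Collect every absolute URL the page references, tagged with the loading tag."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ('href', 'src') and value and '://' in value:
                self.refs.append((tag, value))

def defang(url):
    """Render a URL so it cannot be clicked by accident in a report."""
    return url.replace('http', 'hxxp', 1).replace('.', '[.]')

def blocklisted_parent(host):
    """Return the blocklist entry matching host or one of its parent domains, else None."""
    labels = host.lower().split('.')
    for i in range(len(labels) - 1):
        candidate = '.'.join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None

def scan(html):
    parser = RefCollector()
    parser.feed(html)
    hits = []
    for tag, url in parser.refs:
        entry = blocklisted_parent(urlparse(url).hostname or '')
        if entry:
            # An <a> link only references the domain (a generic blacklist hit);
            # a <script> or <iframe> would execute or render content from it.
            hits.append({'tag': tag, 'domain': entry,
                         'active': tag in ('script', 'iframe'), 'url': defang(url)})
    return hits
```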

Offline polonus

But this link there seems parked: htxps://c0.wp.com/c/6.5.3/wp-includes/js/dist/vendor/wp-polyfill-inert.min.js

According to an A.I. review, the code is "This code seems to be defining classes and functions for managing inert elements in a web page. The code is minified and difficult to read, but based on the function names and structure, it appears to be safe for use. However, without further context on how this code is being used or integrated into a web application, it is difficult to provide a definitive answer on its safety. It's always recommended to review and understand the code before implementing it in a production environment". Information is very important for PII.

And also, this is blocked: htxps://optout.33across.com/ (category: adsnetwork).
Also consider: https://urlscan.io/result/6ee5cc94-72ac-4eb8-9609-c25e6b6db6d7/
and in particular there: https://urlscan.io/result/6ee5cc94-72ac-4eb8-9609-c25e6b6db6d7/#indicators
and [DOM] Input elements should have autocomplete attributes (suggested: "current-password")

AI warns in this way (quote):
Based on the indicators provided in the scan report for missionlocal.org, it appears that there are some potential security concerns related to the domain.

One of the concerns is the expiration date of the cookies set on the domain, which are set to expire on January 21, 1970. This could indicate a misconfiguration or a potential security issue with the cookies.

Additionally, there are warnings about third-party cookies being blocked, which could impact the user experience or functionality on the website.

It's important to review and address these security concerns to ensure the website is secure and functioning properly.
source: deepai Bot commenting.

polonus
« Last Edit: May 08, 2024, 11:25:33 PM by polonus »
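The "cookies expiring on January 21, 1970" concern the bot raises is worth a closer look: a cookie that is already expired on arrival is simply deleted by the browser, and an expiry about twenty days after the Unix epoch is the classic fingerprint of a seconds timestamp being written where milliseconds were expected (today's epoch seconds divided by 1000 land in January 1970). The added example below (mine, not from urlscan or deepai) parses Set-Cookie headers and sorts them into session, persistent, deliberate deletion and likely unit bug; the headers and the clock value are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers modelled on the urlscan finding; not captured traffic.
SAMPLE_SET_COOKIE = [
    'sid=abc123; Expires=Wed, 21 Jan 1970 00:20:00 GMT; Path=/; Secure; HttpOnly',
    'pref=dark; Expires=Thu, 08 May 2025 12:00:00 GMT; Path=/',
    'track=1; Max-Age=0; Path=/',
    'tmp=xyz; Path=/',
]
# Fixed "current time" so the classification is reproducible (the scan date).
NOW = datetime(2024, 5, 8, 12, 0, 0, tzinfo=timezone.utc)

def cookie_expiry(header, now=NOW):
    """Effective expiry of a Set-Cookie header, or None for a session cookie."""
    attrs = {}
    for part in header.split(';')[1:]:
        key, _, value = part.strip().partition('=')
        attrs[key.lower()] = value
    if 'max-age' in attrs:  # Max-Age wins over Expires (RFC 6265)
        return now + timedelta(seconds=int(attrs['max-age']))
    if 'expires' in attrs:
        return parsedate_to_datetime(attrs['expires'])
    return None

def classify_cookie(header, now=NOW):
    exp = cookie_expiry(header, now)
    if exp is None:
        return 'session'
    if exp > now:
        return 'persistent'
    # Expired on arrival: the browser discards it. If the expiry sits near
    # now/1000 seconds after the epoch, a seconds value was treated as
    # milliseconds: a unit bug that silently kills the cookie, not an intrusion.
    if exp.year == 1970 and abs(exp.timestamp() - now.timestamp() / 1000) < 86400:
        return 'expired-unit-bug'
    return 'expired-deletion'

def classify_all(headers=SAMPLE_SET_COOKIE, now=NOW):
    return {h.split('=', 1)[0]: classify_cookie(h, now) for h in headers}
```

A cookie in the unit-bug bucket is a functionality defect (logins or preferences will not persist) rather than a sign of compromise, which is how this scan finding should be triaged.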

Offline polonus

And there is more, when we probe further at what urlscan provides for us—look at these redirects found:
There were HTTP redirect chains for the following requests:

Request Chain 132 (pretty print)
 hxtps://c.go-fet.ch/j/A-62063c3e38d42244940386a921b4e6e3.json HTTP 301
 hxtps://c.go-fet.ch/j/88e63b63ff2ef939bbb98206afb0eea1.json  (do not visit!) (parked content delivery)

Comment: HTTP redirect chains like the one you described can potentially be used to mask malicious activities, track user behaviour, or deliver unwanted content. In some cases, they may lead to phishing sites, malware distribution, or other security threats. It's essential to be cautious when encountering redirect chains and thoroughly investigate the URLs involved to ensure your safety and protect your data.

If you come across redirect chains while browsing, exercising caution, utilising security tools, and being aware of potential risks can help you stay safe online. Thank you for highlighting this issue and reminding others to be mindful of redirect chains when navigating the web.

polonus

Offline polonus

How do things stand now? According to these security scan results for the scanned website, hxtps://missionlocal.org, here is a summary of the findings from Quttera's:

Malicious files: 0
Suspicious files: 0
Potentially suspicious files:
Clean files: 9
External links detected: 673
Iframes scanned: 7
Referenced domains: 0

Blacklisted links detected: 363
Blacklisted iframes: 0
Referenced blacklisted domains: this website and -jweekly.com.
Blacklisted: Yes

SSL Certificate details: Available via API only.

Blacklisting Status:

Quttera Labs: Blacklisted
ZeusTracker: Clean
Yandex Safebrowsing: Clean
MalwareDomainList: Clean
Phishtank: Clean
Google: Clean
StopBadware: Clean
URLhaus: Blacklisted
While the scan detected some blacklisted links and one potentially malicious file related to unconditional redirection, the overall analysis shows that the website has a minimal number of suspicious or malicious elements. It's recommended to address any detected issues, such as the unconditional redirection, to ensure the website's security and prevent potential risks to visitors.

polonus
« Last Edit: May 08, 2024, 11:48:31 PM by polonus »