Address has been blocked notification

[RandyEVO 0]

Think this is the right area to post this... been getting this popup for a blocked address, https://secure-drm.imrworldwide.com IP 3.17.238.130 and cant get it to go away, made sure it wasnt notifications or extensions on google chrome and there doesn't seem to be anything else. anyone else have something similar? Image attached. Thanks!

[Marcos 4,360]

When does the alert pops up? When you launch a browser or a specific application, when browsing websites, etc? If it's browser related, does it pop up when running any other browsers?

By the way, it appears that you have ESET Endpoint v5 installed. I'd strongly recommend upgrading to EPv7.

[itman 1,436]

As far as that IP address goes, it resolves to Amazon: https://www.robtex.com/dns-lookup/ec2-3-17-238-130.us-east-2.compute.amazonaws.com .

-EDIT- As far as domain https://secure-drm.imrworldwide.com goes, it is associated with:

Quote

The IP number is 138.108.140.100. The IP number is in Schaumburg, United States. It is hosted by Route for Nielsen.

Secure-drm.imrworldwide.com has a chain of two CNAMEs ultimately pointing to secure-hongkong.imrworldwide.com. Secure-hongkong.imrworldwide.com has one IP number.

Per Robtex: https://www.robtex.com/dns-lookup/secure-drm.imrworldwide.com

Finally, IPVOID states 3.17.238.130 is not a valid IP address. Makes sense since it appears it is trying to directly access a backbone server. Appears something is screwed up DNS-wise.

Edited February 15, 2019 by itman

[Wynot 0]

I have a user that has also been getting this for a few days.  Turns out its Iheart.com.  She uses the website to play music instead of an I Heart Radio app and in the page source there are references to that site several times.  She first reported this yesterday, 2/14/2019.

The pop-up hits her desktop but doesn't register anything in the logs.

[itman 1,436]

1 hour ago, Wynot said:

Turns out its Iheart.com

The site itself is clean per URLVoid: https://www.urlvoid.com/scan/iheart.com/ .

When I connect using iheart.com, I end up at quickio.iheart.com with an IP address of 34.195.19.104. Interestingly, that also resolves to Amazon per Robtex: https://www.robtex.com/ip-lookup/34.195.19.104 .

The common theme to these alerts appears to be the connection to Amazon servers in the U.S.. Also I use EIS and are receiving no alerts on any of these connections.

-EDIT- Forgot to mention to did observe routing connections through the Amazon backbone servers.

Edited February 15, 2019 by itman

[Wynot 0]

Additional info, this is a Win 10 PC.  I have a Win 7 user who also connects to iheart.com and does not receive these alerts even though the same address is present in the source code.

[Wynot 0]

Scratch that, the Win 7 user just got her 1st popup, same information.

[Marcos 4,360]

Since the domain seems to be used for tracking and analytical purposes, we will unblock it.

[rshanwk 0]

Marcos, I am still getting blocked from this on my clients machine. As of 2/15 updated engine/defs with same results. Please advise on how to unblock. User is getting frustrated with the constant pop-ups. They are using iheart in chrome browser. Thank you.

[Marcos 4,360]

21 minutes ago, rshanwk said:

Marcos, I am still getting blocked from this on my clients machine. As of 2/15 updated engine/defs with same results. Please advise on how to unblock. User is getting frustrated with the constant pop-ups. They are using iheart in chrome browser. Thank you.

Please post the appropriate row from the Filtered websites log.