Website False Positive

[BTECH 0]

Our e-commerce website is being blocked by ESET for a false positive for malware. (JS/Spy.Banker.KJ).

Please help us remove the false positive and whitelist the website: https://baofengtech.com

Thank you

[Marcos 4,243]

The detection is correct. Searching for "onload=' (function ()" should help you locate the malicious JavaScript.

[rotaru 3]

1 hour ago, Marcos said:

The detection is correct.

From 93 software on 'Virus Total" only ONE detects this site as "malicious" (and is not ESET)

[Marcos 4,243]

ESET did not blacklist the website but detect and blocks the malicious JS on it.

[itman 1,398]

I will also note that since the server associated with this web site is deploying a web application firewall, scanning of the web site via public validation sources will not show the malware on the web site:

Edited June 21 by itman

[itman 1,398]

I would also strongly advise appropriate web site temporary mitigations be deployed until this matter is resolved:

Quote

Technical Details

Trojan-Spy:W32/Banker is a large family of data-stealing trojans. Banker variants attempt to steal access information for various online banking and payment system websites. Details stolen include login credentials, passwords, PINs and so on. The stolen information is usually uploaded to a hacker's website using a webform.

The most vulnerable users are those whose logins and passwords for sensitive online banking or payment accounts remain static at each login session. For this reason, many online banking websites are changing their security processes to use one-time passwords that expire after being used once.

https://www.f-secure.com/v-descs/trojan-spy_w32_banker.shtml

Edited June 21 by itman

[BTECH 0]

6 hours ago, rotaru said:

From 93 software on 'Virus Total" only ONE detects this site as "malicious" (and is not ESET)

We did reach out to Netcraft and they have rescanned the site and they confirmed the issue was resolved (email attached).

We run both Jetpack and Wordfence website scans which confirm no malicious code detected or present, we also flushed any cache from cloud flare. Searching for "onload=' (function ()" also did not bring up anything out of the ordinary.

What are other steps we can run? Thanks!

 

[Marcos 4,243]

It's still there:

[itman 1,398]

25 minutes ago, BTECH said:

We did reach out to Netcraft and they have rescanned the site and they confirmed the issue was resolved (email attached).

What the poster of the VT results did not do was perform a web site re-scan. The results he posted are 3 months old.

When I did a rescan at VT a few hours ago, NetCraft showed no detections. I assume the previous NetCraft detection was removed some time ago.

Note that VT web site analysis is static for vendors posted there. They are not performing detailed dynamic analysis such as analyzing malicious javascript code as Eset installed web access product scanning does.

Edited June 21 by itman

[BTECH 0]

1 hour ago, Marcos said:

It's still there:

This was traced back to a HTML block in the Wordpress theme, either way - the block has been deleted.

Please confirm that the issue is resolved - thank you for your help.

[Marcos 4,243]

I've tried browsing the website and no alert was generated so it looks clean now.

[BTECH 0]

Thank you for your assistance!