hellosky11  Posted September 21

Kindly send these websites to malware researchers. I tried sending them via my Gmail account to samples, but Gmail is bouncing my email back; I tried every possible way, but Gmail is not allowing me to send these links.

Phishing/spam/scam websites:
itman  Posted September 21 (edited)

1 hour ago, hellosky11 said:
    phishing/spam/scam websites

Eset detects these domains as Suspicious, resulting in a Potentially Unwanted Content alert upon attempted web site access. For a number of these domains, Eset is the only vendor at VT to do so.
itman  Posted September 22 (edited)

@Marcos, Eset detects this domain, https://pladyzone.cyou/Kyrcx/#MEMAILBASE64, as suspicious at VT. However, Eset isn't blocking it in Firefox and allows access to the web site. Since the first thing the site does is require logon to a Microsoft account, this needs to be attended to ASAP. Of interest is that Cloudflare intercepts the connection but deems it safe. Also of interest is that Cloudflare intercepts some of these web sites as phishing prior to any determination by Eset.
Marcos (Administrators)  Posted September 22

2 hours ago, itman said:
    @Marcos, Eset detects this domain, https://pladyzone.cyou/Kyrcx/#MEMAILBASE64, as suspicious at VT. However, Eset isn't blocking it in Firefox and allows access to the web site. Since the first thing the site does is require logon to a Microsoft account, this needs to be attended to ASAP. Of interest is that Cloudflare intercepts the connection but deems it safe.

I was unable to reproduce it; the URL was blocked.
itman  Posted September 22

13 minutes ago, Marcos said:
    I was unable to reproduce it; the URL was blocked.

Now this is indeed interesting. Using Cloudflare DNS servers, Eset doesn't detect the domain; if I revert to my ISP DNS servers, Eset blocks access to the domain. Remember I previously noted that Cloudflare intercepted the connection, scanned it, and stated it was safe. It appears that Cloudflare DNS checking overrides Eset's Web Filtering checking.
foxtigerjungle  Posted September 22

@itman So would the detection also look different with Google or Quad9 DNS?
itman  Posted September 22

52 minutes ago, foxtigerjungle said:
    @itman So would the detection also look different with Google or Quad9 DNS?

Changing the Firefox DNS provider made no difference. The only way I get an Eset detection is by using my ISP DNS servers.
QuickSilverST250  Posted September 23

Yes, we have found this as well. When using a VPN or another DNS, ESET does not detect any web or phishing links.
IvanL_5306  Posted September 23

13 hours ago, itman said:
    If I revert to my ISP DNS servers, Eset blocks access to the domain. Remember I previously noted that Cloudflare intercepted the connection, scanned it, and stated it was safe. It appears that Cloudflare DNS checking overrides Eset's Web Filtering checking.

Could this be a security vulnerability?
itman  Posted September 23

9 hours ago, IvanL_5306 said:
    Could this be a security vulnerability?

I would consider it such, in that Cloudflare DNS validation is bypassing Eset Web filtering if Cloudflare deems the web site safe and Eset does not. The only fix presently is not to use DoH in Firefox. There also might be a way to disable Cloudflare security validations in Firefox, but I haven't been able to find the setting for it.
hellosky11 (Author)  Posted September 23

Sharing fake Android antivirus app hashes, downloaded from the Samsung store; all the apps are developed by the same vendor/person.

Hashes:
0a8c7cfac04a4b0b094e75bd4d3ab34da1d0cab8895c6ec407a23c1d33a42aa3
f0cae7ef86c212b8dc863b78bda9f8f45706243b44b6fa71a9f390c4292ce163
c30b793c60793ae6c04f81ba787d63abe447fcbcf1a2b8efaa19b1029c4c129a
cd4eb4192a1dad86297dc4241ee7dcde871aa3915db816071a715d7d3723d02a

Samples can be downloaded from VirusTotal. I sent the hashes directly to Bitdefender, Dr.Web, Avira, Avast and Norton, and they all have created detections, but Eset still has not.
HGStyle  Posted September 23

Also maybe try https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en/ if you didn't yet, so the links get reported in Chromium-based browsers or browsers supporting Google's Safe Browsing feature.
IvanL_5306  Posted September 25

On 9/23/2024 at 11:50 PM, itman said:
    I would consider it such, in that Cloudflare DNS validation is bypassing Eset Web filtering if Cloudflare deems the web site safe and Eset does not. The only fix presently is not to use DoH in Firefox. There also might be a way to disable Cloudflare security validations in Firefox, but I haven't been able to find the setting for it.

What about Google DNS?
foxtigerjungle  Posted September 25

Is this a serious case? What reduces the security provided by ESET?
hellosky11 (Author)  Posted September 25

On 9/23/2024 at 10:49 PM, hellosky11 said:
    Sharing fake Android antivirus app hashes, downloaded from the Samsung store; all the apps are developed by the same vendor/person.
    Hashes:
    0a8c7cfac04a4b0b094e75bd4d3ab34da1d0cab8895c6ec407a23c1d33a42aa3
    f0cae7ef86c212b8dc863b78bda9f8f45706243b44b6fa71a9f390c4292ce163
    c30b793c60793ae6c04f81ba787d63abe447fcbcf1a2b8efaa19b1029c4c129a
    cd4eb4192a1dad86297dc4241ee7dcde871aa3915db816071a715d7d3723d02a
    Samples can be downloaded from VirusTotal. I sent the hashes directly to Bitdefender, Dr.Web, Avira, Avast and Norton, and they all have created detections, but Eset still has not.

@Marcos, can you get these checked? Thanks.
itman  Posted September 25 (edited)

12 hours ago, IvanL_5306 said:
    What about Google DNS?

Not desirable in Firefox; see https://wiki.mozilla.org/Security/DOH-resolver-policy#Conforming_Resolvers

-EDIT- I set the Firefox DoH DNS servers to Google DNS and verified this was the case. Guess what? The domain, https://pladyzone.cyou/Kyrcx/#MEMAILBASE64, was still intercepted by Cloudflare, scanned, deemed clean, and the web site rendered, bypassing Eset web filtering. Based on this, there appears to be no way to override Cloudflare scanning other than not using DoH in Firefox.
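An added audit check, not from the thread, ESET or Mozilla, for the mitigation itman arrives at (turn DoH off in Firefox): it reads the network.trr.* prefs from a Firefox prefs.js, applies a distribution/policies.json DNSOverHTTPS policy, and reports whether the browser will still resolve names over DoH rather than the system resolver that a local web filter sees. The pref names, mode values and policy keys are Firefox's own; the prefs.js content is a constructed sample.

```python
import json
import re

# Firefox DoH ("TRR") modes as stored in prefs.js / user.js.
TRR_MODES = {
    0: "off (Firefox default)",
    2: "DoH first, system DNS as fallback",
    3: "DoH only, no system DNS fallback",
    5: "off (disabled by user)",
}

# Constructed sample prefs.js (not a real profile): DoH on, Cloudflare endpoint.
PREFS_JS = """// Mozilla User Preferences
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
user_pref("network.trr.custom_uri", "");
user_pref("browser.startup.homepage", "about:home");
"""

# Enterprise policy (distribution/policies.json) that forces DoH off and
# locks the setting, so lookups go back through the system resolver.
HARDENED_POLICY = {"policies": {"DNSOverHTTPS": {"Enabled": False, "Locked": True}}}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text: str) -> dict:
    """Parse user_pref(...) lines; values keep their JS type (str/bool/int)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if raw.startswith('"'):
            prefs[key] = json.loads(raw)      # quoted string
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"        # boolean
        else:
            prefs[key] = int(raw)             # integer pref
    return prefs

def doh_status(prefs: dict, policy: dict = None) -> dict:
    """Say whether Firefox will send DNS over HTTPS; policy overrides prefs.js."""
    mode = int(prefs.get("network.trr.mode", 0))
    resolver = prefs.get("network.trr.custom_uri") or prefs.get("network.trr.uri")
    pol = (policy or {}).get("policies", {}).get("DNSOverHTTPS", {})
    active = mode in (2, 3)
    if "Enabled" in pol:                      # policy wins over the profile
        active = bool(pol["Enabled"])
    return {"mode": mode, "mode_desc": TRR_MODES.get(mode, "unknown/reserved"),
            "resolver": resolver or None, "doh_active": active,
            "policy_locked": bool(pol.get("Locked", False))}
```

Mode 2 or 3 without a disabling policy means the browser's lookups never reach the system resolver, which matches the behaviour reported in this thread; the hardened policy brings them back.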
itman  Posted September 26 (edited)

19 hours ago, itman said:
    The domain, https://pladyzone.cyou/Kyrcx/#MEMAILBASE64, was still intercepted by Cloudflare, scanned, deemed clean, and the web site rendered, bypassing Eset web filtering.

I believe I found out what is causing this. When I connect to this domain, it's via IPv6. My ISP uses 6rd tunneling for its internal network IPv6 connections. This also implies DNS64 is being deployed. It appears that when DoH is used in Firefox, it is overriding ISP-based 6rd processing, to the effect that Cloudflare-based phishing and similar validation processing is being deployed. This implies it also has redirected ISP 6rd tunnel processing in some way such that Eset Web-based filtering can't properly perform its validations. My ISP 6rd tunnel processing has been a constant and ongoing issue with Eset, so I am not surprised by this Firefox DoH issue.