phishing, spam, scam links



Kindly send these websites to malware researchers. I tried sending them via my Gmail account to samples, but Gmail is bouncing back my email. I tried every possible way, but Gmail is not allowing me to send these links.





phishing/spam/scam websites



1 hour ago, hellosky11 said:
phishing/spam/scam websites

Eset detects these domains as Suspicious resulting in a Potentially Unwanted Content alert upon attempted web site access. For a number of these domains, Eset is the only vendor at VT to do so.

Edited by itman

@Marcos, Eset detects this domain, https://pladyzone.cyou/Kyrcx/#MEMAILBASE64, as suspicious at VT. However, Eset isn't blocking it in Firefox and allows access to the web site. Since the first thing the site does is require a logon to a Microsoft account, this needs to be attended to ASAP. Of interest is that Cloudflare intercepts the connection but deems it safe.

Also of interest is that Cloudflare intercepts some of these web sites as phishing prior to any determination by Eset.

Edited by itman

2 hours ago, itman said:

@Marcos, Eset detects this domain, https://pladyzone.cyou/Kyrcx/#MEMAILBASE64, as suspicious at VT. However, Eset isn't blocking it in Firefox and allows access to the web site. Since the first thing the site does is require a logon to a Microsoft account, this needs to be attended to ASAP. Of interest is that Cloudflare intercepts the connection but deems it safe.

I was unable to reproduce it; the URL was blocked:

[screenshot]


13 minutes ago, Marcos said:

I was unable to reproduce it; the URL was blocked

Now this is indeed interesting.

Using Cloudflare DNS servers, Eset doesn't detect the domain:

[screenshot: Eset_Phish.png]

If I revert to my ISP DNS servers, Eset blocks access to the domain. Remember I previously noted that Cloudflare intercepted the connection, scanned it, and stated it was safe. It appears that Cloudflare DNS checking overrides Eset's Web Filtering checking.


52 minutes ago, foxtigerjungle said:

@itman

So would the detection also look different with Google or QUAD9 DNS?

Changing Firefox DNS provider made no difference. Only way I get an Eset detection is by using my ISP DNS servers.


13 hours ago, itman said:

If I revert to my ISP DNS servers, Eset blocks access to the domain. Remember I previously noted that Cloudflare intercepted the connection, scanned it, and stated it was safe. It appears that Cloudflare DNS checking overrides Eset's Web Filtering checking.

Could this be a security vulnerability?


9 hours ago, IvanL_5306 said:

Could this be a security vulnerability?

I would consider it such in that Cloudflare DNS validation is bypassing Eset Web filtering if Cloudflare deems the web site safe and Eset does not.

The only fix presently is not to use DoH in Firefox. There also might be a way to disable Cloudflare security validations in Firefox, but I haven't been able to find the setting for it.

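An added example, not part of the thread: a Python check that reads a Firefox prefs.js or user.js and reports whether DoH (the real Firefox preferences network.trr.mode and network.trr.uri) is active and which resolver it points at, so a defender can confirm the setting the post above says to turn off. The prefs content below is constructed for the example.

```python
import re

# Constructed sample of a Firefox prefs.js (not taken from the thread).
# network.trr.mode / network.trr.uri are the real Firefox DoH preferences.
SAMPLE_PREFS = '''
user_pref("browser.startup.page", 3);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
'''

# Matches one user_pref("name", value); line.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')

# Meaning of network.trr.mode values as documented by Mozilla.
TRR_MODES = {
    0: "off (browser default applies)",
    1: "reserved (treated as off)",
    2: "DoH first, fall back to the system resolver",
    3: "DoH only, no fallback",
    5: "off by user choice",
}


def parse_prefs(text):
    """Return {pref_name: value} from prefs.js / user.js contents."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]          # string pref
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"      # boolean pref
        else:
            prefs[name] = int(raw)           # integer pref
    return prefs


def doh_status(prefs):
    """Summarise whether DoH (TRR) is active and which resolver it uses."""
    mode = prefs.get("network.trr.mode")     # None when the pref is not set
    active = mode in (2, 3)
    return {
        "mode": mode,
        "description": TRR_MODES.get(mode, "not set (browser default applies)"),
        # In mode 2/3 lookups go to the DoH resolver, not the ISP/system
        # resolver: the configuration the thread identifies as the problem.
        "resolver": prefs.get("network.trr.uri") if active else None,
        "doh_active": active,
    }
```

Run it against a real profile by replacing SAMPLE_PREFS with the contents of the profile's prefs.js; a result with doh_active true means the thread's workaround (disabling DoH) has not been applied.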

Sharing fake Android antivirus app hashes downloaded from the Samsung store; all the apps are developed by the same vendor/person.

 

hashes:

 
Samples can be downloaded from VirusTotal.
 
I sent the hashes directly to Bitdefender, Dr.Web, Avira, Avast and Norton, and they all have created detection, but Eset still has not.

On 9/23/2024 at 11:50 PM, itman said:

I would consider it such in that Cloudflare DNS validation is bypassing Eset Web filtering if Cloudflare deems the web site safe and Eset does not.

The only fix presently is not to use DoH in Firefox. There also might be a way to disable Cloudflare security validations in Firefox, but I haven't been able to find the setting for it.

What about Google DNS?


On 9/23/2024 at 10:49 PM, hellosky11 said:

Sharing fake Android antivirus app hashes downloaded from the Samsung store; all the apps are developed by the same vendor/person.

 

hashes:

 
Samples can be downloaded from VirusTotal.
 
I sent the hashes directly to Bitdefender, Dr.Web, Avira, Avast and Norton, and they all have created detection, but Eset still has not.

@Marcos, can you get these checked?

Thanks.


12 hours ago, IvanL_5306 said:

What about Google DNS?

Not desirable in Firefox:

[screenshot: Eset_DNS.png]

https://wiki.mozilla.org/Security/DOH-resolver-policy#Conforming_Resolvers

-EDIT- I set Firefox DoH DNS servers to Google DNS. Verified this was the case:

[screenshot: Eset_Googlw.png]

Guess what? The domain, https://pladyzone.cyou/Kyrcx/#MEMAILBASE64, was still intercepted by Cloudflare, scanned, deemed clean, and the web site rendered, bypassing Eset web filtering. Based on this, there appears to be no way to override Cloudflare scanning other than not using DoH in Firefox.

Edited by itman

19 hours ago, itman said:

The domain, https://pladyzone.cyou/Kyrcx/#MEMAILBASE64, was still intercepted by Cloudflare, scanned, deemed clean, and the web site rendered, bypassing Eset web filtering.

I believe I found out what is causing this.

When I connect to this domain it's via IPv6. My ISP uses 6rd tunneling for its internal network IPv6 connections. This also implies DNS64 is being deployed.

It appears that when DoH is used in Firefox, it is overriding ISP-based 6rd processing, to the effect that Cloudflare-based phishing and similar validation processing is being deployed. This implies it has also redirected ISP 6rd tunnel processing in some way such that Eset web-based filtering can't properly perform its validations.

My ISP's 6rd tunnel processing has been a constant and ongoing issue with Eset, so I am not surprised by this Firefox DoH issue.

Edited by itman
