Prof_Bobo

ANSWERED FP Phishing Warning


The site I administer, hxxp://crm.oxifresh.com (IP 104.20.183.33) seems to be errantly triggering a Phishing warning on Malwarebytes for Android. As soon as the user navigates to any URL in the invoices section, ex. hxxp://crm.oxifresh.com/invoices, hxxp://crm.oxifresh.com/invoices/edit, etc:

[Attached image: image_from_ios.jpg]

 

I don't see any evidence of malicious activity on this domain, and cross checked it with Google's Transparency Report's Safe Browsing tool, SpamHaus, and MXToolbox which all listed it as safe as well. 

 

Can this be fixed? 

 

Thanks!


Can you please attach the image one more time as we are not able to access it at this point?


Sure - here's the screencap of the error message users are getting, it's happening in both browsers tested, Chrome and Firefox:

[Two attached screenshots of the Malwarebytes warning]

 

Hi, can you please tell us what database and versions you're running in Android? I can find neither the site nor the IP range in our database. Attach any logs generated showing the blocks, thanks.

Edited by TeMerc


App Version: 3.7.2.1

Malware database: 2019.08.28.01

Phishing database: 2019.08.29.07

 

So, in further testing, I'm not sure this actually is anything to do with my domain specifically.

It doesn't seem to trigger on the entire domain in general, only the exact second you type out certain URLs containing "invoices", so the one on my own site "hxxp://crm.oxifresh.com/invoices/edit", type the last "t" and the popup shows up, you don't even need to hit enter and navigate to the site.

I was also tellingly able to reproduce this on other domains, like say "reddit.com/invoices", hit the last "s" and it pops up:

[Attached screenshot of the Malwarebytes warning]

 

Or "cnn.com/invoices": 

[Attached screenshot of the Malwarebytes warning]

 

Some kind of overzealous protection bug? 

 
