LensLock Posted November 13, 2020 ID:1420711

Malwarebytes Website Blocking False Positive Report

Reported By: Christian Boynton, CIO at LensLock, Inc.
Reporting Date: Nov. 13, 2020

Backup Servers / Other Affected IPs
52.247.175.244
52.247.170.110
52.247.170.82
52.247.170.209
52.247.172.3
13.72.23.59
52.227.155.240
52.227.136.127

Affected Hostnames/URLs
hxxp://portal.lenslock.com/
hxxp://lenslock-app-prod.azurewebsites.us/
hxxp://mppd.lenslock.com/
hxxp://lenslock-app-mppd.azurewebsites.us/

Search for Pre-Existing Post
This task is complete. No duplicate posts exist for any of our provided IPs in the Website Blocking forum.

Excerpt of Protection Log
Our customers have not provided log files. However, many customers are affected. We are attempting to gather logs from our customers at this time.

Issue Summary
Our users with Malwarebytes OEM software or derivative off-brand builds (utilizing the Malwarebytes engine and definition files) are experiencing web browser errors. They cannot access our site. The browser indicates the URL timed out. After disabling the Malwarebytes website blocking services, our sites are accessible again. Systems on the same network without Malwarebytes services installed are not affected.

Requested Resolution
Please delist our stated websites and IP addresses from your list of malicious websites. We personally know and work closely with our customers and have no intention of harming them or their staff. If possible, we want to understand why our sites are on the malicious website list. Thank you for the assist!
Staff thisisu Posted November 13, 2020 ID:1420720

Hello,

Sorry that this has inconvenienced your customers. We would need logs to provide further assistance. I checked our database for those IP addresses and domains you listed, but they aren't in there.

Thank you
Porthos Posted November 13, 2020 ID:1420722

A couple have Browser Guard blocks and a couple have "403" errors.
Staff thisisu Posted November 13, 2020 ID:1420723

Just now, Porthos said: A couple have Browser Guard blocks and a couple have "403" errors.

Noticing the same. Moving to Browser Guard subforum.

Thank you
LensLock (Author) Posted November 13, 2020 ID:1420731

@thisisu Thank you for the research into our issue and the post redirection. Please let us know if any additional information is required to resolve this issue.
Staff thisisu (Solution) Posted November 13, 2020 ID:1420742

Ok, I found the issue. There was a parent block active due to a phish: https://www.virustotal.com/gui/url/aa280b901f78db08d76fdc28f0bdc5c9cebc0a3448233b85b8346a6327d87946/details

I've removed the block, which should be reflected in our next database update. Thanks for your patience and for having the site cleaned. Let us know if there are any other outstanding issues.

Regards
LensLock (Author) Posted November 13, 2020 ID:1420751

Thank you for the sleuthing @thisisu and also @Porthos. Though, we might be dealing with multiple issues here. The IP 162.241.158.222 given by VirusTotal hosts our production marketing website and is operated by a third party. I believe that some other unrelated marketing sites are also hosted by that IP. It was not in the original list of our affected IPs submitted here. That said, the marketing site may also be affected by this block. We are actively reaching out to the marketing firm to identify any issues. We are beginning a security review process on that site. Thank you for finding this!

Our customers reported some of the 8 IPs listed in the OP as inaccessible (they use the domain name, and a controller selects from the IPs provided). We weren't aware that the marketing site was also unavailable.
Staff thisisu Posted November 14, 2020 ID:1420836

18 hours ago, LensLock said: Thank you for the sleuthing @thisisu and also @Porthos. Though, we might be dealing with multiple issues here. The IP 162.241.158.222 given by VirusTotal hosts our production marketing website and is operated by a third party. I believe that some other unrelated marketing sites are also hosted by that IP. It was not in the original list of our affected IPs submitted here. That said, the marketing site may also be affected by this block. We are actively reaching out to the marketing firm to identify any issues. We are beginning a security review process on that site. Thank you for finding this! Our customers reported some of the 8 IPs listed in the OP as inaccessible (they use the domain name, and a controller selects from the IPs provided). We weren't aware that the marketing site was also unavailable.

In regards to the IP 162.241.158.222, it looks like there was a phish directly on the IP address: https://www.virustotal.com/gui/url/90c3bbad560580a2178af45d654f72d6e33f7171315e21b9969e0f5bf6a8fab3/details

We used to block it, but it's an older block and an inactive phish and has since been removed from our database.

Side note: all the IPs listed in the OP belong to Microsoft. We can't / shouldn't ever be blocking those.
Little information snippet below for your reference:

IP Address: 52.247.175.244 / Network Name: MSFT / Owner Name: Microsoft Corporation
IP Address: 52.247.170.110 / Network Name: MSFT / Owner Name: Microsoft Corporation
IP Address: 52.247.170.82 / Network Name: MSFT / Owner Name: Microsoft Corporation
IP Address: 52.247.170.209 / Network Name: MSFT / Owner Name: Microsoft Corporation
IP Address: 52.247.172.3 / Network Name: MSFT / Owner Name: Microsoft Corporation
IP Address: 13.72.23.59 / Network Name: MSFT / Owner Name: Microsoft Corporation
IP Address: 52.227.155.240 / Network Name: MSFT / Owner Name: Microsoft Corporation
IP Address: 52.227.136.127 / Network Name: MSFT / Owner Name: Microsoft Corporation

Hope this helps. If you have any other domains you need checked, let us know.

Regards
LensLock (Author) Posted November 16, 2020 ID:1421186

@thisisu it seems that the security response to the marketing site breach here was to block *.lenslock.com, which has broken our email system and these other websites. Is this a standard practice in the industry, to blacklist an entire domain and all its sub-domains when a breach is detected? This would be similar to a police department shutting down an entire neighborhood after detecting that a crime was committed in one house. Was the rule automatically generated or manually created?

We're still dealing with this issue and will likely be dealing with it continuously over the next few months as we remediate and protect this marketing site. The good news is that the root issue does appear to be resolved and our customers are slowly updating their definition files. We're still getting calls, though much fewer now.
Staff thisisu Posted November 17, 2020 ID:1421241

3 hours ago, LensLock said: @thisisu it seems that the security response to the marketing site breach here was to block *.lenslock.com, which has broken our email system and these other websites. Is this a standard practice in the industry, to blacklist an entire domain and all its sub-domains when a breach is detected? This would be similar to a police department shutting down an entire neighborhood after detecting that a crime was committed in one house. Was the rule automatically generated or manually created? We're still dealing with this issue and will likely be dealing with it continuously over the next few months as we remediate and protect this marketing site. The good news is that the root issue does appear to be resolved and our customers are slowly updating their definition files. We're still getting calls, though much fewer now.

Hi,

I'm glad to hear that it has helped some. As far as whether or not it's standard, I can't really comment. I don't know what others in the industry do. It's not unusual IMO, since two or more subdomains were compromised. The rule was manually created.

Hope this helps

Regards
LensLock (Author) Posted November 17, 2020 ID:1421253

Hi @thisisu,

We really do appreciate your assistance. Regarding multiple sub-domains being compromised, we were only aware of the one (www.lenslock.com). Could you elaborate on that? I want to make sure I'm not a repeat customer here.

Thank you!
Staff thisisu Posted November 17, 2020 ID:1421263

Sorry, my mistake. I read your OP again and noticed you listed two subdomains of lenslock.com. But it was only the root/parent itself that was compromised: http://lenslock.com/oho/onedrive.html

This is also why I couldn't initially find your domain in our database, because I did search them with the subdomains provided in the OP. And yes, it's standard for us to add a block as *.lenslock.com in case someone tries to access it via the www. prefix.

Hope this clears things up. Sorry about the false alarm on subdomains.

Regards
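The collateral effect discussed in this thread comes down to how a wildcard "parent block" entry such as *.lenslock.com is matched against hostnames. The script below is an added illustration, not Malwarebytes code or anything from the thread; the blocklist contents, the refang helper and the OP's four defanged URLs are constructed inputs, and the matching rule (apex plus every label beneath it) is an assumption about typical wildcard semantics.

```python
"""Added example: why a wildcard parent block knocks out unrelated subdomains.

Shows the difference in scope between a wildcard entry (*.lenslock.com) and
an exact-host entry (www.lenslock.com) when evaluated against the hostnames
the OP reported. Blocklist contents and sample URLs are constructed here.
"""
from urllib.parse import urlsplit

# Constructed: the parent block described by staff in this thread.
WILDCARD_BLOCKLIST = {"*.lenslock.com"}
# Constructed: a narrower alternative covering only the compromised www host.
EXACT_BLOCKLIST = {"www.lenslock.com"}

# The defanged URLs from the OP (constructed copy for this example).
OP_URLS = [
    "hxxp://portal.lenslock.com/",
    "hxxp://lenslock-app-prod.azurewebsites.us/",
    "hxxp://mppd.lenslock.com/",
    "hxxp://lenslock-app-mppd.azurewebsites.us/",
]


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, [.]) back into a parseable one."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


def host_matches(host: str, entry: str) -> bool:
    """Assumed wildcard semantics: '*.x' covers the apex x and any label below it.

    Plain entries match the exact host only. Matching is case-insensitive and
    ignores a trailing dot; 'notlenslock.com' must NOT match '*.lenslock.com'.
    """
    host, entry = host.lower().rstrip("."), entry.lower()
    if entry.startswith("*."):
        parent = entry[2:]
        return host == parent or host.endswith("." + parent)
    return host == entry


def is_blocked(url: str, blocklist=WILDCARD_BLOCKLIST) -> bool:
    host = urlsplit(refang(url)).hostname or ""
    return any(host_matches(host, e) for e in blocklist)


def blocked_hosts(urls=OP_URLS, blocklist=WILDCARD_BLOCKLIST) -> list:
    """Return the hostnames from `urls` that the given blocklist would block."""
    return [urlsplit(refang(u)).hostname for u in urls if is_blocked(u, blocklist)]
```

Running blocked_hosts() with the wildcard list returns the two lenslock.com subdomains from the OP and nothing on azurewebsites.us; with EXACT_BLOCKLIST it returns none of them, which is the scoping trade-off the thread is about.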