False Positive on our site


Hi Malwarebytes,

I believe there is a false positive on the site Focusmate.com.

I ran it through https://www.virustotal.com/gui/domain/focusmate.com/detection and see that Comodo Valkyrie Verdict labels it as a Phishing risk.

I then went to https://verdict.valkyrie.comodo.com/url/domain/result?domain=focusmate.com and generated a report, but I don't know how to interpret it.

I believe the relevant section is:

Reputation History Lookup

Date: 2022-05-12 15:32:36
Intelligence Type: Phishing Email Sender
Intelligence Details: List of email addresses on that domain that send only phishing emails
Reputation Score: 100

Is this potentially a false positive?

If not, how can Focusmate clean up their reputation in Valkyrie Verdict so that this issue is resolved and their domain gets a clean pass from all Virus Total databases?

Thank you!

Best,

Harry

  • Root Admin

On your own site I'm not seeing an issue, aside from possibly needing some updates for your email to make it a bit safer.

Focusmate.com is on a different IP


Address lookup
canonical name     focusmate.com.
aliases     
addresses     
108.156.211.95
108.156.211.69
108.156.211.113
108.156.211.128

The link you show was focusmate.nyc3.digitaloceanspaces.com, which is a sub-domain of digitaloceanspaces.com. Did you rent or host with digitaloceanspaces.com perhaps?

That returns a 403 error on VirusTotal, which means it cannot actively scan it.

https://www.virustotal.com/gui/url/f307214421e9886082309ca96b2b04cc1d16d66d666452c9dc5f984c88cc6392?nocache=1

Not sure what your company's connection is to digitaloceanspaces.com, but they are the ones that have an IP with a known threat, and that is why the block.

digitaloceanspaces.com is also on a different IP

Address lookup
canonical name     digitaloceanspaces.com.
aliases     
addresses     
172.67.150.24
104.21.29.252

The IP being blocked comes from this IP

Address lookup
canonical name     nyc3.digitaloceanspaces.com.
aliases
addresses     162.243.189.2

If you go to that IP address even Firefox alerts and warns you.

Just me grabbing the screenshot from SnagIt causes Malwarebytes to block as well, due to that IP address 162.243.189.2, which is not focusmate.com.


@AdvancedSetup thanks for your help.

So just to clarify and add context:

focusmate.com isn't my website. It's a tool that I recommend to my clients.

One of my clients uses Malwarebytes on their computer. When they went to focusmate.com they got an alert from you all about a phishing risk.

They are now not comfortable using focusmate.com because they feel it exposes them to a phishing risk.

===

6 minutes ago, AdvancedSetup said:

The link you show was focusmate.nyc3.digitaloceanspaces.com, which is a sub-domain of digitaloceanspaces.com. Did you rent or host with digitaloceanspaces.com perhaps?

Digital Ocean is a cloud provider. I looked at the network traffic on focusmate.com and they use it to host images on their site.

8 minutes ago, AdvancedSetup said:

That returns a 403 error on VirusTotal, which means it cannot actively scan it.

https://www.virustotal.com/gui/url/f307214421e9886082309ca96b2b04cc1d16d66d666452c9dc5f984c88cc6392?nocache=1

Not sure what your company's connection is to digitaloceanspaces.com, but they are the ones that have an IP with a known threat, and that is why the block.

When I click on the virustotal.com link you have there, it doesn't return 403. Instead, the link works and all the security tests pass.

Given that http://focusmate.nyc3.digitaloceanspaces.com/ passes VirusTotal, what can we do to get it removed from the block list as a phishing risk?


@AdvancedSetup I'm reading the VirusTotal report more closely and I now see the 403 status code, understood.

Nevertheless, I'm wondering if there is anything we can do on Malwarebytes' end to get the block removed for http://focusmate.nyc3.digitaloceanspaces.com/?

Thanks,

Harry


  • Root Admin

No, we cannot and will not unblock this, as multiple companies are blocking it, including Mozilla Firefox.

https://162.243.189.2/iamgeelovinhous/office.html

https://www.virustotal.com/gui/url/caea9c714a0c85dbbb7495008bbc1cf3aea765af1402931f38cf362227328da5

focusmate.nyc3.digitaloceanspaces.com

Why does it go there? That is not focusmate.com

Please ask the user to provide the actual log showing the block.

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location:

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged.

If you click on the View option you should get something similar to the following, with other options available.

  • Root Admin

So, your domain is one of about a hundred plus domains that are hosted on the same IP.

Address lookup
canonical name     server-99-86-7-16.fra6.r.cloudfront.net.
aliases
addresses     99.86.7.16

There are three domains on the 162.243.189.2 IP

ianscomics.com
ihack.software
lucasbussey.com

So, again, I'm not sure why or how your domain is set up to use focus.nyc3.digitaloceanspaces.com, which is why I've asked to see the actual logs from the block.

@AdvancedSetup 

30 minutes ago, AdvancedSetup said:
focusmate.nyc3.digitaloceanspaces.com

Why does it go there? That is not focusmate.com

Once focusmate.com loads the page, it initiates AJAX requests to `focusmate.nyc3.digitaloceanspaces.com`. Looks like they use it as a CDN for image hosting. Please see the attached network tab screenshot from their site.

30 minutes ago, Porthos said:

What I see from an observer's perspective is digitaloceanspaces.com is being blocked at the moment. Seems they have some issues to correct before the IP ban is lifted.

@Porthos gotcha I see. So it sounds like focusmate.com would need to either adjust their image hosting CDN at Digital Ocean to use different servers with different IP addresses or they would need to move off Digital Ocean entirely. Is all of Digital Ocean blocked by Malwarebytes or just the one IP address?

@AdvancedSetup is there any way that my client who uses Malwarebytes can manually whitelist `focusmate.nyc3.digitaloceanspaces.com` as safe? Hypothetically, if they wanted to?


@AdvancedSetup ok thanks again for all your help. I'm asking for the log now.

While we wait on the log, I'll restate that focusmate.com is making AJAX requests from my client's browser once the page loads to `focusmate.nyc3.digitaloceanspaces.com`.

I believe it is these AJAX requests that are associating focusmate.com with 162.243.189.2 and therefore causing the phishing block in your system.

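To work out which page dependency is dragging a site onto a blocked IP, as the thread describes for the AJAX requests to the DigitalOcean Spaces host, here is an added Python example (not from the thread, and not Malwarebytes' own tooling). The resource URLs, the resolver table and the blocklist are constructed stand-ins for a browser network tab, live DNS answers and a vendor's block reason; only the IPs quoted in the thread are real.

```python
from urllib.parse import urlparse

# Constructed sample: resource URLs as a browser network tab would list them
# when the page loads (not a real capture).
PAGE_RESOURCES = [
    "https://focusmate.com/",
    "https://focusmate.com/static/app.js",
    "https://focusmate.nyc3.digitaloceanspaces.com/images/hero.png",
    "https://cdn.example-analytics.net/tag.js",
]
# Constructed resolver table standing in for live DNS; the two thread hosts' IPs are those quoted there.
RESOLVER = {
    "focusmate.com": ["108.156.211.95", "108.156.211.69"],
    "focusmate.nyc3.digitaloceanspaces.com": ["162.243.189.2"],
    "cdn.example-analytics.net": ["203.0.113.10"],  # constructed (RFC 5737 range)
}
# Constructed blocklist: IP -> reason. Only the IP the thread says is blocked.
BLOCKED_IPS = {"162.243.189.2": "shares hosting with reported phishing content"}

def resource_hosts(urls):
    """Distinct hostnames the page contacts, in first-seen order."""
    hosts = []
    for url in urls:
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def is_first_party(host, site):
    """True for the site itself and its own subdomains only."""
    return host == site or host.endswith("." + site)

def triage(site, urls, resolver, blocked):
    """Hosts resolving to a blocked IP -> details, to show which dependency causes the block."""
    findings = {}
    for host in resource_hosts(urls):
        hits = [ip for ip in resolver.get(host, []) if ip in blocked]
        if hits:
            findings[host] = {
                "first_party": is_first_party(host, site),
                "blocked_ips": hits,
                "reasons": sorted({blocked[ip] for ip in hits}),
                "urls": [u for u in urls if urlparse(u).hostname == host],
            }
    return findings

if __name__ == "__main__":
    for host, f in triage("focusmate.com", PAGE_RESOURCES, RESOLVER, BLOCKED_IPS).items():
        kind = "first-party" if f["first_party"] else "third-party"
        print(f"{host} ({kind}) -> {', '.join(f['blocked_ips'])}: {'; '.join(f['reasons'])}")
```

With the constructed data, only the third-party Spaces host is reported, which is the distinction the thread turns on: the site's own domain resolves cleanly, and the block attaches to a dependency it can move or replace.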

  • Root Admin

Yes, I believe you're right, but I would need to scan and check the code further, because nyc3 alone shows different websites that don't appear to be part of the CDN.

I just don't have time to actually dig in and do a full analysis of why, or how, the link is going there. Basically though, if you can get digitaloceanspaces.com to remove this content below, then we will remove our block, and others probably would too.

https://162.243.189.2/iamgeelovinhous/office.html
