polonus
2
Hi Be Secure,
If this has to do with banking and banking threat, the first and second address will have to go here: https://forum.avast.com/index.php?topic=83592.0 as Avast Team Member, Vlk, particularly asked users to list their online banking sites in that thread to better protect against such threats.
The first PHISH you mention has been a threat for over a year and is being flagged by Google Safebrowsing (so users of Google Chrome and Firefox are already protected if they aren’t that stupid to click through), Bitdefender TrafficLight, PhishTank and others.
The second live threat has been reported on VirusWatch MX → http://support.clean-mx.com/clean-mx/phishing.php?domain=capitalf-bnk.co.uk&sort=id%20DESC (is alive and PHISHing!). Should be reported also to WOT, and I have just done so under my alter ego, luntrus.
The other one is a PHISH all right, but not related to a banking site → http://support.clean-mx.com/clean-mx/phishing.php?domain=abnehmen-wundermittel.com&sort=id%20DESC The query there is on 52.28.153.73, a notorious IP in that respect, see: http://permalink.gmane.org/gmane.comp.security.phishings/68186 The one you mentioned is blocked for me by Bitdefender TrafficLight in the Google Chrome browser.
polonus
polonus
3
Now some of those given by GMane are not flagged by AOS and others as well, for instance -polypouch.co.uk (not banking related!).
The Netcraft Website Risk Status (9 red out of 10) is quite clear: http://toolbar.netcraft.com/site_report?url=http://209.61.231.58 This site is PHISHing via leadforensics dot com → http://www.domxssscanner.com/scan?url=http%3A%2F%2Fpolypouch.co.uk See bad web rep: https://www.mywot.com/en/scorecard/leadforensics.com?utm_source=addon&utm_content=rw-viewsc
Alive and now one hour old, so you see such abuse can be short-termed or 209.61.231.58
Tracking info goes insecure to At least 8 third parties know you are on this webpage.
-www.google.com
-www.google-analytics.com Google
-www.saas-eue-1.com redirecting to -leadforensics.com
-www.polypouch.co.uk
-polypouch.co.uk
-x.translateth.is (translating button) info via Tracker SSL extension in Google Chrome.
polonus (volunteer website security analyst and website error-hunter)
Hello.
https://zonasegura1.bn.com.pe/BNWeb/Inicio It will not be blocked
Virus lab has now classified these websites.
https://zonasegura1.bn.com.pe/BNWeb/Inicio
appears to be on the bn.com.pe domain, so they believe this website to be correct.
capitalf-bnk.co.uk/ has now been blocked
abnehmen-wundermittel.com/ has now been blocked