False positive on legitimate site is blocking our customers from logging in

Our website’s login page (easycrypto.ai) is blocked by Avast Web Shield as “URL:Phishing”. This is incorrect. This is our website for customers to log in through and is not a phishing site.

We reported this via the Avast false positive form over 12 hours ago now; however, it is still blocked.

https://files.obvi.us/stephen/202104/avast-false-positive.png

VirusTotal reports perfect scores: nothing wrong here!
https://www.virustotal.com/gui/url/bd0aa6784b1eea572dd2252b4b4d48e5037f6fd5586a79904cff2d5ac3f90202/detection

urlscan.io also reports perfect scores: nothing wrong here!
https://urlscan.io/result/846e83da-2cc5-4d11-a316-d1f80f6bad9b/

We have also gone further to confirm that there aren’t any MITM or redirection attacks happening against our customers.

Now we have taken to emailing customers a form letter explaining how to disable their use of Avast software and pinpointing Avast as the problem.

Needless to say, this is also a large financial loss for us to have our site unavailable for an entire day. This loss has been entirely caused by your incorrect classification of our login page. I will need a proper RCA for how this site came to be blocked.

Stephen

Hi Stephen, you should get a reply within 48 hours.

The “page not found” should be taken up with CloudFlare.
This is being blocked → -https://d3uvwl4wtkgzo1.cloudfront.net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js

polonus

See insecure on same IP: -http://mypubid.com/ for instance.

Outdated JavaScript libraries detected.
jquery 3.4.1
medium: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS CVE-2020-11022
medium: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS CVE-2020-11023

reported by retire.js
1 missing-content-security-policy
No Content Security Policy configured for this site.

source: DEVCON info.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Hi Asyn, thanks for your reply.

From which URL do you see that included?

Hi Stephen EasyCrypto,

That is included on -https://easycrypto.ai/auth, which comes up with a Page not found:
I’m sorry, the page you were looking for does not exist.

SRC report: HTML -easycrypto.ai/ 18,345 bytes, 255 nodes

Javascript 5 (external 5, inline 0)
-www.google-analytics.com/analytics.js
48,759 bytes

-d3uvwl4wtkgzo1.cloudfront.net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js
-easycrypto.ai/js/chunk-vendors.9dd1f715.js
-easycrypto.ai/js/app.0f4ad939.js
-static.cloudflareinsights.com/beacon.min.js
CSS 5 (external 4, inline 1)
INLINE: @font-face{font-family:'Axiforma-Black';src:url(/assets/webfonts/Axiforma-Black/
808 bytes INJECTED

-easycrypto.ai/assets/css/ec-2.10.css
INJECTED

-easycrypto.ai/assets/fontawesome/css/all.min.css
INJECTED

-easycrypto.ai/css/chunk-vendors.6c0b1195.css
INJECTED

-easycrypto.ai/css/app.ab40635f.css
INJECTED

We are still waiting for a final verdict from an Avast team member for these apparent FP PHISHING findings
on various CloudFlare driven websites. Yours is one of them.
I PM-ed the Avast threat lab, but probably they will not reply earlier than over the weekend.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)