sys-d
October 13, 2019, 4:32am
1
Hello,
I’m getting URL:Phishing detected by Web Shield for this URL:
https://sso.secureserver.net/?app=email&realm=pass
Immediately after Sign In, URL:Phishing detected by Web Shield with this URL in the log:
https://email17.godaddy.com/webmail.php
Have been using this site on regular basis, but this just started happening yesterday.
Can you please look into this?
thank you
polonus
October 13, 2019, 11:58am
2
Nothing here: https://www.virustotal.com/gui/url/b4058da8f17eda93970c7e0823024877e44c7ee0b827858eb2ef5f10789e4797/detection
google notranslate
google-site-verification t7JT1iH2iscenNr74R-kgXPljL_ru6OPiT9RE8zDk04
viewport width=device-width, initial-scale=1
Nothing on the Akamai end → https://www.virustotal.com/gui/ip-address/23.66.133.249/relations
But consider: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=c3NdLnN7XnV9e3N7fXZ7fS5ue3RgPHxwcD17bXxbbCZ9e3xsbT1wfHNz~enc
Phishlabs detect the redirect: https://www.virustotal.com/gui/url/320c47eea87468b3ce912e60d67aa393a568af9bf15a95f5fa798bbaf8aba145/detection
Wait for an avast team member to give a final verdict on this detection or whether it is an FP.
Re: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=e218W2wxNy5nXSN8IyN5Ll5dbWB3e2JtfFtsLnBocA%3D%3D~enc
It is GoDaddy’s; contact them. Zonemaster domain check alerts:
DNSSEC NOTICE: There are neither DS nor DNSKEY records for the zone.
DNSSEC NOTICE: The zone is not signed with DNSSEC.
ZONE NOTICE: SOA ‘refresh’ value (300) is less than the recommended minimum (14400).
ZONE NOTICE: SOA ‘retry’ value (600) is less than the recommended minimum (3600).
Target (MX=godaddy-com.mail.protection.outlook.com ) found to deliver e-mail for the domain name.
See results: https://en.internet.nl/site/sso.secureserver.net/626511/ & https://en.internet.nl/site/email17.godaddy.com/626512/
Best policies not being implemented:
Your web server supports HTTP compression, which could be a security risk.
Verdict: Your web server does not offer an HSTS policy.
Web server IP address / HSTS policy:
173.201.193.133 (p3plgemwbe17-v05.prod.phx3.secureserver.net): None
polonus
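The post above quotes three findings from Zonemaster and internet.nl for these hosts: no DS or DNSKEY records, SOA refresh/retry timers below the recommended minimums, and no HSTS header. The block below is an added example, not code from this thread, from Zonemaster or from internet.nl: it re-implements those checks over constructed zone records and HTTP response headers so the logic can be run offline. The sample zone (`example.net`, timers 300/600) and sample headers are constructed, and the one-year HSTS max-age threshold is an assumption, not a value stated on the page.

```python
"""Offline versions of the three hygiene checks quoted in the post above
(Zonemaster DNSSEC/SOA notices and internet.nl's HSTS verdict).
All records and headers below are constructed samples, not live lookups."""
import re

# Recommended minimums as quoted from the Zonemaster output in the post.
SOA_MIN_REFRESH = 14400
SOA_MIN_RETRY = 3600
# Assumed threshold for an acceptable HSTS max-age (one year); not from the page.
HSTS_MIN_AGE = 31536000

# Constructed zone apex data modelled on the notices in the post:
# no DS/DNSKEY/RRSIG, and SOA refresh/retry of 300/600.
SAMPLE_ZONE = {
    "SOA": ["ns1.example.net. hostmaster.example.net. 2019101301 300 600 604800 300"],
    "NS": ["ns1.example.net.", "ns2.example.net."],
}
# Constructed HTTP response headers with no Strict-Transport-Security.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Server": "Apache"}


def parse_soa(rdata):
    """Split SOA rdata 'MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM' into a dict."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError(f"malformed SOA rdata: {rdata!r}")
    serial, refresh, retry, expire, minimum = (int(p) for p in parts[2:])
    return {"mname": parts[0], "rname": parts[1], "serial": serial,
            "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}


def soa_notices(rdata):
    """Zonemaster-style ZONE notices for SOA timers below the recommended minimums."""
    soa = parse_soa(rdata)
    notices = []
    if soa["refresh"] < SOA_MIN_REFRESH:
        notices.append("SOA 'refresh' value (%d) is less than the recommended minimum (%d)."
                       % (soa["refresh"], SOA_MIN_REFRESH))
    if soa["retry"] < SOA_MIN_RETRY:
        notices.append("SOA 'retry' value (%d) is less than the recommended minimum (%d)."
                       % (soa["retry"], SOA_MIN_RETRY))
    return notices


def dnssec_notices(rrsets):
    """DNSSEC notices from a dict of record type -> rdata list at the zone apex."""
    notices = []
    if not rrsets.get("DS") and not rrsets.get("DNSKEY"):
        notices.append("There are neither DS nor DNSKEY records for the zone.")
    if not rrsets.get("RRSIG"):
        notices.append("The zone is not signed with DNSSEC.")
    return notices


def hsts_policy(headers):
    """Parse Strict-Transport-Security (case-insensitive header name and directives).
    Returns None when the header is absent or lacks the mandatory max-age directive,
    which is how RFC 6797 tells user agents to treat such a header."""
    value = next((v for n, v in headers.items()
                  if n.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        d = directive.strip()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d, re.IGNORECASE)
        if m:
            policy["max_age"] = int(m.group(1))
        elif d.lower() == "includesubdomains":
            policy["include_subdomains"] = True
        elif d.lower() == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def hsts_verdict(headers):
    """internet.nl-style one-line verdict for the HSTS header."""
    policy = hsts_policy(headers)
    if policy is None:
        return "Your web server does not offer an HSTS policy."
    if policy["max_age"] < HSTS_MIN_AGE:
        return "HSTS max-age (%d) is below the assumed minimum (%d)." % (policy["max_age"], HSTS_MIN_AGE)
    return "HSTS policy OK."


def audit(zone, headers):
    """Run all three checks and return the notices as one list of lines."""
    findings = ["DNSSEC NOTICE: " + n for n in dnssec_notices(zone)]
    findings += ["ZONE NOTICE: " + n for n in soa_notices(zone["SOA"][0])]
    findings.append("HSTS: " + hsts_verdict(headers))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_ZONE, SAMPLE_HEADERS):
        print(line)
```

Running it on the constructed sample reproduces the four Zonemaster notices and the HSTS verdict quoted above. To use it against a real host you would fill `rrsets` from a DNS lookup of the apex (SOA, DNSKEY, DS at the parent, RRSIG) and `headers` from the HTTPS response; note that a header without `max-age` is treated as no policy at all, which is the behaviour browsers apply.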
sys-d
October 13, 2019, 3:31pm
3
Thank you for looking into this, polonus. All good info.
Wait for an avast team member to give a final verdict on this detection or whether it is an FP.
Yes. I would like to hear back from Avast on FP status.
To troubleshoot/fix this from my side will be a challenge.
Let me know if I can provide any additional info or troubleshooting steps.
Pondus
October 13, 2019, 5:29pm
4
sys-d
October 13, 2019, 7:01pm
5
Report a false positive (select file or website)
https://www.avast.com/false-positive-file-form.php
I had reported the following URL a couple of times in the last few days:
https://email17.godaddy.com/webmail.php
I went ahead and resubmitted it and submitted one for:
https://sso.secureserver.net/?app=email&realm=pass