Phishing on ocsps.ssl.com

Hi,
I’ve just had an alert involving the certificate authority ocsps.ssl, but I don’t know what site I was visiting that triggered the alert.
It seems strange to me; what should I think?
On the other hand, while searching on the net, I came across a similar subject with an alert at about the same time as my alert, but with AVG (same engine as avast).
It’s in Turkish, so I’m not sure of my translation.
Here’s the link:
hxxps://www.technopat.net/sosyal/konu/avg-phishing-uyarisi-veriyor.3432586/

Could it be a false positive following the latest VPS update “240919-8”?

Yes, OCSPs dot com has been identified/reported as a site with phishing activity as an abuse. Do not click suspicious mail links and do not share PII (personally identifiable information) with -ocsps dot com.

polonus

Thank you,

Do you have a link to this report as phishing?

The only information I have is that this alert occurred mid-September for several avast/AVG users and was probably a false positive.
From: Reddit
By the way, no one has had this alert since, and nothing from me.

[quote=“chris…, post:1, topic:848117”]
/wXw.technopat.net/sosyal/konu/avg-phishing-uyarisi-veriyor.3432586/
[/quote] Well, the general IP here, 172.67.5.248, is a Cloudflare whitelisted IP address, but that does not mean there could not be abuse on it. So be cautious.

polonus

You already made the mistake here a month ago when you gave me information about the “technopat” site, even though the alert had nothing to do with this site but with “ocsps.ssl”, which is not browsable by the way; it’s just a certificate check native to Windows by the svchost process.
“Technopat” is just the site where an identical alert was reported. There were several others in the days that followed (see my link to Reddit).

The fact that you are repeating the error is certainly due to the fact that our exchanges (in which you acknowledged the error) have been deleted.
They were deleted because they fell within the timing of the transition from the old to the new forum, and we had been warned that all messages posted at the end of September would not be included.

Hi chris,

So that thread fell between Scylla and Charybdis of the forum transition. Was it a certification-related phishing problem? How did you evaluate the problem at hand? Could you find something through VT? Because of the methodology that Avast and AVG share under certain circumstances, these general detections are rather false-positive-prone.

polonus

The way it happened for me and for others:

  • not visiting the same sites

  • an alert not related to certificates but rather related to the module/link built into Windows that checks all the certificates of the sites you visit.

  • an alert for a dozen AVG/Avast users in the space of a day … and nothing since.

… leaves little doubt that this was a false positive, certainly resolved with one of the subsequent VPS updates.

What’s more, this OCSP request may not be enabled in the browser (at least in the case of Firefox), so perhaps only those with it enabled received the alert.
OCSP
Translation of the setting: Ask the OCSP responder to confirm the validity of your certificates.

VT does not alert on this. The site is hosted on Cloudflare, so it has probably also been whitelisted.

But consider the site issue on that site mentioned here: https://sitecheck.sucuri.net/results/https/static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015

Our automated scan found an issue on some pages of your website. There is always a possibility of a hack.
So we can state it could be qualified as “suspicious”.

Consider this from the VT community: e.g. Joe Sandbox Analysis:

Verdict: SUS
Score: 23/100
Domain: -static.cloudflareinsights.com
Host: 104.16.79.73 (for abuse there, see: https://www.abuseipdb.com/check/104.16.79.73).

HTML Report: https://www.joesandbox.com/analysis/1485878/0/html
PDF Report: https://www.joesandbox.com/analysis/1485878/0/pdf
Executive Report: https://www.joesandbox.com/analysis/1485878/0/executive
Incident Report: https://www.joesandbox.com/analysis/1485878/0/irxml
IOCs: https://www.joesandbox.com/analysis/1485878?idtype=analysisid

polonus (volunteer 3rd-party cold reconnaissance website-security analyst and website error-hunter)

I think you’ve misunderstood my explanation.
The alert was not made on the technopat site but on the site linked to the certificates: ocsps.ssl . com (although I was sure I had attached a screenshot :-[, I’ll give it again).
https://www.abuseipdb.com/check/100.24.223.135

Regarding the technopat site, that’s where I saw that the person who posted there had had the same alert as me, and at the same time as me.
Except that the alert occurred with AVG, which has the same engine as Avast.

PS: Of course ocsps.ssl can’t be tested because it’s not really a browsable site but obviously a certificate verification step; that’s what I find strange.
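The two points chris makes above (the alert names ocsps.ssl, which is "not browsable", and the Windows/Firefox certificate check that contacts it) come down to one mechanism: a certificate carries an Authority Information Access (AIA) extension, and the client reads the OCSP responder URL out of it and contacts that host on its own, regardless of which site the user typed in. The script below is an added illustration, not code from this thread or from Avast, SSL.com or Mozilla; it builds a constructed AIA extension in DER (the responder URL mirrors the domain named in the thread, the issuer URL is a placeholder) and then parses it back the way a TLS client would to find where the OCSP query goes. It uses only the Python standard library.

```python
"""Find the OCSP responder named in a certificate's AIA extension.

Added example (not from the thread).  The DER bytes are constructed here,
not taken from any real certificate; no network request is made.
"""

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp (RFC 5280 section 4.2.2.1)
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # GeneralName uniformResourceIdentifier, context tag [6]


def _length(n):
    """DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def encode_oid(oid):
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(TAG_OID, bytes(out))


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Decode one tag-length-value at pos; return (tag, body, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def aia_extension(ocsp_url, issuer_url):
    """Encode AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription."""
    def access(oid, url):
        return der(TAG_SEQUENCE, encode_oid(oid) + der(TAG_URI, url.encode("ascii")))
    return der(TAG_SEQUENCE, access(OID_OCSP, ocsp_url) + access(OID_CA_ISSUERS, issuer_url))


def access_locations(aia_der):
    """Parse the extension back into {access-method OID: URL}."""
    tag, seq, _ = read_tlv(aia_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA extension must be a SEQUENCE")
    found, pos = {}, 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        t_oid, oid_body, p = read_tlv(desc, 0)
        t_loc, loc_body, _ = read_tlv(desc, p)
        if t_oid == TAG_OID and t_loc == TAG_URI:  # only URI-form locations
            found[decode_oid(oid_body)] = loc_body.decode("ascii")
    return found


def ocsp_responder(aia_der):
    """The host a client contacts to check revocation; chosen by the CA,
    not by the site the user visited, so it shows up in traffic on its own."""
    return access_locations(aia_der).get(OID_OCSP)


# Constructed sample: responder mirrors the domain named in the thread,
# issuer URL is a placeholder.
SAMPLE_AIA = aia_extension("http://ocsps.ssl.com", "http://issuer.example/ca.crt")

if __name__ == "__main__":
    print("OCSP responder:", ocsp_responder(SAMPLE_AIA))
```

The same lookup is what `certutil -verify -urlfetch` on Windows or Firefox's "Query OCSP responder servers" setting performs before deciding a certificate is still valid, which is why a web-shield log can show an OCSP host the user never browsed to; when triaging such an alert, the useful check is which certificate (and therefore which CA) named that responder, not the responder's reputation on its own.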

Hi chris…

Good you alerted me to my misinterpretation. What could you do?

  1. Check certs.
  2. When there is a flaw with OCSPS, this could trigger an Avast false positive.
  3. Compare with other alerts.
  4. Check your security settings.
  5. Seek more information from Avast.

pol