Website added to phishing database for unknown reason

Hi there!

I’ve recently noted that our website hXXps://www.packages24.com/ is in Avast’s phishing database and is blocked by Avast’s Chrome Extension. Obviously, we don’t do anything like that; we don’t do anything that may hurt our long-term business interest. On the contrary, we constantly develop the project to provide our customers with the best possible service.

Virustotal scan shows no threats at all: https://www.virustotal.com/gui/url/c1de563fb5a91194f7d398e6d00cc6795b72814f9f39caf458ba95f48f84507a

We’ve filed a false-positive report form here: https://www.avast.com/false-positive-file-form.php but there has been no answer for 4 days now.

What should we do? If this is a technical issue of some sort, we are willing to comply and rewrite/remove any code that triggers this reaction, or vice versa, add something that is missing. The issue is we don’t even know what to do exactly, because, once again, we’ve never intentionally done anything that may be considered phishing. And if this is just a random false positive, how do we get a reply from support?

Please ‘modify’ your post and change the URL from https to hXXps and/or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

That said I get no Avast alert on connecting to packages24.com, so it looks like the detection has been removed.
Or, call me suspicious (you’re suspicious), could this be site promotion, aka link spamming? Something that is taken seriously in the forums.

Thank you for your reply and sorry about the direct link, had no intention of promotion. Edited the start post.

Could you please tell me, do you only have Avast itself installed, or the Chrome Extension as well? I’m still getting blocked by the Chrome Extension.

Whenever I try to open the website, it shows a screen saying: “This website has been marked as a phishing site”.

I have Avast Antivirus installed - I don’t use Chrome nor the Avast Online Security browser (ASB) add-on. This isn’t the Avast Antivirus program, which is probably why I didn’t get an alert and why there hasn’t been a response by the Avast Labs (as it isn’t detected by Avast).

This is more complex, as only users of the ASB add-on can vote on the sites that they visit, and this is not directly controlled by Avast.

A screenshot of the screen might help or confirm what is doing the detection/warning.

Vulnerabilities with jQuery:

bootstrap 3.3.7 Found in -https://www.packages24.com/assets/js/bootstrap.min.js
Vulnerability info:
Medium 28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331
Medium 20184 XSS in data-target property of scrollspy CVE-2018-14041
Medium 20184 XSS in collapse data-parent attribute CVE-2018-14040
Medium 20184 XSS in data-container property of tooltip CVE-2018-14042
jquery 3.3.1.min Found in -https://www.packages24.com/assets/js/jquery-3.3.1.min.js
Vulnerability info:
Medium CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution
Medium CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Medium CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

Site is crawlable and indexable by bots, not cloaking, no spammy links.

Detection may be because of tracking by -mc.yandex.ru
N.B.

Important Note: 77.88.21.119 is an IP address from within our whitelist. Whitelisted netblocks are typically owned by trusted entities, such as Google or Microsoft who may use them for search engine spiders. However, these same entities sometimes also provide cloud servers and mail services which are easily abused. Pay special attention when trusting or distrusting these IPs.

So wait for a final verdict from the Avast team, as they are the only ones to decide to unblock and give the actual status to that detection.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Thank you for your replies.

Attaching a screenshot of what is happening.

Indeed, no cloaking or spamming is present on the website in any way.

Tracking by yandex.ru is just Yandex.Metrika - a well-known statistics service, analogous to Google Analytics (both are present at the website to collect the most precise data possible).

So there’s nothing that can be done except waiting for the reply for the request at the false-positive form? Does anyone know what is the average time of them replying? Because it’s been almost 5 full days now since the request has been submitted.

Nothing much I/we can do on the forum, only the guys from threat lab can unblock it.

Considering this is an Avast Online Security browser add-on, I’m not even sure that the Labs Team would do anything as it isn’t an Antivirus Alert ???

Hi Dave, they can reset the database for a site (if needed), but that won’t prevent future downvoting.

Thanks, I’m also thinking that it would take quite a lot of votes (over a period) for that state to be applied/recorded. I was also surprised: why, when the AOS add-on is flagging it, is the Antivirus not? If it isn’t, why then would the AOS add-on be allowed to flag it?

I used the AOS add-on when it first came out but have since stopped using it; I didn’t like the check-marks (graffiti), etc., all over the search results.

Just as a side note, you can meanwhile disable that in AOS settings.

Thank you all for your replies.

So this can be (and I’m starting to think it probably is) a result of just users of the Extension downvoting the website? Well, there is a huge opportunity to easily abuse it then.

Indeed, David, as you say, a small number of votes probably wouldn’t trigger it, but we all know how it’s done: just get some proxies and write a piece of code to automate it, and that’s it. And I know for sure that there is some dirty competition going on in our niche, so this now looks to me like a very probable cause of this.

It’s impossible to prove it without access to any data, but if this is indeed the case, it’s very sad that Avast leaves this huge window for abuse wide open.

Meanwhile, tomorrow it will be exactly one week since the FP request, and there’s still no answer.

You’re welcome.

I know it is possible to bump totals using proxies, etc.

As I mentioned, reporting a possible false positive for a web site may, in this case, not draw a response, as they would probably be looking at AV Alerts.

Although Asyn mentioned that the Labs team could zero the count for that, you would need to have made it clear that this relates to the Avast Online Security browser add-on (not to an Avast antivirus alert). So I would suggest you resubmit this making it clear it relates to the Avast Online Security browser add-on, as Avast antivirus doesn’t Alert. It might not hurt to give a link back to this topic.