Author Topic: False positive site  (Read 361 times)

Offline lto

  • Newbie
  • *
  • Posts: 4
False positive site
« on: January 28, 2019, 07:02:32 PM »
Hello!
This site https://livetrader.online (and http://livetrader.online) is not phishing.
Please remove it from phishing list.

Thank you!

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 556
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
« Last Edit: January 28, 2019, 09:55:25 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline lto

Re: False positive site
« Reply #2 on: January 28, 2019, 11:00:10 PM »
I think it’s time to change the stupid phishing rating system.
8 fake-idiots SPECIALLY added the site to the phishtank to discredit it. And after that, all the "anti-virus" sites began to take information from there and distribute it everywhere.
The administrators of the phishtank do not even move to check the information.
Thus, more than 100 completely legal sites have suffered and you are only aggravating the situation.

UPD:
Where did this come from:
Quote
The site contacts a malicious IP associated with a bot network !!! >>> "181.143.99.26"( TROJAN W32/Emotet CnC Checkin ) >>> https://www.virustotal.com/#/ip-address/181.143.99.26 >>> https://www.virustotal.com/#/url/4e72a6ba3ca45ea845593c86238ac69f4e3c9f0b18d9c52beb044e141f1c1bbf/detection

The site works through CDN Cloudflare and has an absolutely different IP (both Cloudflare and original).
I see you are not too puzzled by checking the information. This is very bad and wrong.
« Last Edit: January 29, 2019, 01:30:34 AM by lto »

Offline pio

Re: False positive site
« Reply #3 on: January 29, 2019, 02:15:21 AM »
Hey again,

1. I assume that you are one of the owners of this ominous site?!
2. I have not been confused at any moment in the analysis! I check all the information I post here!
3. It would not be the first phishing site "hidden" behind Cloudflare! In addition, that has absolutely nothing to do with which other IPs the site otherwise builds connections.
4. I have noticed that in the meantime between your posts here, changes have been made to the behavior of the website. Strangely enough, the site suddenly stops communicating with the IP I mentioned.
5. This fact makes you as a person and this website even more suspect!

I will therefore continue to carefully review this website in the future !!!

Have a nice day !!!

Best Regards!
Pio
« Last Edit: January 29, 2019, 02:32:22 AM by pio »

Offline lto

Re: False positive site
« Reply #4 on: January 29, 2019, 04:11:15 AM »
Hi again.
I repeat once again - the site has been working for more than a year and NEVER changed its IP. Perhaps Cloudflare changes the IP of its servers in Europe, but I did not notice.
I am ready to provide ANY evidence of the purity of the site, including the audit.

And now, just in case, I will explain how it works.
1. Take 10 fake mail accounts (crazzyhackerno1[at]email.com, russianhackr007[at]mail.com, donaldtrumpforewer[at]... etc...)
2. Go to the phishtank.com.
3. Add any site that is not listed there yet.
4. Vote "this is PHISH!" with 6-10 accounts.
5. DONE! No checks, no contact to site administrator, noooo-thi-ng! Site added to phishing list.

What happens next?

After 6-12 hours Avast pulls data from the phishtank base. Checks? No, this is not for us! We will show that this is phishing!
After 24 hours Quttera, Bitdefender, CLEAN MX and more get data ALSO from phishtank database ... Any checking info? What for? We will also show that this is phishing!
Well, virustotal collects all this crap and shows us.

Cool, right?

Offline pio

Re: False positive site
« Reply #5 on: February 07, 2019, 10:44:27 PM »
Hi,

I have been quite busy lately, so I can only now respond to your answer.

1. It would be really good if you didn't show how everything could theoretically have happened, but you also post the corresponding sources.
2. Although the site doesn't do justice to the conventional or technical definition of "phishing," one or more users may complain about the misuse of their data. For this case, Scamming would probably be the appropriate name for such a behaviour.
3. Currently, the named site is classified by 6 different companies as a phishing site or as a malicious site.
4. The conspicuous suspicious connection to a harmful IP was not discussed by you at all.
5. Furthermore, it was very suspicious that after naming this connection, the behavior of the website has suddenly changed.

Based on my scan results with Cuckoo Sandbox, I would like to follow the definition "Malicious". Whether there is also an abusive use of user data on this page, I cannot make reliable statements. See the pics attached!!!

Best Regards!
pio
« Last Edit: February 07, 2019, 11:53:25 PM by pio »

Offline lto

Re: False positive site
« Reply #6 on: February 08, 2019, 12:47:16 AM »
OMG
OK

1. What sources do you need? Add comodo.com to phishing site? OK, let's do it.

2. Read above. I have already said that I am ready for any checks.
3. My site has not been on PhishTank for a week. You can go in and make sure. But virustotal still shows that it is there. The rest do the same.
4-5. Dude, I have no idea what kind of crap you use to detect the IP addresses, but I repeat once again - for all work time, the site has NEVER changed its real IP. NEVER.
If you present proofs in the form of POST / GET requests, it will be immediately clear where the problems are growing from.
« Last Edit: February 08, 2019, 12:52:21 AM by lto »
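
Added example, not written by either poster: the thread turns on the difference between the IP a site is served from (here a CDN edge) and the IPs a browser contacts while loading the page, and on the request-level proof asked for in the last reply. The sketch below assumes a sandbox capture exported as flow records; the record layout, the `.example` hosts and the documentation-range IPs are all constructed.

```python
from collections import namedtuple

# Hypothetical record layout for one captured HTTP request.
Flow = namedtuple("Flow", "ip host method url initiator")

# Constructed sample capture (not data from the thread).
FLOWS = [
    Flow("203.0.113.10", "site.example", "GET",
         "https://site.example/", None),
    Flow("203.0.113.10", "site.example", "GET",
         "https://site.example/js/app.js", "https://site.example/"),
    Flow("192.0.2.44", "widgets.example", "GET",
         "https://widgets.example/w.js", "https://site.example/js/app.js"),
    Flow("198.51.100.26", "198.51.100.26", "POST",
         "http://198.51.100.26/checkin", "https://widgets.example/w.js"),
]
SITE_IPS = {"203.0.113.10"}    # what the analysed hostname resolves to (CDN edge)
WATCHLIST = {"198.51.100.26"}  # IPs flagged by a reputation feed (constructed)


def initiator_chain(flow, flows):
    """Walk initiator links back to the first page load, oldest first."""
    by_url = {f.url: f for f in flows}
    chain, seen, cur = [flow.url], {flow.url}, flow
    # Stop on a missing initiator or a loop in the capture.
    while cur.initiator in by_url and cur.initiator not in seen:
        cur = by_url[cur.initiator]
        chain.append(cur.url)
        seen.add(cur.url)
    return chain[::-1]


def evidence(flows, site_ips, watchlist):
    """One entry per request to a watchlisted IP, with its load chain."""
    return [
        {
            "request": f"{f.method} {f.url}",
            "remote_ip": f.ip,
            "is_hosting_ip": f.ip in site_ips,
            "chain": initiator_chain(f, flows),
        }
        for f in flows
        if f.ip in watchlist
    ]


if __name__ == "__main__":
    for hit in evidence(FLOWS, SITE_IPS, WATCHLIST):
        print(hit["request"], "via", " -> ".join(hit["chain"]))
```

A hit with `is_hosting_ip` false and a chain that passes through a third-party script points at embedded content rather than at the server's own address, which is the distinction the two posters are arguing past.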

 
