
False Positive | oboa.on.ca #1020

Closed
jtjstock opened this issue Jan 14, 2025 · 6 comments · Fixed by Phishing-Database/phishing#666

@jtjstock

What are the subjects of the false-positive (domains, URLs, or IPs)?

  • oboa.on.ca

Why do you believe this is a false-positive?

I believe this is a false-positive because...
This is a Wix website, it doesn't host malware, you have added data from another source who incorrectly flagged this site.

How did you discover this false-positive(s)?

VirusTotal

Where did you find this false-positive if not listed above?

I discovered this false-positive by...

Have you requested a review from other sources?

I have requested a review from...
We have requested a review from ESET.

Do you have a screenshot?

Screenshot

Additional Information or Context

I have also noticed that...

@phishing-database-bot
Member

Verification Required

@jtjstock, thank you for submitting a false positive report! To help us verify your ownership of the affected domain(s), please complete the following steps:

  1. Set a DNS TXT record for the domain(s) listed in this issue with the following details:

    • Record Name: _phishingdb
    • Record Value: antiphish-5fa3ff9769e766b728fe042710849b2cbfe0fe9b

    Your Verification ID: antiphish-5fa3ff9769e766b728fe042710849b2cbfe0fe9b

  2. Wait for DNS propagation (this may take a few minutes to a few hours).

  3. Reply to this issue once the TXT record has been set.

Important Notes

  • Verification does not guarantee whitelisting. The Phishing.Database team will review your report after verifying ownership, but the decision to whitelist depends on further investigation and analysis.
  • If the record cannot be set or you need alternative methods of verification, please contact us at [email protected] - preferably from the domain's official email address.

How to Check the TXT Record?

You can verify that the TXT record is properly set using:

Thank you for your cooperation! We will address your issue as soon as possible after verification.

The Phishing.Database Project Team.
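The check the maintainers perform by hand below (query `_phishingdb.<domain>` for a TXT record and compare it with the issued verification ID) can be automated. The following is an added example, not code from the Phishing.Database project; it parses `dig` output in either the default or `+short` form, and the `query_with_dig` helper and the exact failure messages are assumptions of this example.

```python
import re
import subprocess

RECORD_NAME = "_phishingdb"
ID_PATTERN = re.compile(r"^antiphish-[0-9a-f]{40}$")          # form used by the bot
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')                 # one TXT character-string

def verification_name(domain: str) -> str:
    """Fully qualified owner name of the proof record, e.g. _phishingdb.example.com."""
    return f"{RECORD_NAME}.{domain.strip().lower().rstrip('.')}."

def txt_values(dig_output: str, name: str) -> list[str]:
    """Collect TXT rdata for `name` from dig output (default or +short form).
    Several quoted character-strings in one record are concatenated."""
    values = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # headers, comments, QUESTION section
        if line.startswith('"'):          # +short output: rdata only
            values.append("".join(QUOTED.findall(line)))
            continue
        fields = line.split()             # default form: name ttl class type rdata
        if (len(fields) >= 5 and fields[3] == "TXT"
                and fields[0].lower().rstrip(".") + "." == name):
            values.append("".join(QUOTED.findall(" ".join(fields[4:]))))
    return values

def check_verification(dig_output: str, domain: str, expected_id: str) -> tuple[bool, str]:
    """Decide whether the record proves control of the domain; the string says why not."""
    if not ID_PATTERN.match(expected_id):
        return False, "expected ID is not in antiphish-<40 hex chars> form"
    name = verification_name(domain)
    found = txt_values(dig_output, name)
    if not found:
        return False, "no TXT record at " + name
    if expected_id in found:              # exact match, not substring
        return True, "ok"
    return False, "TXT record present but value does not match"

def query_with_dig(domain: str) -> str:
    """Live lookup (assumed helper); needs the dig binary. Not used by the offline sample."""
    return subprocess.run(["dig", "+short", "TXT", verification_name(domain)],
                          capture_output=True, text=True, check=False).stdout

# Answer section as posted in this issue, reused here as the sample input.
SAMPLE = '''
;; ANSWER SECTION:
_phishingdb.oboa.on.ca. 300     IN      TXT     "antiphish-5fa3ff9769e766b728fe042710849b2cbfe0fe9b"
'''

if __name__ == "__main__":
    print(check_verification(SAMPLE, "oboa.on.ca",
                             "antiphish-5fa3ff9769e766b728fe042710849b2cbfe0fe9b"))
```

Replace `SAMPLE` with `query_with_dig(domain)` for a live check; a stale cached answer will still show the old value until the TTL (300 s above) expires.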

@jtjstock
Author

TXT record has been created and validated with mxtoolbox

@g0d33p3rsec

confirmed

```
dig TXT _phishingdb.oboa.on.ca

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> TXT _phishingdb.oboa.on.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52945
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_phishingdb.oboa.on.ca.                IN      TXT

;; ANSWER SECTION:
_phishingdb.oboa.on.ca. 300     IN      TXT     "antiphish-5fa3ff9769e766b728fe042710849b2cbfe0fe9b"

;; Query time: 89 msec
;; SERVER: 10.255.255.254#53(10.255.255.254) (UDP)
;; WHEN: Tue Jan 14 14:39:04 EST 2025
;; MSG SIZE  rcvd: 114
```

@spirillen
Contributor

TXT record confirmed

```
dig TXT _phishingdb.oboa.on.ca

; <<>> DiG 9.18.30-0ubuntu0.24.04.1-Ubuntu <<>> +nocookie TXT _phishingdb.oboa.on.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9030
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_phishingdb.oboa.on.ca.                IN      TXT

;; ANSWER SECTION:
_phishingdb.oboa.on.ca. 300     IN      TXT     "antiphish-5fa3ff9769e766b728fe042710849b2cbfe0fe9b"
```

Next, the analysis of the domain

@spirillen
Contributor

spirillen commented Jan 14, 2025

```
time sd oboa.on.ca
http://oboa.on.ca/wp-includes/js/codemirror/--/resgate/semprepresente/home/conf-ita.php
http://oboa.on.ca/wp-includes/js/codemirror/--/resgate/semprepresente/home/enter.php

real    0m0,952s
user    0m0,080s
sys     0m0,008s
```

These records are between 1 and 5 years old

Screenshots (three images, not reproduced in the text)

I vote for releasing this domain

@g0d33p3rsec

> This is a Wix website, it doesn't host malware, you have added data from another source who incorrectly flagged this site.

> Next, the analysis of the domain

Working on that now.
http://oboa.on.ca/wp-includes/js/codemirror/--/resgate/semprepresente/home/conf-ita.php
was hosting a lure targeting Banco Itau in 2020 https://urlscan.io/result/6150703f-046c-4931-bcb2-46899840e21f/

Screenshot of urlscan result 6150703f-046c-4931-bcb2-46899840e21f (not reproduced)

by 2023, that URI was being blocked by the WAF https://urlscan.io/result/72f09078-9a0b-449a-9eb5-dc934856006d/

Screenshot of urlscan result 72f09078-9a0b-449a-9eb5-dc934856006d (not reproduced)

it now 404s

Screenshot of the 404 response (not reproduced)

> I vote for releasing this domain

I concur. Do you want to take care of it? I'm running down some unrelated leads.
