
Showing posts with label Phishtank. Show all posts

Monday 24 June 2013

www.public-trust.com false positive at Phishtank

public-trust.com houses Certificate Revocation Lists (CRLs) and is controlled by Verizon. It probably houses other certificate infrastructure too, but at the moment several web filtering systems are detecting it as a phishing site due to a false positive at Phishtank.

Some example URLs (which are perfectly safe) include:
http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl
http://cdp1.public-trust.com/CRL/Omniroot2025.crl

The problem with the website at www.public-trust.com is that it forwards to www.verizonenterprise.com (a perfectly legitimate Verizon site), and this does make it look a bit like a phishing site. This is the source of the false positive at Phishtank.

At least one person seems to have spotted that it wasn't a phish, but it's quite an easy mistake to make because the screenshot of a Verizon site combined with the very non-obvious domain name makes it look extremely phishy.

For the record, these are the WHOIS registrant details:

Verizon Business Global LLC
Verizon Business Global LLC
One Verizon Way
Basking Ridge NJ 07920
US
domainlegalcontact@verizon.com +1.7033513164 Fax: +1.7033513669

The domain was created in 2002 (most phishing sites don't even last a few weeks) and is hosted on 64.18.30.10 (Verizon Business Global, LLC). At the moment the false positive is in Phishtank, AVGThreatLabs, SURBL and MyWOT blacklists plus anything downstream that uses that data.

Tuesday 26 July 2011

Phishtank FAIL: paypal.de

paypal.de is pretty obviously a legitimate PayPal domain, registered to eBay and hosted on 66.211.168.83 in eBay's address space. However, Phishtank thinks that it is a phish.. well, OK, false positives happen.. but the problem here is that it has been manually verified as a phish which really does show a weakness in the Phishtank verification system. It's not the first time it has happened.



So, if you are in Germany and find that paypal.de is blocked, then this is the reason why.

Monday 14 June 2010

Phishtank FAIL: hsbcnet.com / hsbc.net

hsbcnet.com is a valid and legitimate website belonging to HSBC. Traffic is redirected to this site from hsbc.net. The site itself is hosted on AS26381 63.111.163.110 which is delegated to an HSBC subsidiary called Household International from Verizon. The hsbcnet.com domain was registered in 1998 to a registrant with an hsbc.com web address:

Registrant:
HSBC
   One HSBC Center
   Floor 21 - HTS eBusiness
   Buffalo, NY 14203
   US

   Domain Name: HSBCNET.COM

   Administrative Contact, Technical Contact:
      Fischer, Chuck  charles.fischer -at- us.hsbc.com
      HSBC Bank USA
      One HSBC Bank
      eBusiness, 21st Floor
      Buffalo,, NY 14203
      US
      (716) 841-2075 fax: (716) 841-5022


   Record expires on 04-Dec-2010.
   Record created on 04-Dec-1998.
   Database last updated on 14-Jun-2010 04:41:11 EDT.

   Domain servers in listed order:

   NS3.HSBC.COM                
   NS4.HSBC.COM       
         

It's clearly not a phishing site, and yet Phishtank say that it is.


Now, Phishtank does just allow any old user to mark a site as phishing. In this case, the site was submitted by a user called dvk01 and then verified by SEVEN other people as a phish (stuartgrant, knack, NotBuyingIt, cybercrime, marcoadfox, Aminof, theGeezer), although some people have said that it isn't. As a result of this faulty groupthink, 71% of reports say that this legitimate site is a phish.

This false positive has now filtered down to OpenDNS and a number of other blocking services (e.g. Sophos) that are now erroneously blocking access to HSBC.

Don't get me wrong, Phishtank and other similar services can be very useful. But in this case it shows that Phishtank's verification process really doesn't work.. as any actual examination of the web site in question would surely identify it as legitimate.
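
The kind of examination described above can be partly automated before a reported URL is pushed to a blocklist. The following is an added example, not code from this blog or from Phishtank: it parses the legacy WHOIS layout quoted in the post and collects the signals the post relies on (registration age, name servers and contact address under the brand's own domain). The function names, the 365-day age threshold, the `brand` parameter and the use of the post's date as the report date are assumptions.

```python
import re
from datetime import date

# WHOIS text quoted in the post above (legacy layout), trimmed to the fields used.
SAMPLE_WHOIS = """\
   Domain Name: HSBCNET.COM

   Administrative Contact, Technical Contact:
      Fischer, Chuck  charles.fischer -at- us.hsbc.com

   Record expires on 04-Dec-2010.
   Record created on 04-Dec-1998.

   Domain servers in listed order:

   NS3.HSBC.COM
   NS4.HSBC.COM
"""
MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
HOST = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"

def parse_whois(text):
    """Pull creation date, contact e-mail domains and name servers from the record."""
    m = re.search(r"Record created on (\d{2})-([A-Za-z]{3})-(\d{4})", text)
    created = date(int(m[3]), MONTHS.index(m[2].lower()) + 1, int(m[1])) if m else None
    # This record obfuscates addresses as "user -at- domain"; plain "@" is accepted too.
    contacts = [d.lower() for d in re.findall(r"\S+(?:\s+-at-\s+|@)(" + HOST + ")", text)]
    tail = text.partition("Domain servers in listed order:")[2]
    servers = [h.lower() for h in re.findall(r"^[ \t]*(" + HOST + r")[ \t]*$", tail, re.M)]
    return {"created": created, "contacts": contacts, "nameservers": servers}

def under(host, brand):
    """True if host is the brand domain or a subdomain of it (label-aligned match)."""
    return host == brand or host.endswith("." + brand)

def legitimacy_evidence(rec, brand, reported_on, min_age_days=365):
    """Signals that a phishing report needs human re-examination before blocking.
    They are not proof: old, brand-owned sites can still be compromised."""
    found = []
    if rec["created"] and (reported_on - rec["created"]).days >= min_age_days:
        found.append("old_registration")
    if rec["nameservers"] and all(under(n, brand) for n in rec["nameservers"]):
        found.append("brand_nameservers")
    if rec["contacts"] and all(under(c, brand) for c in rec["contacts"]):
        found.append("brand_contact")
    return found

if __name__ == "__main__":
    print(legitimacy_evidence(parse_whois(SAMPLE_WHOIS), "hsbc.com", date(2010, 6, 14)))
```

WHOIS contact data is self-asserted, so these signals are a reason to hold a listing for manual review rather than grounds for automatic whitelisting.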