hagezi / dns-blocklists

DNS-Blocklists: For a better internet - keep the internet clean!
GNU General Public License v3.0

withsecurify.com #3163

Closed hagezi closed 2 months ago

hagezi commented 2 months ago

Which AdBlocker/DNS cloud service do you use?

AdGuard DNS

Other

No response

ControlD users

NextDNS users

With which block list(s) does the problem occur?

Threat Intelligence Feeds

Which domain(s) should be unblocked?

withsecurify.com

Why should the domain(s) be unblocked?

Via Mail from info at mysecurify.com:

In the past few days, we’ve been receiving numerous complaints from our users that their extensions aren’t working properly.

We’re contacting you as it has been caused by the recent classification of our domain as "malware, adware, and PUPs" on the uBlock Origin lists.

Specifically these two pull requests listing “withsecurify.com”:

https://github.com/hagezi/dns-blocklists/issues/3073
https://github.com/uBlockOrigin/uAssets/issues/24390

“withsecurify.com” is one of our production domains and is not used for ads, PUP, malware, or adware. It’s used by our extensions, mainly for API and search endpoints.

Blocking this domain breaks the user's basic browser experience and some cannot even use the Chrome omnibox properly.

Examples of broken endpoints:

“https://search.withsecurify.com/?dwfy&yh&swmi&q=Hello%20World” (all it does is redirect to the user's favorite search engine)
“https://ext.withsecurify.com/api/ext/suggest?swmi&q=hello” (our search suggestion endpoint that provides users with suggested search keywords)

In light of the above, we kindly request an urgent review of our domain’s classification on the uBlock Origin badware list. We’ll be happy to provide any additional information or clarification needed to facilitate this review.

ping @JobcenterTycoon @shadowwhisperer

Privacy

hagezi commented 2 months ago

Secure DNS:
 - 360Secure       OK
 - AliDNS          OK
 - CFIEC           OK
 - CleanBrowsing   OK
 - Cloudflare      OK
 - ComodoSecure    OK
 - CONTROLD.TIF    BLOCKED
 - DNS0.eu         OK
 - DNS0.eu.ZERO    OK
 - DNSWatchGO      OK
 - HaGeZi.TIF      BLOCKED
 - Neustar         OK
 - NextDNS.TIF_AI  OK
 - NortonCS        OK
 - NRD.DGA.IDN     OK
 - Quad9           OK
 - SafeDNS         OK
 - UltraDNS        OK
 - Umbrella        OK
 - YandexSafe      OK
Intels:
 - Google          https://transparencyreport.google.com/safe-browsing/search?url=withsecurify.com
 - VirusTotal      https://www.virustotal.com/en/domain/withsecurify.com/information/
 - AlienVault      https://otx.alienvault.com/indicator/domain/withsecurify.com
 - Bitdefender     https://trafficlight.bitdefender.com/info/?url=https%3A%2F%2Fwithsecurify.com
 - FortiGuard      https://www.fortiguard.com/webfilter?q=withsecurify.com&type=&engine=1
 - Kaspersky       https://opentip.kaspersky.com/withsecurify.com?tab=web
 - McAfee          https://siteadvisor.com/sitereport.html?url=withsecurify.com
 - Norton          https://safeweb.norton.com/report/show?url=withsecurify.com
 - OpenDNS         https://domain.opendns.com/withsecurify.com
 - URLVoid         https://www.urlvoid.com/scan/withsecurify.com/
 - Yandex          https://yandex.com/safety/?l10n=en&url=withsecurify.com
 - ThreatMiner     https://www.threatminer.org/domain.php?q=withsecurify.com

ShadowWhisperer commented 2 months ago

It's a search engine hijacker. Reviews on the site are fake. Claims to add security without proof.

Domains seen, back when I added it.

ext.withsecurify.com
search5.withsecurify.com
search.withsecurify.com

Real reviews: https://chromewebstore.google.com/detail/securify-your-browser/eobcealmgdjeoheieiobkedbgddicaba/reviews


Additional

https://www.hybrid-analysis.com/sample/d57bcb554037fc17b59f58deb7645b584a7cfb71dad58e87ccd8a27689a972fd?environmentId=100

https://malwaretips.com/blogs/remove-securify-search/

https://www.2-spyware.com/remove-search-mysecurify-com.html

hagezi commented 2 months ago

Thanks Sean @ShadowWhisperer

iam-py-test commented 2 months ago

Blocklisted, thanks. I guess the Streisand effect is real.

JobcenterTycoon commented 2 months ago

Re-added to badware.

withsecurify.com
securifyguard.com
getsecurify.com

hagezi commented 2 months ago

@JobcenterTycoon @ShadowWhisperer @iam-py-test

Answer from info at mysecurify.com:

Hello again,

Thank you for your prompt response to our appeal. We want to clarify some misunderstandings and provide additional context regarding the points mentioned.

To kick this off we’d like to focus on the fact that blocking our endpoints will result in product breakdown and will cause an inability to use browser features. This causes major confusion for our users because it's like blocking their NewTab page.

As an official Chrome Store extension, we rigorously follow all Google policies and guidelines for extension development and distribution. Our extension does not hijack anything, the search engine is changed using the official Chrome API and users must specifically accept this change when prompted several times during the installation process.

We strongly deny the allegation of fake reviews. We have never engaged in any practices to generate fake reviews. The reviews on the Chrome Web Store are from genuine users. We continuously monitor and respond to user feedback to improve our extension.

Regarding the additional links provided. There are always false positives with AVs and other security software. We continually contact such services and ask them for a re-review, as you can see from VirusTotal, our status is clean.

Some of the articles mentioned there are peddling security software and posting blatant lies. You can even see content on the pages that isn’t even related to our products (see screenshots of other products for example) - it’s a standard template they use to earn money through affiliate marketing.

We understand the importance of maintaining a secure browsing environment for users. We are committed to transparency and cooperation. We request you review the domains mentioned and see there are no malware or security risks on there, nor have there ever been.

We look forward to resolving this matter promptly.

Best regards, Team Securify

iam-py-test commented 2 months ago

The Apple discussions thread in https://github.com/hagezi/dns-blocklists/issues/3163#issuecomment-2229056638 is not "peddling security software and posting blatant lies". In my opinion, nothing they say disproves the allegations against their company. I also can speak from experience as to the maliciousness of this software: https://github.com/iam-py-test/my_filters_001/blob/f71199a6192747467f3020d1dfa4f1a802bf4280/antimalware.txt#L14451 (I guess past me was corrupt and lied)

hagezi commented 2 months ago

Yes, it's a search engine hijacker.

I have asked them to continue the discussion here and not by e-mail, so that everyone can read along and react.

Currently blocked by:

Blocklists:
 - 1Hosts.Lite     OK
 - 1Hosts.Mini     OK
 - 1Hosts.Pro      BLOCKED
 - AdGuardDNS      OK
 - CONTROLD.AT     BLOCKED
 - DevDansHosts    OK
 - EasyList        OK
 - GoodbyeAds      OK
 - HaGeZi.LIGHT    BLOCKED
 - HaGeZi.NORMAL   BLOCKED
 - HaGeZi.PRO      BLOCKED
 - HaGeZi.PRO.PLUS BLOCKED
 - HaGeZi.TIF      BLOCKED
 - HaGeZi.ULTIMATE BLOCKED
 - hBlock          BLOCKED
 - NextDNS.AT      OK
 - OISD.Big        BLOCKED
 - OISD.Small      OK
 - QuidsUp.NOTRACK OK
 - StevenBlack     OK

Top 1M/10M lists:

Top 1M:
 - Umbrella:       YES
 - Cloudflare:     YES
 - Tranco:         YES
 - Majestic:       NO
 - BuiltWith:      NO
 - Chrome:         NO

Top 10M:
 - DOMCOP:         NO

ping @bongochong @sjhgvr to join the conversation, also blocked in your list.

sjhgvr commented 2 months ago

Reason for being in oisd: found in https://filters.adavoid.org/ultimate-security-filter.txt

Personally I don't have anything valuable to add to this subject.

JobcenterTycoon commented 2 months ago

https://filters.adavoid.org/ultimate-security-filter.txt is just the uBO badware list?

sjhgvr commented 2 months ago

> https://filters.adavoid.org/ultimate-security-filter.txt is just the uBO badware list?

https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/badware.txt

bongochong commented 2 months ago

@hagezi Thank you for pinging me. This will make for a fun read when I'm decompressing from the day later on.

@JobcenterTycoon @sjhgvr I have been pulling in entries from both of the aforementioned lists for a long time, which make their way into different compiled lists I maintain. I never thought to compare the two before, but after stripping away some ABP syntax, followed by a quick sort & diff, it appears that Ultimate Security contains the bulk of uBO's Badware list. There are currently 3219 identical filters between them, with the only difference for those entries being uBO's use of abbreviated aliases, whereas Ultimate Security uses standard static filter syntax (e.g. $doc vs. $document).

This is all likely due to AdBlocker Ultimate lists being substantially derived from default lists offered by AdGuard and EasyList, many of which seem to incorporate much of uBO's Badware list as well. The ad-blocking scene is so huge and interconnected now, that sometimes I think it would be better if we all pooled our time and resources together to perfect and expand a single project, but hey, at least it's fun :wink:
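The comparison described in the comment above (strip list syntax, expand uBO's option aliases, then sort and diff) can be sketched as follows. This is an added example, not the commands bongochong ran: the function names and both sample lists are constructed for illustration, and the alias table covers only a subset of uBO's documented shorthands.

```python
import re

# uBO shorthand -> standard static-filter option name (aliases documented by uBO).
UBO_ALIASES = {
    "doc": "document", "css": "stylesheet", "xhr": "xmlhttprequest",
    "frame": "subdocument", "3p": "third-party", "1p": "~third-party",
    "first-party": "~third-party", "ehide": "elemhide", "ghide": "generichide",
}

def normalize(line):
    """Canonical form of one network filter, or None for lines to skip."""
    line = line.strip()
    # Skip blanks, comments, list headers and cosmetic rules (##, #@#, #?#).
    if not line or line[0] in "![#" or re.search(r"#[@?$]?#", line):
        return None
    # Simplification: options start at the first "$" (true for plain
    # ||host^ filters; regex patterns containing "$" are out of scope).
    pattern, sep, opts = line.partition("$")
    if not sep:
        return pattern
    canon = []
    for opt in opts.split(","):
        negated = opt.startswith("~")
        name, eq, value = opt.lstrip("~").partition("=")
        name = UBO_ALIASES.get(name, name)
        if negated:  # "~1p" expands to "~~third-party", i.e. "third-party"
            name = name[1:] if name.startswith("~") else "~" + name
        canon.append(name + eq + value)
    return pattern + "$" + ",".join(sorted(canon))

def compare(list_a, list_b):
    """Return (identical, only_in_a, only_in_b) after normalization."""
    a = {f for f in map(normalize, list_a.splitlines()) if f}
    b = {f for f in map(normalize, list_b.splitlines()) if f}
    return sorted(a & b), sorted(a - b), sorted(b - a)

# Constructed samples, not copied from either real list.
UBO_SAMPLE = """! Title: constructed uBO-style sample
||hijack-search.example^$doc
||bad-cdn.example^$3p,xhr
||only-in-ubo.example^$all
bad.example##.banner"""
ULTIMATE_SAMPLE = """! Title: constructed standard-syntax sample
||hijack-search.example^$document
||bad-cdn.example^$xmlhttprequest,third-party
||only-in-ultimate.example^"""

if __name__ == "__main__":
    same, only_ubo, only_ultimate = compare(UBO_SAMPLE, ULTIMATE_SAMPLE)
    print(len(same), "identical;", only_ubo, only_ultimate)
```

Sorting the options inside each filter matters as much as expanding aliases: without it, two rules that differ only in option order would be counted as different entries.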

ShadowWhisperer commented 2 months ago

I'm curious where the "reviews" come from. Don't see any of these on Google's side.

[image: revs]

JobcenterTycoon commented 2 months ago

"from our users" 🤡

> The ad-blocking scene is so huge and interconnected now, that sometimes I think it would be better if we all pooled our time and resources together to perfect and expand a single project, but hey, at least it's fun

At least it's harder for ad companies to monitor many ad blockers instead of one because the behavior may be different even if the same filters are used. Same for security vendors, it's harder to monitor 100 different ones instead of 1. But for simple open source domain blocking it would be the best to combine the power.

hagezi commented 2 months ago

I think we are all in agreement here. Closing ....