mitchellkrogza / Phishing.Database

Phishing Domains, urls websites and threats database. We use the PyFunceble testing tool to validate the status of all known Phishing domains and provide stats to reveal how many unique domains used for Phishing are still active.
MIT License

[FALSE-POSITIVE] #797

Closed ClaritysoftSupp closed 8 months ago

ClaritysoftSupp commented 8 months ago

Domains or links
https://claritycrm.com claritycrm.com

More Information
How did you discover your web site or domain was listed here?

  1. Website was hacked - We worked with our server host and website developers to resolve the issue.
  2. We were listed on virustotal.com. Our listings are beginning to reduce now that the issue has resolved.

Have you requested removal from other sources?
We were listed and have since been delisted by cluster25 as of this morning. We are currently still listed by seclookup and are awaiting delist.

Additional context
We had an issue with malware that has since been resolved. Measures have been put in place to prevent issues moving forward.


We understand being listed on a Phishing Database like this can be frustrating and embarrassing for many web site owners. The first step is to remain calm. The second step is to rest assured one of our maintainers will address your issue as soon as possible. Please make sure you have provided as much information as possible to help speed up the process.

Send a Pull Request for faster removal

Users who understand GitHub and creating Pull Requests can assist us with faster removals by sending a PR to the mitchellkrogza/phishing repository, on the falsepositive.list file:

https://github.com/mitchellkrogza/phishing/blob/main/falsepositive.list

Please include the same above information to help speed up the whitelisting process.

ClaritysoftSupp commented 8 months ago

Hi,

Looking for a response to my submission above. We have users who are unable to access our website.

As of 17 minutes ago, claritycrm.com is still being listed by Phishing Database on virustotal.com.

Please let me know if there is anything that can be done to expedite the delisting process.

Thank you

ClaritysoftSupp commented 8 months ago

Hi,

We have not received a response for this open issue. Additionally, we have submitted a pull request for claritycrm.com.

Our customers are currently experiencing issues accessing their data due to this listing.

Please let me know if there is any way to expedite this process.

Thank you

spirillen commented 8 months ago

Hi @ClaritysoftSupp

We have not received a response for this open issue

Nope, as I'm looking into it on a volunteer level, I do my best to keep up with various things, so please be patient.

As mentioned in the issue template

We understand it can be frustrating to be marked as potential infected

This is also why the Google infected VirusTotal never marks any domains higher than Potential with any records from this project.


And here is something just as frustrating for me as it is for you: I do not have access to the scanning logs, which leaves me very blind as to what I am looking for on your domain(s), which leads to a lot of searching for me, to see if I should give your information any trust, or you are "just saying" a lot of buzz words.

This is giving the whitelist job a lower prio, as I in general spend over an hour on each of these reports... for free... so please don't hesitate to hit @spirillen's sponsor button as well as this project.


@ClaritysoftSupp I'll dig into this issue now, so any clues you can share to help are appreciated.

For the security perspective, you can hit me up on https://matrix.to/#/@spirillen:matrix.org

spirillen commented 8 months ago

Spyware found on claritycrm.com

Prohibited access to help solve this issue by GoDaddy's censorship and anti Privacy rules

image

Can't solve this issue without anonymous access to the crm in question

ClaritysoftSupp commented 8 months ago

Thanks for your reply. Please go through each of the below-mentioned points based on your reply.

1

Looks like it's a miscommunication, we want claritycrm.com to be white-listed from the phishing database and not claritysoft.com (which you mentioned in the last reply mail from your side). claritycrm.com is marked by Phisi. database. We want this domain to be cleaned from your side.

note: claritysoft.com domain is out of topic and it has no relation with claritycrm.com. claritysoft.com is our corporate website.

2

Moreover, the two URLs mentioned by you tagged as spyware,

https://www.google.com/recaptcha/api.js?render=6LdQ1bAcAAAAAJs_pD4NlkSI7las06lhe9WWhrnE
https://fonts.googleapis.com/css?family=Roboto

are pointing to google.com, which is clean.

These URLs belong to Google

  1. used for captcha for added security to stop unauthorized access in our product from bot or automated program.
  2. used for Google font

Both the URLs we scanned in virustotal.com and marked clean by all security agencies including you.

These seem to us pretty surprising if the two above urls contain spyware and our domain is marked as unsafe instead of the two Google URL mentioned which are safe.

3

Lastly, the topic is regarding the Access being denied by Godaddy, it seems that you are trying to access our application by an anonymous "UNTRUSTED" IP (185.220.103.4) which has a serious mispractice reputation [ref. Exhibit-1]. It is blocked by ThreatDown Antivirus Server Agent powered by MalwareBytes. Malwarebytes blocked and in the category: exploit been mentioned in their log report of the IP (185.220.103.4)

Exhibit-1: in the attachment

Wondering if it is possible from your end to use a trusted IP to scan our domain. If not, we can make the above IP used by you guys in the exclusion list.

Please take the necessary actions from your end to mark our domain claritycrm.com safe. I do not see anything else we could take to protect and secure our domain. It's fully tight with any kind of security breach with the actions taken by us on the 15th of January, 2024.

Thank you in advance.

Regards,
Sandip

Sandip Nascar
+91 7059326999

From: spirillen
Date: Tuesday, 23 January 2024 at 2:44 AM
To: mitchellkrogza/Phishing.Database
Cc: Claritysoft Support, Mention
Subject: Re: [mitchellkrogza/Phishing.Database] [FALSE-POSITIVE] (Issue #797)

Spyware found on claritycrm.com

Prohibited access to help solve this issue by GoDaddy's censorship and anti Privacy rules

image.png (view on web): https://github.com/mitchellkrogza/Phishing.Database/assets/44526987/77a1e3d1-b03e-42bd-af4e-0e7f96e63551

Can't solve this issue without anonymous access to the crm in question


spirillen commented 8 months ago

claritysoft.com domain is out of topic and it has no relation with claritycrm.com. claritysoft.com is our corporate website.

Is used to determine who you are and what you might be doing, to help getting a picture of what to be looking for.

These seem to us pretty surprising if the two above urls contain spyware and our domain is marked as unsafe instead of the two Google URL mentioned which are safe.

Nothing from google is safe for anyone. period, Alphabet are spies, can't be discussed and they do not put anything on the net, unless it is used to spy on people. IT IS THEIR BUSINESS model to spy on everyone to among others selling ads, and manipulating elections, meaning interfering with democracy. < These are facts.

used for captcha for added security to stop unauthorized access

Add your own and self hosted solution, EU have freeware recaptcha, and it is one js file, this will also add more trust in your domain.

Next about this is they never work, people dumb enough to let G-captcha slip through their network's firewall, are often fighting up to hours to get through the captcha trap of fingerprinting the user by click and mouse patterns + plus a lot more invasive crap.

Lastly, the topic is regarding the Access being denied by Godaddy, it seems that you are trying to access our application by an anonymous "UNTRUSTED" IP (185.220.103.4) which has a serious mispractice reputation [ref. Exhibit-1]. It is blocked by ThreatDown Antivirus Server Agent powered by MalwareBytes. Malwarebytes blocked and in the category: exploit been mentioned in their log report of the IP (185.220.103.4)

Yes, of course I'm using tor to access potentially infected domains from a closed box via tor... and it is well known that MalwareBytes are working against privacy = democracy.

Meaning: If you like my help to see if the domain can be whitelisted, you will honor the human rights to privacy.

Wondering if it is possible from your end to use a trusted IP to scan our domain

Any Tor IP addresses are from the actual trustworthy network... unlike any connections via #SpyWeb (or #catNet if you prefer). So please be careful, maybe one (1) % of the users on the Tor network have bad intentions... All corps (Adobe, Alphabet, meta and Cloudflare to only mention a few from the top 10) on the #spyWeb have bad intentions, which roughly will say 90% of all traffic on the "Clear Net" is tracking, spying, manipulating etc etc etc of badware with evil intention.

Conclusion from your own philosophy... ban spyWeb and allow Tor Network.


I stop wasting further time on this issue as it leads nowhere.

ClaritysoftSupp commented 8 months ago

Thank you for your reply and patience as we gather our understanding of the situation.

We have added the IP in question to our firewall allow lists.

Please let us know if there is any other way we can assist with the investigation.

spirillen commented 8 months ago

We have added the IP in question to our firewall allow lists.

That makes no sense to add that IP address as it is rotated every few minutes, as the Tor exit nodes are changed every few minutes to ensure your privacy, and makes it near impossible to track a default user's whereabouts. The only thing you can do is to permit users their fundamental right to privacy and allow full access from the Tor-network.

And as I said, I'm not going to waste more time on this domain (issue) as I

  1. Do not have access to the log files for why you are listed
  2. I do not have access (login data) to the domain in question
  3. I do not have access to figure out who you are, as you keep blocking access to the tor network

ClaritysoftSupp commented 8 months ago

As said by you, “Do not have access to the log files for why you are listed”. Is it possible for you to share any contact who is the direct authority for it?

So that we can reach out to them and sort out the issue as we are completely nowhere, why still it’s showing as unsafe in the phishing database.

And we don’t block any IP deliberately. Malwarebytes ThreatDown agents running in the server and GoDaddy security blocks all untrusted, unsafe IPs.

From: spirillen
Date: Wednesday, 24 January 2024 at 11:48 PM
To: mitchellkrogza/Phishing.Database
Cc: Claritysoft Support, Mention
Subject: Re: [mitchellkrogza/Phishing.Database] [FALSE-POSITIVE] (Issue #797)

We have added the IP in question to our firewall allow lists.

That makes no sense to add that IP address as it is rotated every few minutes (https://tor.stackexchange.com/questions/7567/how-often-do-tor-exit-nodes-change-ip-addresses), as the Tor exit nodes are changed every few minutes to ensure your privacy, and makes it near impossible to track a default user's whereabouts. The only thing you can do is to permit users their fundamental right to privacy and allow full access from the Tor-network.

And as I said (https://github.com/mitchellkrogza/Phishing.Database/issues/797#issuecomment-1908219140), I'm not going to waste more time on this domain (issue) as I

  1. Do not have access to the log files for why you are listed
  2. I do not have access (login data) to the domain in question
  3. I do not have access to figure out who you are, as you keep blocking access to the tor network


ClaritysoftSupp commented 8 months ago

Hello,

As the CEO of Claritysoft, I wanted to send you a message directly. I understand you are offering help in a volunteer capacity, and I truly appreciate your help.

Claritysoft is a CRM software provider, we’ve been in business for over 13 years and have 1000’s of users of our software. During the last 13 years, we have never experienced any issues like the issues we are experiencing today. As a result of our presence on the “Phishing Database” list, many of our customers cannot reach our service and our very existence is at risk.

I have asked my team to work with you to get this resolved. We have now granted the TOR network access to claritycrm.com, so you should be able to scan our site to determine if any malware still exists.

Thank you again for your assistance.