How Competitors Can Easily Block Your Site

We recently ran into a situation where a number of antivirus and site-reputation products (Kaspersky, Quttera, McAfee, Norton Safe Web, Bitdefender and a few less well-known ones) started blocking our website. Investigating it led me to the conclusion that getting onto a block list is extremely easy: a handful of complaints is enough, even unsubstantiated ones. I describe the problem in more detail below.

The problem is serious, because almost every user now has an antivirus or firewall installed, and a block by a major antivirus such as Kaspersky can make a site inaccessible to a large share of its visitors. I would like to draw the community's attention to the problem, as it opens up enormous scope for dirty tricks against competitors.

I will not link to the site or name the company, so that this is not taken as some kind of PR. I will only note that the site operates within the law, the company is commercially registered, and all of its details are published on the site.

We recently started receiving complaints from customers that Kaspersky Anti-Virus was blocking our site as a phishing site. Repeated checks on our side found nothing wrong with it. I submitted a false-positive report through the form on the Kaspersky website and received this response:

We checked the link you sent.
The information at the link poses a threat of loss of user data; the false positive has not been confirmed.

No evidence that the site poses a threat was provided. After further enquiries, the following response arrived:

We checked the link you sent.
This domain was added to the database because of user complaints. The link will be excluded from the anti-phishing databases, but monitoring will be enabled in case of repeated complaints.

From this it is clear that the mere existence of some complaints is sufficient grounds for blocking. Presumably a site is blocked once the number of complaints exceeds some threshold, and no verification of the complaints is required.

In our case the attackers sent a batch of complaints: to our data centre, to several antivirus vendors, and to services such as PhishTank. On PhishTank the complaints consisted of nothing more than a link to the site and the assertion that it was phishing; no evidence whatsoever was attached.

It turns out that an inconvenient site can be blocked simply by spamming complaints. Perhaps there are already services offering this; if not, they will obviously appear soon, given how easy it is to get a site into the databases of some antivirus vendors.

I would like to hear from representatives of Kaspersky. I would also like to hear from anyone who has faced this problem themselves, and how quickly it was resolved. Perhaps someone can suggest lawful ways of applying pressure in such situations. For us the situation has meant reputational and financial losses, not to mention the time spent resolving it.

I would like to draw as much attention as possible to this situation, because any site is at risk.

Update.
In the comments a link was posted to an interesting comment by HerrDirektor on this issue: habr.com/ru/post/440240/#comment_19826422. I quote it here:

I'll tell you more: do you want to create problems for almost any site in 10 minutes (well, except for large, bold and very famous ones)?
Welcome to PhishTank.
We register 8-10 accounts (only an email is needed for confirmation), pick a site we like, and add it to the PhishTank database from one account (to make life harder for the owner, you can paste some email advertising gay porn with dwarves into the form when adding it).
With the remaining accounts we vote it as phishing until they tell us "This is a phish site!".
Done. We sit back and wait. Although, to consolidate the success, you can add both http:// and https://, with and without a trailing slash, or with two slashes. And if you have plenty of time, you can also add links to pages within the site. What for? Here's why:

After 6-12 hours Avast comes along and takes the data from there. After 24-48 hours the data spreads to all sorts of "antiviruses": Comodo, Bitdefender, Clean MX, CRDF, CyRadar... from which that damned VirusTotal sucks up the data.
Of course, NOBODY checks the accuracy of the data; nobody gives a damn.

And as a result, most "antivirus" browser extensions, free antiviruses and other software start complaining about the site in every possible way, from red badges to full-page warnings proclaiming that the site is terribly dangerous and going there is certain death.

And to clean up these Augean stables, you have to write to the technical support of each of these "antiviruses". For EVERY link! Avast reacts quite quickly; the rest simply couldn't care less.
But even if the stars align and you manage to get the site removed from the antivirus databases, the "mega-resource" VirusTotal doesn't care at all. You're no longer in PhishTank's database? Doesn't matter, you were there once, so we'll show what was there. You're no longer in Bitdefender? Doesn't matter, we'll show what was there anyway.
Accordingly, any software or service that relies on VirusTotal will show until the end of time that everything is bad with the site. You can peck at this poor resource for a long time and systematically, and maybe you'll be lucky and get out of there. Or maybe not.

* Among those blocking the site there was even a provider running Fortinet. And we still have not managed to get the site removed from some phishing lists.
* This is my first post on Habr. Unfortunately, until now I had only been a reader, but the current situation motivated me to write.
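The only practical defence the post leaves a site owner with is to notice a listing early and file takedown requests for every spelling of every listed page. The following is an added example (not code from the original post or from the quoted comment) of a small feed monitor that does the first half of that job. It assumes a locally downloaded feed in the column layout of the PhishTank CSV export; the rows embedded below are constructed sample data with hypothetical domains, not real listings. The normalisation collapses the URL variants the quoted comment describes (http versus https, trailing slash, doubled slash) into one page, so each page is reported once together with the count of listings behind it, and it distinguishes the domain's own subdomains from look-alike domains that merely contain its name.

```python
"""Check a phishing-feed export for entries that point at your own domain.

Added example, not from the original post. The feed layout follows the
PhishTank CSV export columns (phish_id,url,phish_detail_url,submission_time,
verified,verification_time,online,target); SAMPLE_FEED is constructed data.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed sample feed: hypothetical domains and ids, not real listings.
SAMPLE_FEED = """\
phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target
900001,http://example-shop.test,https://phishtank.example/phish_detail.php?phish_id=900001,2019-02-05T10:00:00+00:00,yes,2019-02-05T11:10:00+00:00,yes,Other
900002,https://example-shop.test/,https://phishtank.example/phish_detail.php?phish_id=900002,2019-02-05T10:02:00+00:00,yes,2019-02-05T11:12:00+00:00,yes,Other
900003,http://example-shop.test//,https://phishtank.example/phish_detail.php?phish_id=900003,2019-02-05T10:03:00+00:00,no,,yes,Other
900004,https://example-shop.test/catalog/item?id=7,https://phishtank.example/phish_detail.php?phish_id=900004,2019-02-05T10:05:00+00:00,yes,2019-02-05T12:00:00+00:00,yes,Other
900005,http://unrelated.test/login,https://phishtank.example/phish_detail.php?phish_id=900005,2019-02-05T10:06:00+00:00,yes,2019-02-05T12:30:00+00:00,yes,PayPal
900006,http://example-shop.test.evil.test/,https://phishtank.example/phish_detail.php?phish_id=900006,2019-02-05T10:07:00+00:00,no,,yes,Other
"""


def normalize_url(url: str) -> tuple[str, str]:
    """Return (host, path) with scheme, port, host case, empty path segments
    and any trailing slash removed, so that http://x, https://x/, http://x//
    all compare equal. The query string is kept because it selects a page."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""          # lower-cased, port stripped
    segments = [unquote(s) for s in parts.path.split("/") if s]
    path = "/" + "/".join(segments)
    if parts.query:
        path += "?" + parts.query
    return host, path


def belongs_to(host: str, domain: str) -> bool:
    """True for the domain itself and its subdomains only; a look-alike such
    as example-shop.test.evil.test must not match."""
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def scan_feed(feed_text: str, domain: str) -> dict[str, list[dict]]:
    """Group the feed rows that point at `domain` by normalised page.

    Returns {"host/path": [rows...]}. The several spellings of one page land
    in one bucket; the bucket size is the number of separate listings you
    will have to ask the feed (and everyone downstream of it) to remove."""
    listings: dict[str, list[dict]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(feed_text)):
        host, path = normalize_url(row["url"])
        if belongs_to(host, domain):
            listings[host + path].append(row)
    return dict(listings)


def report(feed_text: str, domain: str) -> list[str]:
    """One human-readable line per listed page, with ids for the takedown
    requests and how many of the listings the feed marks as verified."""
    lines = []
    for page, rows in sorted(scan_feed(feed_text, domain).items()):
        verified = sum(r["verified"] == "yes" for r in rows)
        ids = ", ".join(r["phish_id"] for r in rows)
        lines.append(f"{page}: {len(rows)} listing(s), {verified} verified (ids {ids})")
    return lines


if __name__ == "__main__":
    # Run against the constructed feed; with a real export, read the file
    # instead and run this from cron so a listing is noticed within hours.
    for line in report(SAMPLE_FEED, "example-shop.test"):
        print(line)
```

On the sample feed the three spellings of the site root are reported as one page with three listings, the deep link is reported separately, and the unrelated domain and the look-alike domain are ignored. Two caveats a practitioner should keep in mind: a clean feed does not mean the downstream aggregators have caught up, as the quoted comment notes about VirusTotal, and a feed that marks a listing "verified" is reporting its own voting outcome, not an independent check of the site.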

Source: habr.com
