Site marked as phishing site by browsers

In the past week a number of my users have noted that my site has been marked as a phishing site, but most are not seeing this, including myself. I have a number of security errors in my logs, which all come back to this JavaScript file:

https://community.naturephotographers.network/assets/vendor-957bcfd0b1422c19974dcf8f64f73eeada523e3d12dd3c76eb24c753f9399397.js

Most of the reports of this happening were Sunday night, and then everyone seemed to stop getting the warning, but now I have people emailing me again stating that it's happening again today.

It seems like it may be CDN related, as the common theme is with images. I contacted DigitalOcean and they said they were not seeing any problems on their end. Any ideas?

Log env
hostname community-app
process_id [24095, 24114]
application_version bcf4a1775169698f103c78c4ec61fecedd21e3f8
HTTP_HOST community.naturephotographers.network
REQUEST_URI /logs/report_js_error
REQUEST_METHOD POST
HTTP_USER_AGENT [Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko, Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko, Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko, Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko, Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko]
HTTP_ACCEPT /
HTTP_REFERER https://community.naturephotographers.network/
HTTP_X_FORWARDED_FOR [209.170.230.242, 76.241.9.23, 12.235.114.66, 217.116.64.52, 24.117.75.79, 71.84.189.197, 173.244.130.100, 50.0.118.42, 72.210.21.39]
HTTP_X_REAL_IP [209.170.230.242, 76.241.9.23, 12.235.114.66, 217.116.64.52, 24.117.75.79, 71.84.189.197, 173.244.130.100, 50.0.118.42, 72.210.21.39]
params
message SecurityError Url: https://community.naturephotographers.network/assets/vendor-957bcfd0b1422c19974dcf
url https://community.naturephotographers.network/assets/vendor-957bcfd0b1422c19974dcf8f64f73eeada523e3d1
line 2
column 9962
window_location https://community.naturephotographers.network/

I noticed a number of the URLs that were causing security errors are throwing a 402 Payment Required. For example, here are the Sucuri scan results for one of the pages: Sucuri SiteCheck - Free Website Security Check & Malware Scanner

Do we even return 402 anywhere in our code paths @sam?

It is a very odd response value

402 Payment Required

Reserved for future use. The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, as proposed for example by GNU Taler, but that has not yet happened, and this code is not usually used. Google Developers API uses this status if a particular developer has exceeded the daily limit on requests. Sipgate uses this code if an account does not have sufficient funds to start a call. Shopify uses this code when the store has not paid their fees and is temporarily disabled.

It is possible your scanner was hitting a Discourse rate limit, though I find the usage of 402 rather ambiguous. There is a proper response code for rate limiting, 429:

429 Too Many Requests (RFC 6585)

The user has sent too many requests in a given amount of time. Intended for use with rate-limiting schemes.

Are you sure your host isn’t causing this? Where is your site hosted, with what company? The “requires payment” response code is very curious indeed and makes me think this is about money and hosting.

With DigitalOcean, and everything is current.

It's your members-only page which is returning the 402 errors. When I follow the URL mentioned in the site scan manually, it gives me a members-only login page.

But when I request it using a command line tool, I’m getting a 402 Payment required. Which seems logical given the fact that it actually requires payment in order to get to the content.

Nevertheless I’m wondering if this is what is actually causing the phishing site warnings.

Ahh yes, this is from the Category Lockdown plugin. I looked through the code and it does use 402. @david, could it be causing the phishing warnings? I see the plugin hasn't changed since October, but maybe something in core is conflicting? I will try disabling it and see if the users still get the warning.

Overnight the only new error in the logs is this one, and another user reported getting the warning around the same time as this:

Error: Could not find module discourse-common/lib/raw-handlebars
Url: https://community.naturephotographers.network/assets/ember_jquery-07f49b58317ea9292d939348ec0091eb50a9d8aaabd9e86cc074ef5f049918aa.js
Line: 19
Column: 11853
Window Location: Landscape Critiques - Nature Photographers Network

hostname community-app
process_id 32693
application_version e655e1863f07d1304393efa14a6726f5f622ef75
HTTP_HOST community.naturephotographers.network
REQUEST_URI /logs/report_js_error
REQUEST_METHOD POST
HTTP_USER_AGENT Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
HTTP_ACCEPT /
HTTP_REFERER Landscape Critiques - Nature Photographers Network
HTTP_X_FORWARDED_FOR 46.208.87.187
HTTP_X_REAL_IP 46.208.87.187
params
message Error: Could not find module discourse-common/lib/raw-handlebars Url: https://community.naturephotogr
url https://community.naturephotographers.network/assets/ember_jquery-07f49b58317ea9292d939348ec0091eb50a
line 19
column 11853
window_location Landscape Critiques - Nature Photographers Network
stacktrace s@https://community.naturephotographers.network/assets/ember_jquery-07f49b58317ea9292d939348ec0091eb5

I can't say for certain, but a Google search doesn't bring up any examples of 402s being used as an indicator for phishing sites. In fact, the first Google result is this topic.

I think in this case ‘402’ is actually the correct error code - payment is required to view the content.

Thanks David. After disabling it my users are still getting the red screen, so I guess that rules it out.

It appears the site is not secure for these users, yet the certificate is valid and doesn’t expire until February:

Somehow you’ve ended up on Google’s phishing list: Google Transparency Report

I think all you can really do is fill in the form they link to: Report Incorrect Phishing Warning

But I don't think I am on the list, it's just a browser trigger. If I check the site on Sucuri it doesn't show on any list, and most users, including myself, are not getting this warning.

The only connection I can make is that all the red screens reference the DigitalOcean CDN, and the users getting this warning are not able to load images (I have my image hosting through a DigitalOcean Space with CDN).

You are on the list. Did you follow the link for more information?

The URL that's on the list is the DigitalOcean CDN (npn.sfo2.cdn.digitaloceanspaces.com). Perhaps someone uploaded a phishing site there and is sharing the link, not necessarily in your forum site.

https://transparencyreport.google.com/safe-browsing/search?url=https:%2F%2Fnpn.sfo2.cdn.digitaloceanspaces.com
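
The lesson of the posts above is that a page inherits the Safe Browsing reputation of every hostname it loads sub-resources from, not just its own. The script below is an added example (not code from this thread, from Discourse, or from the Category Lockdown plugin) that inventories the external origins a page embeds, flags hostnames on multi-tenant storage/CDN domains whose reputation is shared with other customers, and builds the Transparency Report lookup URL in the same form as the one quoted above. The sample page markup, the `.example` hostnames and the list of shared-tenant domain suffixes are constructed for the example; only the DigitalOcean Spaces CDN hostname and the Transparency Report URL form come from the thread.

```python
"""List the third-party origins a page depends on, so each can be checked
against Safe Browsing separately from the page's own hostname.

Added example. SAMPLE_HTML, the .example hosts and SHARED_HOST_SUFFIXES are
constructed/illustrative, not taken from the original thread.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import quote, urljoin, urlsplit

# Tag -> attributes that make a browser fetch a sub-resource.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
}

# Multi-tenant object-storage / CDN domains (assumption: illustrative, not exhaustive).
SHARED_HOST_SUFFIXES = (
    ".digitaloceanspaces.com",
    ".s3.amazonaws.com",
    ".blob.core.windows.net",
    ".storage.googleapis.com",
)


class ResourceCollector(HTMLParser):
    """Collect absolute URLs of every sub-resource referenced by the markup."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        for name in wanted:
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # "url1 1x, url2 2x" -> each URL token before its descriptor
                candidates = [p.strip().split()[0] for p in value.split(",") if p.strip()]
            else:
                candidates = [value]
            for c in candidates:
                self.urls.append(urljoin(self.base_url, c))


def external_origins(html, page_url):
    """Return {origin: [urls]} for sub-resources not served from the page's own host."""
    parser = ResourceCollector(page_url)
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    origins = defaultdict(list)
    for u in parser.urls:
        parts = urlsplit(u)
        # data:, blob:, javascript: and anything without a host cannot be blocklisted by hostname
        if parts.scheme not in ("http", "https") or parts.hostname is None:
            continue
        if parts.hostname == page_host:
            continue
        origins[f"{parts.scheme}://{parts.hostname}"].append(u)
    return dict(origins)


def is_shared_tenant_host(hostname):
    return hostname.endswith(SHARED_HOST_SUFFIXES)


def transparency_report_url(origin):
    """Safe Browsing site-status lookup, in the URL form quoted in the thread."""
    return ("https://transparencyreport.google.com/safe-browsing/search?url="
            + quote(origin, safe=":"))


def report(html, page_url):
    """One row per external origin: resource count, shared-tenant flag, lookup URL."""
    rows = []
    for origin, urls in sorted(external_origins(html, page_url).items()):
        host = urlsplit(origin).hostname
        rows.append({
            "origin": origin,
            "resources": len(urls),
            "shared_tenant": is_shared_tenant_host(host),
            "check": transparency_report_url(origin),
        })
    return rows


# Constructed sample page: same-host assets, a DigitalOcean Spaces CDN image,
# a data: URI, a protocol-relative avatar host and an embedded iframe.
PAGE_URL = "https://community.naturephotographers.network/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/stylesheets/desktop.css">
<script src="/assets/vendor.js"></script>
</head><body>
<img src="https://npn.sfo2.cdn.digitaloceanspaces.com/original/1X/abc.jpg"
     srcset="https://npn.sfo2.cdn.digitaloceanspaces.com/optimized/1X/abc_2x.jpg 2x">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<img src="//avatars.example/letter/a/50.png">
<iframe src="https://video.example/embed/xyz"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for row in report(SAMPLE_HTML, PAGE_URL):
        flag = " (shared-tenant host)" if row["shared_tenant"] else ""
        print(f"{row['origin']}: {row['resources']} resource(s){flag}\n  {row['check']}")
```

Run it against a saved copy of a real page (`curl -s https://example.invalid/ > page.html`, then call `report(open("page.html").read(), page_url)`) and visit each lookup URL. A hostname such as `npn.sfo2.cdn.digitaloceanspaces.com` is flagged because its reputation depends on what other tenants of that domain host; a listing against it will trigger warnings only for visitors whose browsers actually fetch something from it, which matches the thread's observation that only users unable to load images saw the red screen.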

Thanks guys, I didn't see the link David posted at first. I didn't think of checking the DO link. I have submitted to Google for review and we will see where it goes from here. I do find it odd that it is only affecting a handful of users still.

DigitalOcean finally got back to me and acknowledged that someone on their network had uploaded phishing material, and it has now been resolved. It's a bit crazy that they are not siloed. Thank you all for your help.