Domain/URL/IP(s) you believe NOT to be Phishing

https://current.aletheia-test.idtech.no/authorization

Whitelist type

• 1 to 1 match
• ALL subdomains or REGEX
• RZD all sub- and top level domains matching given record(s)

More Information

• Website was hacked
• Phishtank
• OpenPhish
• VirusTotal
• Other (Please fill out the next box)

Related external source

No response

Screenshot

No response

Additional context

Whitelisting PR (#380) was merged three days ago, but virustotal still says Phishing Database reports the site as malicious. Why isn't the whitelisting reflected in virustotal yet?

Virustotal link: https://www.virustotal.com/gui/url/164248c4b08e36070dfdbae6a849b4fc079a7e7501ea2015a1922f913c93d016?nocache=1

This record supports both protocol's therefor added twice to the list

https://tabitha-cambodia.org//app/Model/CpgredesPerts/cgi_b!n/cg%C4%AF_bin/ijj%C5%939p0ol932/871%C3%ACtip9oling/P%C4%ABBalyc0%C5%93uk/80%C3%BCe2101b%C4%8D/Bbbw%C4%99biay/lopsdjjjh%C3%AAb%C3%B8jhxhas%C5%93jhghbvssiu8e90j/P%C3%BFBay/?fbclid=IwAR1F2ugJu5vjikpoyymFv4UfN0tX-mziKJGg2Mo-Up_2Q-dmGcVSJM6X0Kg
http://tabitha-cambodia.org//app/Model/CpgredesPerts/cgi_b!n/cg%C4%AF_bin/ijj%C5%939p0ol932/871%C3%ACtip9oling/P%C4%ABBalyc0%C5%93uk/80%C3%BCe2101b%C4%8D/Bbbw%C4%99biay/lopsdjjjh%C3%AAb%C3%B8jhxhas%C5%93jhghbvssiu8e90j/P%C3%BFBay/?fbclid=IwAR1F2ugJu5vjikpoyymFv4UfN0tX-mziKJGg2Mo-Up_2Q-dmGcVSJM6X0Kg

Domain/URL/IP(s) where you have found the Phishing

https://github.com/mitchellkrogza/phishing

Related external source

https://mypdns.org/my-privacy-dns/matrix/-/issues/3080

Describe the issue

Domains created to target instagram accounts.
It is hosted on a single server and of course the server was created for phishing purposes.
Phishing server IP: 34.125.197.109

https://media-helpcenter.com/quadro-login.php

Screenshot

In reply to #213 we might fase an issue with only one falsepositive or exclusion list as there are both wildcard and full-match only cases.

The falsepositive list is used as a wildcard list right?

If I remember that right ⏫ this is calling for a new exclusion lists that takes "this match" only which in general might be a good idea, as there are other freely sub-domain hosting services out there.

Alternative is we start demanding people reads and understand the whitelist-tools commands for ALL | REG | RZD etc and have them applying it into one lists.

I therefor suggestion the project will be using two whitelists to simplify contributions to this project.

As mentioned by @spirillen, we should sort the list before/after a commit / PR.

Domain/URL/IP(s) you believe NOT to be Phishing

https://wcei.com.br/

More Information

• mitchellkrogza Phishing
• mitchellkrogza Phishing.Database
• Website was hacked
• Listed as Phishing on Phishtank or OpenPhish
• Listed on VirusTotal
• Other (Please tell us where in Related external source below)

Related external source

No response

Screenshot

No response

Describe the issue

My site is listed in the Total Phishing Virus by Phishingdatabase. But the site is clean, I'll check manually and scan and there's nothing. I ask that it be reassessed and the block removed

https://wcei.com.br/

Domain/URL/IP(s) where you have found the Phishing

scam

Impersonated domain

scam

Describe the issue

crypto scam

Screenshot

No response

Related external source

No response

Domain/URL/IP(s) where you have found the Phishing

188.34.139.235
23.99.65.85
20.94.249.183
52.170.83.27
188.34.139.235
51.116.134.73
104.46.14.154
20.52.2.74
20.109.185.93
20.115.152.112

Related external source

No response

Describe the issue

There are several server IP addresses opened for phishing purposes. Can you blacklist them?

Screenshot

Domain/URL/IP(s) you believes NOT to be Phishing

abbotsleigh.nsw.edu.au
https://abbapps.abbotsleigh.nsw.edu.au
https://abbapps.abbotsleigh.nsw.edu.au/fadcauth/login.html

Whitelist type

• 1 to 1 match
• ALL subdomains or REGEX
• RZD all sub- and top level domains matching given record(s)

More Information

• mitchellkrogza Phishing
• mitchellkrogza Phishing.Database
• Website was hacked
• Listed as Phishing on Phishtank or OpenPhish
• Listed on VirusTotal
• Other (Please tell us where in Related external source below)

Related external source

https://www.virustotal.com/gui/url/b1d29cffaedc133aab3bf428fdce627a0a8f22a64f808ee53fd642a90baab280
https://www.virustotal.com/gui/url/268846513b97eaea5a7c685a88cedb9b419ac51a342389eee830a094bc0037db

Screenshot

No response

Describe the issue

1. Spirillen closed my pull request 280. and emailed me that "As the you are blocking our tests we are unable to work with this issue. Please open new issue, once you have solved your server issues".
2. Please let me know what error you get.
3. Please let me know what IP your testing is coming from.

Domain/URL/IP(s) where you have found the Phishing

https://example.com
https://example.org/phishing
192.0.2.0/24

Related external source

No response

Describe the issue

Test of issue template

Screenshot

No response

Domain/URL/IP(s) you believe NOT to be Phishing

androidauthority.com/

More Information

• mitchellkrogza Phishing
• mitchellkrogza Phishing.Database
• Website was hacked
• Listed as Phishing on Phishtank or OpenPhish
• Listed on VirusTotal
• Other (Please tell us where in Related external source below)

Related external source

No response

Screenshot

No response

Describe the issue

This is a news blog website.

Copy of #391 (comment) by @g0d33p3rsec

I'll merge them, then pyfunceble will remove the dead once

Thanks! I wonder if pyfunceble may be causing the false negatives when I add as domain or wildcard. When I first added by individual URI, Virus Total would return a positive once the commit was merged upstream. Since, as I've been adding as domain or wildcard, the sites seem to be dropped by the time this repo is merged upstream resulting in subsequent false negatives on VT from the Phishing Database even though the upstream repo showed recent merges. That's why I tried testing both a few commits ago but the results were inconclusive. I should have more time to dig into it after the semester ends next week. If you want to compare output, I've been trying to track the group using a VT collection which can be found at https://www.virustotal.com/gui/collection/5b7e996c553034dddc8c690ea6be0adb3182b0fa96ce6a8b29627e165fb47f38/iocs

Here's an example from a recent add https://www.virustotal.com/gui/url/0503dbd260648c364c10793657cdebe883da30554b3c9cbed639025ea45e58e7 Most of the detections shown are from hand feeding the domain to the individual EDR vendors, which can be a bit laborious.

Domain/URL/IP(s) where you have found the Phishing

https://southerninsurs.com

Impersonated domain

The legit Southern Insurance company has no official website at that moment. This company works with Visy internal subdivisions and some corporate clients.

Describe the issue

HI,

I am writing to bring a matter of utmost importance to your attention. It has come to our notice that criminals have taken advantage of typo-squatting tactics by deploying the website southerninsurs.com . I must emphasize that the Southern Insurance company, which is based in Singapore and owned by Visy Group (the company I am working for), has absolutely no association with this website.

Due to the severity of this situation, the Singapore police have taken action by blocking access to this website from Singaporean IP addresses. However, there remains a significant risk that potential clients accessing the site from other countries may unknowingly fall victim to these unscrupulous individuals. In fact, one of our valued clients was recently defrauded of $300,000 under the false assumption that they were engaging with a legitimate company.

Could you please mark this site as phishing?

Thank you for your prompt attention to this matter.

Yours sincerely,
Patrick Ocean
Cyber Security Analyst
VISY
53 Charles St,
Coburg North,
Victoria, Australia

M:+61488 111 373 W: www.visy.com.au

Screenshot

No response

Related external source

No response

Domain/URL/IP(s) you believes NOT to be Phishing

vodafone.de
live.vodafone.de

https://live.vodafone.de
https://www.vodafone.de/cprx/captcha
https://www.vodafone.de/meinvodafone/account/login?protocol=oidc

Whitelist type

• 1 to 1 match
• ALL subdomains or REGEX
• RZD all sub- and top level domains matching given record(s)

More Information

• mitchellkrogza Phishing
• mitchellkrogza Phishing.Database
• Website was hacked
• Listed as Phishing on Phishtank or OpenPhish
• Listed on VirusTotal
• Other (Please tell us where in Related external source below)

Related external source

No response

Screenshot

No response

Describe the issue

Found in ALL-phishing-domains and ALL-phishing-links archives. Not a phishing site and doesn't seem to have been hacked recently. VirusTotal shows no hits (Even for Phishing.Database weirdly enough)

Any idea how these got reported as phishing? I'm guessing these archives are already filtered with your whitelist, correct?

Hi Mitch @mitchellkrogza,

Can you please install and configure the move GitHub application so that I can move issues from the other repo to here?

Cheers!

212.64.215.12

I request you to blacklist the IP address. Again, the domains connected to this IP address are listed. I will PR

Domain/URL/IP(s) you believe NOT to be Phishing

surveysparrow.com

Whitelist type

• 1 to 1 match
• ALL subdomains or REGEX
• RZD all sub- and top level domains matching given record(s)

More Information

• Website was hacked
• Phishtank
• OpenPhish
• VirusTotal
• Other (Please fill out the next box)

Related external source

No response

Screenshot

No response

Additional context

This is a survey platform. However, the global domain is marked as phishing. Not a phishing site.

Any idea how these got reported as phishing?