Edgeryders and POPREBEL Impact Conference website tagged as "phishing" by antiviruses

Among the compliments for the look of the website, from some of the partners we received feedback which, IMO, should be addressed both for this website and in general:

“my anti-virus program is labeling Edgeryders website (including the link to the panel page) as a phishing website and blocking it. It started this week, and never happened before (I did mark the website safe, but I thought you ought to know about it).”

The anti-virus in this case is Avast.

It looks bad for anyone trying to connect to it. Is there a way to solve this thing before we start to send the links to the potential speakers at the conference?

@alberto sent me a similar report via Matrix chat a few days ago. Putting it here as it may help solve the issue:

The forum.avast.com link talks about issues like this being caused possibly by browser extensions that try to contact other websites in the background when visiting a website, leading to the impression of phishing (in the sense of, forwarding requests to a different domain without the user noticing it).

@ivan can you confirm this report you received is about the POPREBEL Impact Conference website, even though it says “Edgeryders website”? If so, that would make the issue more peculiar. The impact conference website does not even share its IP address with edgeryders.eu, which would exclude any IP reputation issue.

Ok I found a way to reproduce the issue independent of the operating system you use:

  1. Install the Firefox extension Avast Online Security & Privacy.

  2. Try to visit edgeryders.eu and you’ll see a similar phishing warning, coming from a check against the same Avast phishing URL database:

Indeed the same symptoms happen when visiting https://poprebel-impact.eu/ . All edgeryders.eu subdomains are affected, and that is also the reason why poprebel-impact.eu is affected, since it forwards to a live.edgeryders.eu page when visiting.

Strangely, the CNAME alias domains to which most of our edgeryders.eu subdomains forward are not blocked by Avast. For example, work.edgeryders.eu is blocked by Avast but it internally just forwards to erwork.netlify.app, which is not blocked. This proves that Avast just blocks whole domains incl. all subdomains based on a blacklisting URL database, without any check of the actual content of a page. As seen here, the exact same content can be blocked under one domain and not on others.

In the meantime I found the false positive report form of Avast and reported the issue with edgeryders.eu and its subdomains. They said they’ll notify me by e-mail once they processed the request. The poprebel-impact.eu issue will be cleared by treating the edgeryders.eu issue, due to the forwarding involved (see explanation above).

Let’s hope they are at least fast to answer at Avast. In the past, there have been many false positives for their phishing detection, and unblocking was quite painless judging from the replies in that forum.

Thanks for looking into this, @matthias.

As of now, 60 hours after my report via the Avast false positive report form, nothing has happened. They still block access to edgeryders.eu and its subdomains, and did not notify me of any action by e-mail.

I found a very hidden form to open a support ticket for business support and sent them a strongly worded reminder to get this done ASAP. (Just stopping short of mentioning that malicious actions like blocking access to ordinary websites are what malware does.)

Giving it another two days before further action.

For @ivan and @alberto and everyone else affected: the Avast blocking issue is solved now. I confirmed this for both edgeryders.eu and poprebel-impact.eu and for another representative subdomain that I saw as blocked before (work.edgeryders.eu), and they are all accessible now while the Avast Online Security & Privacy browser extension is enabled.

So I expect that it’s solved now. According to the e-mail I received from them, unblocking may take up to 24 hours, so you might still see symptoms until tomorrow 2022-08-03 13:00 CEST. If you see blocking happening after that, proceed as in the e-mail quoted below (but post here for me, not directly by e-mail to them).
