
Why did this get past the XG?

Hi Folks,

My wife landed on the site shown in the screenshot; why did it get past the XG stuff?

Worst thing is it also got past Sophos Home Premium, which I am about to raise with that group.

Ian



  • It seems to take a long time, quite often days/weeks, before these scam sites are blocked. This is not just Sophos; it's "Google Safe Search" too.


  • No record found.

    My wife clicked on a link in a legitimate site. I have been back over that site and am not able to reproduce the connection.

    I have https scanning enabled on the web proxy.

    Looking at logs to see what else I can find, or not, as the case might be.

    Ian


    Update: the logviewer is becoming frustrating; so far I have not found either of the two issues I have been investigating. The URL in the screenshot does not appear in any logviewer report, so how did it get through the XG?

  • The problem is that the site needs to be listed as a recognised fraud/phishing site, which can take a while to do.

    Until this happens it won't be blocked.

    I deal with scam sites on a frequent basis and even have fun with some guys winding them up and seeing what information we can find about them.

    It sometimes becomes hard to block based on domain alone, as they will piggy-back a full URL path on a hijacked domain and use JavaScript to display the "pop-ups". But they will also randomise the URL path to make it look like a general session token, which it's not; it just makes it harder to block. Sometimes they will have hundreds/thousands of them under the domain.

    The hard part is trying to stay ahead of the scammers. It's difficult, as they are constantly finding new ways to entrap their victims, kind of like a cat and mouse game: you're always behind, as you have to protect against what they are doing, and therefore it's very difficult to get ahead of them.

    The only way possible to do this would be to have white-lists rather than black-listing bad domains. This is what a lot of education institutions have been forced to do to protect children from the nasties.

    My personal wish is for companies to take this more seriously and have the resource available (be it trusted public citizens or internal) that can add these sites to a block list and have it actioned rapidly, rather than in 2-7 days.
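The two blocking strategies discussed in the post above (matching on domain alone versus the randomised path under a hijacked domain, and block-listing versus white-listing) can be tried side by side. The code below is an added example, not code from the thread or from Sophos; every URL and host name in it is constructed, and the "derive a rule from a handful of observed scam URLs" approach is this example's own, not a description of how XG or any other product categorises sites.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data (placeholders, not real sites): a legitimate domain
# whose hosting was hijacked to serve a scam kit under a randomised, token-like
# path segment. The legitimate pages on the same host must keep working.
OBSERVED_SCAM_URLS = [
    "https://hijacked-example.com/wp-content/uploads/3f9a8b2c1d0e7f64/index.html",
    "https://hijacked-example.com/wp-content/uploads/77aa19bcde02f341/",
    "https://hijacked-example.com/wp-content/uploads/0f0f0f0f0f0f0f0f/warn.php",
]
LEGIT_URLS = [
    "https://hijacked-example.com/blog/2021/our-services",
    "https://hijacked-example.com/wp-content/uploads/logo.png",
]
# A scam URL that was never seen before, with a fresh random segment.
UNSEEN_SCAM_URL = "https://hijacked-example.com/wp-content/uploads/deadbeef01234567/index.html"


def split_path(url):
    """Return (host, [path segments]) for a URL, ignoring query and fragment."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    return (parts.hostname or "").lower(), segments


def derive_rule(scam_urls):
    """Build a (host, fixed prefix, token regex) rule from observed scam URLs.

    The fixed prefix is the longest common leading path; the segment right
    after it is the randomised one, whose character set and length we learn.
    """
    hosts = {split_path(u)[0] for u in scam_urls}
    if len(hosts) != 1:
        raise ValueError("one rule per host")
    (host,) = hosts
    paths = [split_path(u)[1] for u in scam_urls]
    prefix = []
    for column in zip(*paths):
        if len(set(column)) != 1:
            break
        prefix.append(column[0])
    tokens = [p[len(prefix)] for p in paths if len(p) > len(prefix)]
    if not tokens:
        raise ValueError("no randomised segment after the common prefix")
    hex_only = all(re.fullmatch(r"[0-9a-f]+", t) for t in tokens)
    charset = "[0-9a-f]" if hex_only else "[0-9A-Za-z]"
    lo, hi = min(map(len, tokens)), max(map(len, tokens))
    return host, prefix, re.compile(rf"^{charset}{{{lo},{hi}}}$")


def matches_rule(rule, url):
    """True if url is on the rule's host, under its prefix, with a token-shaped segment."""
    host, prefix, token_re = rule
    h, segs = split_path(url)
    return (h == host and segs[:len(prefix)] == prefix
            and len(segs) > len(prefix) and bool(token_re.match(segs[len(prefix)])))


def verdicts(urls, blocked_hosts=(), blocked_urls=(), rules=()):
    """Block-list mode: block on host, exact URL, or derived path rule; allow otherwise."""
    out = {}
    for u in urls:
        h, _ = split_path(u)
        block = (h in blocked_hosts or u in blocked_urls
                 or any(matches_rule(r, u) for r in rules))
        out[u] = "block" if block else "allow"
    return out


def allowlist_verdict(url, allowed_hosts):
    """White-list mode: anything not explicitly allowed is blocked.

    This catches a brand-new scam site on day zero, at the cost of blocking
    every uncategorised site, which is the trade-off the post describes.
    """
    h, _ = split_path(url)
    return "allow" if h in allowed_hosts else "block"


if __name__ == "__main__":
    rule = derive_rule(OBSERVED_SCAM_URLS)
    everything = LEGIT_URLS + [UNSEEN_SCAM_URL]
    print("domain-only block:", verdicts(everything, blocked_hosts={rule[0]}))
    print("exact-URL block:  ", verdicts(everything, blocked_urls=set(OBSERVED_SCAM_URLS)))
    print("derived path rule:", verdicts(everything, rules=[rule]))
    print("white-list mode:  ", {u: allowlist_verdict(u, {"example.org"}) for u in everything})
```

Running it shows the three outcomes the post is getting at: blocking the whole hijacked domain also takes out its legitimate pages, blocking the exact URLs that were reported misses the next randomised path, and a rule keyed on the fixed prefix plus the token shape catches the unseen URL while leaving the legitimate pages alone. The white-list mode blocks the new site without any of that work, but only because it blocks everything it has never heard of.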

  • Hi Tim,

    thank you for taking the time to provide those details.

    I am not concerned for my MBP because I can cope, but my wife's; she wanders around the internet a lot and I have taken a lot of flak fixing broken access. I am disappointed, with multiple layers of protection, that this site was able to get through.

    This time it was a new site investigating a veterinary hospital for one of our cats. The URL must have been enclosed in some package, because it opened multiple screens and caused general noise-type panic.

    I examined the site and was not able to replicate the issue, so I have to assume the site admins had some security built in. When I opened their URL nothing happened other than the white box, and it was easily killed. I have not been able to find the site in any logviewer screen.

    I can't disable access to un/non-categorised sites because most, if not all, Sophos sites are not categorised.


    Ian

  • Quite often these pop-ups will appear because someone has mistyped google, by adding additional characters for example. This proxies to the real google so you think you're on the right site, and then when you run your search the results sit in an iFrame with the JavaScript running in the background; you think you're on the real site but you're not.

    The scammers are very sneaky and try whatever they can in order to find and entrap victims.

    So it may have actually been nothing to do with the site, but more so what happened before you connected to the site.
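One way to spot the mistyped-google case the post describes is to check the hosts in the proxy log against a short list of brand domains and flag anything one or two keystrokes away. The code below is an added example, not from the thread or from any Sophos product; the brand list, the log format, and all the log lines are constructed for the example. It goes one step beyond the post by also flagging a real brand name used as a subdomain of some other domain, which is a related trick, and it uses a naive "last two labels" rule in place of the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Assumed brand list for the example; a real deployment would maintain its own.
BRANDS = ["google.com", "gmail.com", "facebook.com", "paypal.com"]

# Constructed proxy log lines; the "<timestamp> <client> <method> <url>" layout is an
# assumption for this example and is not the XG logviewer format.
SAMPLE_LOG = """\
2021-03-02T10:01:05Z 192.0.2.10 GET https://www.google.com/search?q=vet+hospital
2021-03-02T10:01:09Z 192.0.2.10 GET https://www.gooogle.com/search?q=vet+hospital
2021-03-02T10:02:31Z 192.0.2.11 GET https://paypa1.com/login
2021-03-02T10:03:00Z 192.0.2.11 GET https://www.sophos.com/en-us/support
2021-03-02T10:03:44Z 192.0.2.12 GET https://google.com.example-login.net/
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive registrable domain: the last two labels.

    Real code should use the Public Suffix List so that names such as
    example.co.uk are handled; that is outside this example.
    """
    return ".".join(host.split(".")[-2:])


def typosquat_score(host, brands=BRANDS, max_distance=2):
    """Return (brand, reason) if host looks like a look-alike of a brand, else None."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in brands:
        return None  # the real brand domain, or a subdomain of it
    labels = host.split(".")
    for brand in brands:
        d = levenshtein(reg, brand)
        if d <= max_distance:
            return brand, f"registrable domain {reg!r} is {d} edit(s) from {brand!r}"
        bl = brand.split(".")
        if any(labels[i:i + len(bl)] == bl for i in range(len(labels) - len(bl) + 1)):
            return brand, f"{brand!r} embedded as a subdomain of {reg!r}"
    return None


def scan_log(text, brands=BRANDS):
    """Run typosquat_score over every URL in the log; return (host, brand, reason) hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlsplit(m.group(4)).hostname
        if not host:
            continue
        verdict = typosquat_score(host, brands)
        if verdict:
            hits.append((host, *verdict))
    return hits


if __name__ == "__main__":
    for host, brand, reason in scan_log(SAMPLE_LOG):
        print(f"{host:32} -> {brand:14} {reason}")
```

On the constructed log this flags www.gooogle.com and paypa1.com by edit distance and google.com.example-login.net by the embedded-brand check, while leaving www.google.com and www.sophos.com alone. An edit-distance threshold of 2 is deliberately loose; against short brand names it will produce false positives, so in practice the hits feed a review queue rather than an automatic block.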


  • Hi Tim,

    the issue wasn't user fingers, but an unclassified site. I have been working with the Sophos Home team; they investigated the site, found it was a new one, and submitted it for classification/categorisation.

    Also found I had ISP DNS issues which, when reset, cleared other little issues.

    Now waiting for the new MR-1 so I can get mail scanning working again.

    Ian

  • Won't really matter now. I reported it and it was taken down in a matter of hours from the other end; I find it quicker to do that than wait for a 3rd party to add it to a block list. Deal with it from the source.


    As for the mistype: I mean that someone could have mistyped a URL which then redirects to this one. It's the common practice scammers use to gain access.

  • Hi Tim,

    who did you report it to?

    Yes, could have been a mistype at the source, I hadn't considered that.

    Thank you

    Ian

  • It was being hosted by a company called Digital Ocean. I just dropped them an e-mail with the evidence and they do their stuff.


    Hosts take this very seriously and will act very quickly, faster than getting sites classified and added to firewall rules.