Have you ever wonder based on what VirusTotal gives you the outcomes? The greater part of individuals thinks there must be a 50 or more antivirus scanners which truly examines the URL however the truth of the matter is diverse. In this article you will know how VirusTotal functions
VirusTotal is an assistance that utilizes a few command line variants of antivirus engines, refreshed consistently with legitimate signatures, databases, documents distributed and checked by particular security specialists.
VirusTotal is not a actual virus scanner which run scan checks on the web-application or software's it is just take it's history information from various database, you will know how by one of my example.
On a bustling day while working a some of the client reported a suspicious email and it's contains the URL connect including social engineering content and I began inspect it as a part of my Investigation.
Unfortunate propensities and sluggishness of the majority of cyber security specialists is whatever it is they simply put it in VirusTotal or any online sandbox and whatever the result out they believe it, This resembles general practice for everybody.
I did likewise and got VirusTotal clean report. Here it is :
URL was https://pendingoffice365onlinelogins.wordpress.com/releasepending/
But I barely trust anything over internet i continued to investigate and was checking website source code and found that there was an redirection URL.
window.location.replace("https://servnet.pressvp-net.xyz/?e=Y2hhbmdlZCBlbWFpbCBhZGRyZXNzIGZvciBibG9n==");
After verifying the URL seen that page asking for O365 login credentials which is again looks suspicious as the URL is something different and again started investigating source code and found that credentials stored at another server and there were no activity after.
<div class="mainContent"><div class="menu_login_container"><form method="POST" action="o365login/post.php" id="login_form">
$habbo = $_POST['email'];
$password = $_POST['pass'];
$ip = $_SERVER['REMOTE_ADDR'];
$f = fopen("password.html", "a");
And afterward I am confirmed this is a phishing web page and all around made a completely imperceptible as the redirections was utilized nicely.
Not all the cyber security tools or software's verify this sort of conduct and that is the reason must need a manual investigation to check.
I chose to report a site immediately with the goal that others will realize this URL is Phishing URL, I love revealing bad things. So, i decided to report page on PhishTank so that other experts will also confirms the webpage as Phishing or Malicious.
Reporting is simple just click on "Add Phish" and provide your URL and basic info and wait for sometime to pick up by some experts and verify your URL
After checked as a legitimate phish, databases gets refreshed in back-end by Well known security sellers and VirusTotal refreshed its database excessively brisk.
First scanned before investigation and reporting a site as a phishing on 22-10-2019 03:12 UTC and the result was clean.
Below is the result of latest scan of 22-10-2019 03:56 UTC (Approx. 40 mins to update DB)
Result as of 2020-02-03 14:08:16 UTC
Now you maybe have an question what i did about redirected login page URL? which is https://servnet.pressvp-net.xyz/?e=Y2hhbmdlZCBlbWFpbCBhZGRyZXNzIGZvciBibG9n== and yes i reported and get verified as well so you can still find this URL as malicious.
Where and what to report and verify if you find something suspicious or malicious
• There are various valid forums and vendors which offers to verify phishing links, malicious files, IP address, Hashes You just need to submit it experts will verify or you can also verify for others and rate it.
• Such as Google safe browse, Trend Micro, PhishTank, Fortiguard, AbuseipDB.
Conclusion :
VirusTotal simply aggregates the output of different antivirus vendors and URL scanners, it does not produce any verdicts of its own.
VirusTotal is an assistance that utilizes a few command line variants of antivirus engines, refreshed consistently with legitimate signatures, databases, documents distributed and checked by particular security specialists.
VirusTotal is not a actual virus scanner which run scan checks on the web-application or software's it is just take it's history information from various database, you will know how by one of my example.
On a bustling day while working a some of the client reported a suspicious email and it's contains the URL connect including social engineering content and I began inspect it as a part of my Investigation.
Unfortunate propensities and sluggishness of the majority of cyber security specialists is whatever it is they simply put it in VirusTotal or any online sandbox and whatever the result out they believe it, This resembles general practice for everybody.
I did likewise and got VirusTotal clean report. Here it is :
URL was https://pendingoffice365onlinelogins.wordpress.com/releasepending/
But I barely trust anything over internet i continued to investigate and was checking website source code and found that there was an redirection URL.
window.location.replace("https://servnet.pressvp-net.xyz/?e=Y2hhbmdlZCBlbWFpbCBhZGRyZXNzIGZvciBibG9n==");
After verifying the URL seen that page asking for O365 login credentials which is again looks suspicious as the URL is something different and again started investigating source code and found that credentials stored at another server and there were no activity after.
<div class="mainContent"><div class="menu_login_container"><form method="POST" action="o365login/post.php" id="login_form">
$habbo = $_POST['email'];
$password = $_POST['pass'];
$ip = $_SERVER['REMOTE_ADDR'];
$f = fopen("password.html", "a");
And afterward I am confirmed this is a phishing web page and all around made a completely imperceptible as the redirections was utilized nicely.
Not all the cyber security tools or software's verify this sort of conduct and that is the reason must need a manual investigation to check.
I chose to report a site immediately with the goal that others will realize this URL is Phishing URL, I love revealing bad things. So, i decided to report page on PhishTank so that other experts will also confirms the webpage as Phishing or Malicious.
Reporting is simple just click on "Add Phish" and provide your URL and basic info and wait for sometime to pick up by some experts and verify your URL
After checked as a legitimate phish, databases gets refreshed in back-end by Well known security sellers and VirusTotal refreshed its database excessively brisk.
First scanned before investigation and reporting a site as a phishing on 22-10-2019 03:12 UTC and the result was clean.
Below is the result of latest scan of 22-10-2019 03:56 UTC (Approx. 40 mins to update DB)
Result as of 2020-02-03 14:08:16 UTC
Now you maybe have an question what i did about redirected login page URL? which is https://servnet.pressvp-net.xyz/?e=Y2hhbmdlZCBlbWFpbCBhZGRyZXNzIGZvciBibG9n== and yes i reported and get verified as well so you can still find this URL as malicious.
Where and what to report and verify if you find something suspicious or malicious
• There are various valid forums and vendors which offers to verify phishing links, malicious files, IP address, Hashes You just need to submit it experts will verify or you can also verify for others and rate it.
• Such as Google safe browse, Trend Micro, PhishTank, Fortiguard, AbuseipDB.
Conclusion :
VirusTotal simply aggregates the output of different antivirus vendors and URL scanners, it does not produce any verdicts of its own.
Nice write-up in detail, keep it up.
ReplyDeleteSubscribing your threads
I was living in fake world bruh, thanks for bringing me in real world lmao.
ReplyDeleteThis is a basic not an too advanced research, sadly people even don't know the basics
ReplyDeleteonline sms activation
ReplyDeletePVA phone verification
pva pins sms