KenB

Suspicious Host Detected ... Am I Infected?


PROBLEM

When I open FireFox ... EAM Surf Protection detects and blocks a suspicious host identified as "insidesalesemail.com"

DETAILS OF THE DETECTION FROM THE LOG

4/20/2018 11:47:37 AM
Surf Protection detected suspicious host "insidesalesemail.com" (SHA1: EF45D0C407D2987B2EDB3DD76967E1B16BD6C1C8)

4/20/2018 11:47:37 AM
A notification message "insidesalesemail.com is a known phishing host and was blocked." has been shown

4/20/2018 11:47:37 AM
Blocked by rule

WHEN DOES IT HAPPEN

This happens only when I open FireFox. It doesn't happen with Edge. It doesn't happen when browsing.

WHAT I'VE DONE

I've run EAM Malware and Custom scans and there have been no detections.

QUESTION

Do I have a problem here? What should my next action be?

SYSTEM SPECS

Windows 10 Home x64 v1709 build 16299.371

EAM v2018.3.1.8572

FireFox x64 v59.0.2

Thanks!

KenB


What do you have set as your browser homepage(s)?

Do you run a current version of Firefox (eg v59.0.2) or something much older?

Do you run any extensions apart from the basic ones shipped with Firefox?    Eg, I have no "extensions" at all, and only three "add-ons" - OpenH264 Codec, Widevine Content Decryption and Flash (which these days is rarely active).

If you have Add-ons, it might be worth trying Help -> Restart with Add-ons Disabled to see if that helps. 

If not, what you describe rather implies that (in the simplest case) your Firefox shortcut has had a URL inserted into it, or something in your profile has had the URL inserted, maybe as a saved preference. You might be able to find that by searching inside your profile folder. Firefox actually has two profile folders - you can find their locations via the URL about:profiles (all the "about:" things show internal FF stuff). The first profile listed contains things you'd recognise as user preferences, history etc, while the second one has 'system' data that FF manages on your behalf, eg caches, its own list of suspicious hosts etc. The latter was originally one system-wide folder but these days, with Windows keeping all user data separate from that of other users, it has a copy of this folder per user as well.


@JeremyNicoll

I have Google as my homepage but the problem does not go away when I change to something different.

As reported I am using FireFox 59.0.2 ... the latest

Nothing found in the shortcut.

The problem remains when I run FireFox in safe mode with all extensions disabled.

Nothing found in either profile folder.

Nothing found in about:config

Looks like removing FireFox and reinstalling it from a newly downloaded file is the next step.

Any other suggestions?

Thanks!

KenB


Now the problem isn't happening ... beats me why. Hmm ... stay tuned ... I'll post again if the problem comes back.

KenB


When you start FF, what have you told FF to display? Just your homepage, or whatever tabs were in use before, or what? If it's the "tabs I was using before" option then it may just be the list of in-use tabs that's reloading that URL... and of course it's not necessarily a URL that you yourself have picked; it may be a link that's buried on one of your intended pages.

FF has options that control whether it attempts to start the process of fetching things that you've not clicked on, but might click on.  That might include doing a DNS lookup of a URL, which I think is what EAM intercepts.  You might want to read about 'prefetch' at: https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections

If it continues happening, I'd suggest you enable Tools -> Web Developer -> Browser Console, which gives you access to an internal log of everything your browser is doing. Don't pick the similarly named Web Console, which only applies to the page you opened it from. If you turn on all the logging options then refresh each webpage in turn you might (a) get another intercept from EAM, and (b) be able to see in the log what caused it. You'd need to read about how the consoles work, at: https://developer.mozilla.org/en-US/docs/Tools/Browser_Console

The help info for tools like the Browser Console changes frequently as Mozilla add more and cleverer facilities into their logging options.  I don't actually know if the logs will show what you need, but it's useful to know what they can show you... 

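Jeremy's prefetch suspicion can be checked directly against a profile's prefs.js. The following is an added example, not code from this thread or from Emsisoft or Mozilla: it parses user_pref() lines, reports which of the automatic-connection preferences named in the linked Mozilla article are still at a value that lets Firefox open connections you never clicked on, and emits a user.js fragment that turns them off. The sample prefs.js text is constructed for the example, and the listed default values are assumed from Firefox's shipping configuration.

```python
import json
import re

# Firefox preferences that trigger connections/DNS lookups the user never clicked on.
# Each entry: pref name -> (value that stops the behaviour, assumed Firefox default).
PREFETCH_PREFS = {
    "network.prefetch-next": (False, True),                 # <link rel=prefetch>
    "network.dns.disablePrefetch": (True, False),           # DNS prefetch of links
    "network.predictor.enabled": (False, True),             # network predictor
    "network.http.speculative-parallel-limit": (0, 6),      # speculative connects
    "browser.urlbar.speculativeConnect.enabled": (False, True),
}

# user_pref("name", true); user_pref("name", 6); user_pref("name", "text");
_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')

# Constructed sample prefs.js content (not the poster's real profile).
SAMPLE_PREFS_JS = '''\
user_pref("browser.startup.homepage", "https://www.google.com/");
user_pref("network.dns.disablePrefetch", true);
user_pref("network.predictor.enabled", true);
'''

def parse_prefs(text):
    """Parse user_pref() lines from prefs.js / user.js into a dict of typed values."""
    prefs = {}
    for name, raw in _PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def audit_prefetch(prefs):
    """Return {pref: effective value} for every pref still allowing automatic connections.
    A pref absent from prefs.js is at its Firefox default, so the default is what counts."""
    weak = {}
    for name, (hardened, default) in PREFETCH_PREFS.items():
        value = prefs.get(name, default)
        if value != hardened:
            weak[name] = value
    return weak

def hardened_user_js():
    """Emit user.js lines that turn each automatic-connection feature off."""
    return "\n".join(f'user_pref("{n}", {json.dumps(h)});' for n, (h, _) in PREFETCH_PREFS.items())

if __name__ == "__main__":
    for name, value in audit_prefetch(parse_prefs(SAMPLE_PREFS_JS)).items():
        print(f"still making automatic connections: {name} = {value}")
    print(hardened_user_js())
```

Running it against a real profile means reading prefs.js from the folder about:profiles points at instead of SAMPLE_PREFS_JS; user.js overrides prefs.js on the next start.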

Well ... as of now the problem has not reoccurred again.

I was gonna clear cookies yesterday but the problem went away before I got around to doing it. I cleared 'em this AM just to be sure but as I said the problem seems to have gone away, so unless it comes back I'll never know if cookies were involved.

The suspicious host caught by EAM is insidesalesemail.com. EAM initially blocked it when I went to jameshardie.com in FF ... then the little beasty decided it also wanted to open when I first started FF. There was no problem with it in Edge. James Hardie is a manufacturer of fiber cement siding for homes.

I have FF set up to open on the Google search page ... I don't have it set up to load stuff from my last session.

FF prefetching ... GOOD IDEA ... that certainly sounds like a possible culprit and it's enabled in my FF.

If this happens again I'll see what I can find in the Browser Console.

Thanks Jeremy!

KenB


The website in question was added for phishing, and it was added automatically because it appeared in a blacklist that we usually consider trustworthy. Considering that no one else appears to detect this website, I've asked our malware analysts if it is a false positive.


I've been told that we've delisted the website you reported, and it will no longer be detected. This means that the website should be safe.


Thanks Arthur!

It's soooo nice to do business with a company that talks to its users and stays on top of things!

KenB
