MacDefender

Level 12
Verified

I just got this PDF scam saying that my iCloud account was locked. The link to "reset" my password goes to an obvious phishing scam. Unfortunately, F-Secure, Chrome, and MS Edge Chromium all happily allow me to visit the site.

The URL is in the VirusTotal link and I detected no drive-by malware from visiting the site itself through a VPN. But I found it shocking that nothing on VirusTotal detected the link.

Anyone care to test more AV software?
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Good catch!

I tested the link on AnyRun and in Opera it didn't open at all, but in Chrome it connected to a site and page I recalled seeing somewhere before.
 

MacDefender

Level 12
Verified
Please take care of your email address. It is not a good thing to receive things like this. Considering the age of the host, you might be in the top 10 list to receive this.
Hope you haven't clicked or downloaded any suspicious attachments / links like that. Disasters are beyond imagination.

Yeah I took a look at the header, it was delivered to one of my open source aliases -- 10 years ago I was a pretty prominent open source figure with a well publicized email address.

And indeed, I took several precautions when analyzing this link. It was also embedded in a PDF which could've been an exploit vector in and of itself.

Just for clarity, I was aware from the beginning that this was a phishing link. I was just curious how well the various browsing protection software out there would guard against this if I pretended to be dumb and fell into the phishing trap. It was surprising to me that the only 3 products that detected it were arguably enterprise-only.
 

MacDefender

Level 12
Verified
Adding Bitdefender, Malwarebytes, ESET to this list.
Wow! So at this point it's probably over 90% of the installed base of antimalware software that doesn't see anything wrong.

The site itself has typos, appears pixelated (screenshot-based) on my 4K display, and has a lot of "Apple" links that go to long suspicious URLs. I think we talked about some products (G DATA?) investing in machine learning / AI to recognize phishing, but that seems like it should be the right approach to detect stuff like this.

I think most of us, as malware enthusiasts, can take one look at the website and laugh about how obviously fake it looks. It seems like it should be possible to teach a browser plugin the same thing!
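The cues listed in this post (brand-named links pointing at long URLs on unrelated hosts, a page assembled from screenshots, a credential form posting elsewhere) can be turned into simple checks over a saved copy of the page. The following is an added example, not code from this thread or from any of the products named in it; the brand/domain table, the length threshold and the sample HTML are constructed for illustration only.

```python
"""Heuristic scorer for a suspected phishing page (added example).

The brand/domain allow-list, the LONG_URL threshold and the sample page
below are constructed assumptions, not data from the thread.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> domains that legitimately serve it.
BRAND_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "icloud": {"apple.com", "icloud.com"},
}
LONG_URL = 80  # hypothetical threshold for a "long suspicious URL"


class PageFeatures(HTMLParser):
    """Collects anchors, form actions, image count and visible text."""

    def __init__(self):
        super().__init__()
        self.links = []        # (visible link text, href)
        self.forms = []        # form action URLs
        self.images = 0
        self.text_chars = 0    # characters of selectable text
        self._open_a = None    # [href, accumulated text] while inside <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._open_a = [a.get("href", ""), ""]
        elif tag == "form":
            self.forms.append(a.get("action", ""))
        elif tag == "img":
            self.images += 1

    def handle_endtag(self, tag):
        if tag == "a" and self._open_a is not None:
            href, text = self._open_a
            self.links.append((text.strip(), href))
            self._open_a = None

    def handle_data(self, data):
        if self._open_a is not None:
            self._open_a[1] += data
        self.text_chars += len(data.strip())


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def same_brand_domain(host, brand):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def score_page(html, page_url):
    """Return (score, reasons); each reason is one triggered heuristic."""
    f = PageFeatures()
    f.feed(html)
    page_host = host_of(page_url)
    reasons = []

    # The page's own host name borrows a brand word it is not authorised for.
    for brand in BRAND_DOMAINS:
        if brand in page_host and not same_brand_domain(page_host, brand):
            reasons.append(f"page host {page_host} impersonates {brand!r}")

    for text, href in f.links:
        host = host_of(href)
        if not host:
            continue  # relative link, nothing to compare against
        for brand in BRAND_DOMAINS:
            if brand in text.lower() and not same_brand_domain(host, brand):
                reasons.append(f"link text mentions {brand!r} but points to {host}")
        if len(href) > LONG_URL:
            reasons.append(f"unusually long URL ({len(href)} chars) to {host}")

    # A login form that submits to a host other than the page itself.
    for action in f.forms:
        host = host_of(action)
        if host and host != page_host:
            reasons.append(f"form posts credentials to third-party host {host}")

    # Screenshot-built pages: several images and almost no real text.
    if f.images >= 3 and f.text_chars < 200:
        reasons.append("page is mostly images with little selectable text")

    return len(reasons), reasons


# Constructed sample resembling the page described in the thread.
SAMPLE_URL = "https://icloud-account-locked.example.com/reset"
_LONG_HREF = "https://account-verify.example.net/session/" + "a" * 70 + "/login"
SAMPLE_HTML = f"""<html><body>
<img src="header.png"><img src="body.png"><img src="footer.png">
<p>Your Apple ID has been locked. Please verify your account details.</p>
<a href="{_LONG_HREF}">Apple Support</a>
<a href="https://apple.com/legal">Privacy Policy</a>
<form action="https://collector.example.org/post" method="post">
<input name="appleid"><input name="password" type="password">
</form></body></html>"""

if __name__ == "__main__":
    score, why = score_page(SAMPLE_HTML, SAMPLE_URL)
    print(f"score={score}")
    for r in why:
        print(" -", r)
```

The scorer only looks at the saved HTML, so it can be run on a captured page without ever loading the live site; a browser extension would apply the same checks to the DOM before rendering. Each reason is kept as text so an analyst can see which cue fired rather than just a number.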