www.tyrexinc.com

SeanW
Posts: 119
Joined: Wed Nov 19, 2008 12:44 am

www.tyrexinc.com

Post by SeanW » Wed Dec 22, 2010 6:59 pm

Ok, I need some help with this. From time to time I have seen websites that are primarily legitimate, but where hackers will compromise the site and drop in a subfolder containing webpages that serve as a phishing scam.

In all cases where I encounter this, there is always a good site at the root of a subfolder tree containing a phishing scam, e.g:
www.legitimatecompany.com/phishingscam/GimmeYourLogin

One such case I encountered today and here is the sequence of events.
  1. I check my email, find a phishing scam for Bank Of America, open it, follow the link, get to a page on tyrexinc.com/... something.
  2. Clicking the link verified my first suspicion that it is a phish, but the URL raises the prospect that it was a good site compromised to host the scam.
  3. Further investigation suggests strongly that Tyrex Inc is legitimate and my succeeding suspicions were also accurate.
  4. I contacted their company's support email indicating what had happened and suggested they remove the folder and tighten security.
  5. A few hours later the phishing pages are gone, so I turn my attention to the site's WOT rating where I place a green mark+comment.
So I would ask my fellow reviewers to help make WOTs rating reflect the updated situation by marking the site safe, preceded of course by whatever investigations you consider appropriate.

Thanks In Advance
- Sean

Guest

Reasoning

Post by Guest » Wed Dec 22, 2010 8:40 pm

@ SeanW,

Your reasoning seems sound, but you made a couple of leaps there. Did you run a Google Safe Browsing check on Tyrexinc.com?

SeanW
Posts: 119
Joined: Wed Nov 19, 2008 12:44 am

RE: Reasoning

Post by SeanW » Wed Dec 22, 2010 9:44 pm

I use Firefox so I get those Google warnings of reported phishes and attack pages. At least I think they're from Google.

When I first viewed the site and the phish page, I got that red-on-gray warning page and clicked "Ignore".

Now, when I visit the domain I no longer get the warning.

That having been said, I could probably use some advice on how to check manually. Please also feel free to elaborate where I "made a couple of leaps," if I missed something important in my (cursory) investigation I would like to know.

c۞g
Posts: 21225
Joined: Mon Jan 05, 2009 4:02 am

RE: www.tyrexinc.com

Post by c۞g » Wed Dec 22, 2010 9:55 pm

In the meantime...
Other sources may catch the phishing URL, such as PhishTank, which is also a trusted source in WOT. If PT includes the domain in their database, WOT's site scorecard will reference it.

There is also Clean-MX, for example, that may catch it as well, along with Firefox and/or OpenDNS.
Normally, when I rate a compromised site for phishing or malware, my ratings remain until someone (domain owner, WOT user, etc.) alerts me. I'll then check my reference and verify that the source is no longer available. I also check for new occurrences, and if any are found, the ratings remain.

From experience, there is much more time than a "few hours" that go by once a site is compromised to when the problem is resolved...
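One way to turn the rule in the post above (ratings stay until every recorded phishing URL on the host is gone and nothing new has appeared since the alert) into a repeatable check. This is an added example, not code from the thread or from WOT/PhishTank; the FeedEntry fields and the sample feed are constructed, and legitimatecompany.com is the placeholder name used earlier in the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit


@dataclass
class FeedEntry:
    """One record from a phishing feed. Fields are assumed for this example,
    not PhishTank's real schema."""
    url: str
    first_seen: datetime
    online: bool  # did the phishing page still answer when last checked?


def host_of(url: str) -> str:
    """Normalise a URL to its hostname, dropping a leading 'www.'."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def keep_phishing_rating(domain: str, feed: list, alerted_at: datetime) -> tuple:
    """Decide whether a phishing rating on `domain` should stay after someone
    alerts the rater at `alerted_at`. Keep it if any recorded URL on the host
    is still online or any new occurrence was first seen after the alert.
    Returns (keep, reasons)."""
    host = host_of("http://" + domain)
    hits = [e for e in feed if host_of(e.url) == host]
    if not hits:
        return False, ["no phishing URLs on record for this host"]
    reasons = []
    for e in hits:
        if e.online:
            reasons.append(f"still online: {e.url}")
        if e.first_seen > alerted_at:
            reasons.append(f"new occurrence after alert: {e.url}")
    if reasons:
        return True, reasons
    return False, [f"all {len(hits)} recorded URL(s) offline, none newer than the alert"]


# Constructed sample feed: two takedown-confirmed pages on the compromised site
# (one reported after the owner was alerted) and an unrelated live phish.
T0 = datetime(2010, 12, 22, 12, 0)          # time of the alert to the site owner
T1 = T0 + timedelta(days=1)                  # a re-check one day later
SAMPLE_FEED = [
    FeedEntry("http://www.legitimatecompany.com/phishingscam/GimmeYourLogin", T0 - timedelta(days=1), False),
    FeedEntry("http://legitimatecompany.com/phishingscam/login2", T0 + timedelta(hours=5), False),
    FeedEntry("http://other.example/bank/", T0 - timedelta(days=3), True),
]

if __name__ == "__main__":
    print(keep_phishing_rating("legitimatecompany.com", SAMPLE_FEED, T0))
    print(keep_phishing_rating("legitimatecompany.com", SAMPLE_FEED, T1))
```

Run against a real feed export, the same function answers the question the post raises: whether a "few hours later it's gone" report is enough to clear a rating, or whether a newer occurrence means it stays.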

Guest

Assumptions

Post by Guest » Wed Dec 22, 2010 11:19 pm

@ SeanW,

"also feel free to elaborate where I "made a couple of leaps," if I missed something important in my (cursory) investigation I would like to know."
It's not that you "missed something", it's more that you made some assumptions which could only be verified by manual checking, as you've realized.

Are they reasonable assumptions . . . probably. I'm using "leap" to mean "assumption". Had I said "outrageous leaps", maybe that would have been out of the realm of assumptions. But they are assumptions nonetheless. My main concern is that some certain individuals will take your assumptions as "gospel" and downrate with no further due diligence.

Are your assumptions red flags? Yes, and they indicate the need for scrutiny.

Now, let me specify what I saw as assumptions.

"Clicking the link verified my first suspicion that it is a phish, but the URL raises the prospect that it was a good site compromised to host the scam."
You used the word "suspicion", which as far as I understand it means it's an assumption. You also said "raises the prospect", which again indicates an assumption.

At this point I'll repeat: Were they reasonable assumptions? Probably. Are they red flags that call for further scrutiny? Definitely.

Will they prompt some individuals to rate based only on those assumptions? Unfortunately, they probably will.

"Further investigation suggests"
Another assumption. Reasonable? Probably, but an assumption nevertheless.

And there's definitely a "cause and effect" assumption (and these can be shaky) between your 4. and 5. items.

Plus you said that you marked the site green, and it seems you did so based on these assumptions alone. It may very well be safe, and for the reasons that you assumed, but since you've probably achieved some regard as a rater, others may be tempted to follow your lead, and their ratings would likely be based on those same assumptions ONLY.

Had you not made the comment about rating, I probably wouldn't be any more concerned about an assumption that leads to more scrutiny . . . which I'm never concerned about at all, and I think it's good to show that there's good cause for "suspicion". But the fact that you mentioned you rated, and implied that rating was connected to the assumptions, is what concerns me about those "leaps" (especially the one between 4 and 5).
