Google user
Original Poster
Feb 17, 2022

Hoping for advice to clear up Deceptive/Harmful site warnings in possibly a unique situation

Greetings. I help with security for a domain that we just verified with GSC. We had bad actors entering malicious content that would try and make people think that they were logging into YouTube or Facebook when they were not.

Around December 1st we did a major cleanup (across tens of thousands of subdomains that we host). To the best of our knowledge, we've rid all of our subdomains of content that resembled the 2021 incidents.

We requested a review that indicated "Review successful for [domain name]" and that the harmful site warnings would be removed on Feb 13th. That was great to see after the cleanup efforts.

However, shortly after this on Feb 13th (and again today), before any deceptive warnings cleared up, we received false positive "harmful content" warnings. The thing is, these new harmful content warnings are triggering on pages on our site that let customers log in to administrate their online stores (or let their own customers log into their stores).

We're a site that lets people create online stores easily so it was a natural target for people trying to do malicious phishing campaigns. Hoping to resolve this without hitting "Request Review" too many times because I've read that it can complicate the process.

We've written special tools to detect and mitigate attacks of a similar nature (arbitrary script tags) in the future.
All Replies (5)
Google user
Original Poster
Feb 25, 2022
If it is helpful to diagnose or advise, here is an example store account that I created on Dec 6th, 2021:

https://309h30651991201.3dcartstores.com/

It's a totally blank slate that hasn't been customized yet, but it seems all of our subdomains are automatic warnings.
Feb 25, 2022
I'd check support of the cart you are using.
https://www.3dcartstores.com/ says "The Page You're Looking for is No Longer Active"
 
The URL may have changed. Check setup to be sure only 301 redirects are used.
 
My site or software is marked dangerous or suspicious
 
Last edited Feb 25, 2022
Feb 28, 2022
Harmful and destructing app malware set up
Google user
Original Poster
Feb 28, 2022
So www.3dcartstores.com is not intended to be an active store, just to clarify. Users create stores through a rebranded domain, shift4shop.com.

If, for example, you were to try and sign up for a Shift4Shop, until you configure a customized domain for the store that you just created it still gets assigned a rather random-looking subdomain under the 3dcartstores.com domain (For legacy reasons. This would eventually be a shift4shops.com or similar domain name as these get migrated).

We have tens of thousands of these subdomains for stores that have been registered, whether the creator ever chose to configure and Go Live with their store or not.

We received another "Review successful for 3dcartstores.com" notice that indicates the deceptive classification would clear up soon. This notice was on Feb 26th. But then another alert came in on Feb 28th after this indicating "Social engineering content detected".

However this latest alert for social engineering content does not provide us with any sample URLs.

Over the weekend we crawled all of our web stores' index pages and we have a spreadsheet containing every single external iframe, script, and meta-refresh URL. The moment we know what markup or external references are malicious we now have data that can tie us back to any other stores containing this. 

Additionally one of our web security scanning vendors (Qualys WAS) indicated that it would be hard for them to detect this for us given the arbitrary string nature of any given phishing campaign. We're hoping that the data collected could lead us to undiscovered store URLs that are not legitimate but we have cleaned up the domain to the best of our knowledge thus far.
Last edited Feb 28, 2022
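The cross-referencing described in the Feb 28 post above (record every external iframe, script, and meta-refresh URL per store, then pivot from one known-bad reference to every store that carries it) could look like the following. This is an added example, not part of the original post and not the poster's tooling; the store hostnames, external hosts, and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample crawl output: {store index URL: HTML}. All hosts are hypothetical.
SAMPLE_PAGES = {
    "https://store-a.stores.example/":
        '<script src="/assets/app.js"></script>'
        '<script src="https://widgets.example.net/w.js"></script>',
    "https://store-b.stores.example/":
        '<meta http-equiv="Refresh" content="0; URL=https://login-portal.example.org/fb">'
        '<iframe src="//widgets.example.net/frame"></iframe>',
    "https://store-c.stores.example/": '<IFRAME SRC="https://login-portal.example.org/yt"></IFRAME>',
}

class RefParser(HTMLParser):
    """Collects (tag, absolute URL) for script/iframe src and meta-refresh targets."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.refs = page_url, []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        a = {k: (v or "").strip() for k, v in attrs}
        target = a.get("src") if tag in ("script", "iframe") else None
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content", ""), re.I)
            target = m.group(1) if m else None
        if target:  # urljoin resolves relative and protocol-relative (//host/..) URLs
            self.refs.append((tag, urljoin(self.page_url, target)))

def external_refs(page_url, html):
    """References whose host differs from the store's own host."""
    parser = RefParser(page_url)
    parser.feed(html)
    own = urlparse(page_url).hostname
    return [(k, u) for k, u in parser.refs if urlparse(u).hostname not in (None, own)]

def build_index(pages):
    """Inverted index: external host -> set of store URLs that reference it."""
    index = defaultdict(set)
    for store_url, html in pages.items():
        for _kind, url in external_refs(store_url, html):
            index[urlparse(url).hostname].add(store_url)
    return index

def stores_referencing(index, bad_host):
    """Pivot: every store carrying a reference to a host confirmed as malicious."""
    return sorted(index.get(bad_host.lower(), ()))
```

This indexes only the static markup of each index page; a reference that a script injects at runtime would not appear in it.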
Google user
Original Poster
Mar 1, 2022
Would it possibly help if we made www.3dcartstores.com redirect to www.shift4shop.com, using a 301 redirect?
Last edited Mar 1, 2022