False Positive | 1inch-io-app.pages.dev #1012

Open
NikitaVr opened this issue Jan 10, 2025 · 4 comments
@NikitaVr

What are the subjects of the false-positive (domains, URLs, or IPs)?

Why do you believe this is a false-positive?

This site belongs to the company https://1inch.io/

I am the co-founder of ChainPatrol, a Brand-Protection provider in the Web3 Space. We work directly with the 1inch team and recently detected this false positive across many security vendors on VirusTotal. We are currently working to have this domain removed from many blocklists, and have already successfully done so with many other providers.

How did you discover this false-positive(s)?

VirusTotal

Where did you find this false-positive if not listed above?

I discovered this false-positive by...

Have you requested a review from other sources?

Yes, we have requested reviews from all providers flagging on VirusTotal and are making progress.

Do you have a screenshot?

CleanShot 2025-01-10 at 13 48 49@2x

Additional Information or Context

No response

@phishing-database-bot
Member

Verification Required

@NikitaVr, thank you for submitting a false positive report! To help us verify your ownership of the affected domain(s), please complete the following steps:

  1. Set a DNS TXT record for the domain(s) listed in this issue with the following details:

    • Record Name: _phishingdb
    • Record Value: antiphish-a5823e5165f7c8295128a2e7e7a4439d88fc0f0d

    Your Verification ID: antiphish-a5823e5165f7c8295128a2e7e7a4439d88fc0f0d

  2. Wait for DNS propagation (this may take a few minutes to a few hours).

  3. Reply to this issue once the TXT record has been set.

Important Notes

  • Verification does not guarantee whitelisting. The Phishing.Database team will review your report after verifying ownership, but the decision to whitelist depends on further investigation and analysis.
  • If the record cannot be set or you need alternative methods of verification, please contact us at [email protected] - preferably from the domain's official email address.

How to Check the TXT Record?

You can verify that the TXT record is properly set using:

Thank you for your cooperation! We will address your issue as soon as possible after verification.

The Phishing.Database Project Team.
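A check for the TXT record described in steps 1 to 3 above, as an added example that is not part of the bot's message or of the Phishing.Database project's own code: it parses `dig +short TXT` output and looks for the verification ID. The exact-match rule, the joining of split chunks, `example.com` and the shortened ID are assumptions made for the example.

```python
import re
import subprocess

RECORD_LABEL = "_phishingdb"  # record name given in step 1 of the bot's message

# One quoted chunk in TXT presentation format; \" and \\ escapes are handled,
# \DDD decimal escapes are not decoded.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def txt_query_name(domain: str) -> str:
    """Name to query: the record label placed under the reported domain."""
    return f"{RECORD_LABEL}.{domain.strip().rstrip('.').lower()}"

def parse_txt_answers(dig_short_output: str) -> list[str]:
    """Turn `dig +short TXT` output into one string per TXT record.

    A record may be printed as several quoted chunks on one line; the chunks
    are concatenated without a separator (assumption: the verifier does too).
    """
    records = []
    for line in dig_short_output.splitlines():
        chunks = _QUOTED.findall(line)
        if chunks:
            records.append("".join(re.sub(r"\\(.)", r"\1", c) for c in chunks))
    return records

def ownership_verified(dig_short_output: str, verification_id: str) -> bool:
    """True only if some TXT record equals the verification ID exactly."""
    return verification_id in parse_txt_answers(dig_short_output)

def fetch_txt(domain: str) -> str:
    """Live lookup (needs `dig` and network access); never called on import."""
    return subprocess.run(["dig", "+short", "TXT", txt_query_name(domain)],
                          capture_output=True, text=True, check=True).stdout

# Constructed sample outputs; the ID is a shortened placeholder, not a real one.
VID = "antiphish-0123456789abcdef"
SAMPLE_OK = '"v=spf1 -all"\n"antiphish-0123" "456789abcdef"\n'
SAMPLE_STALE = '"antiphish-0123456789abcdef-old"\n'
SAMPLE_EMPTY = ""

if __name__ == "__main__":
    print(txt_query_name("Example.com."))
    for sample in (SAMPLE_OK, SAMPLE_STALE, SAMPLE_EMPTY):
        print(ownership_verified(sample, VID))
```

For a live check, pass `fetch_txt("example.com")` (with the real domain) as the first argument of `ownership_verified`.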

NikitaVr changed the title from "False Positive | example.com" to "False Positive | 1inch-io-app.pages.dev" on Jan 10, 2025
@emidaniel

emidaniel commented Jan 11, 2025

See https://x.com/Phish_Destroy/status/1876342947966578765?mx=2
Phishtank entry is marked offline now. https://www.phishtank.com/phish_detail.php?phish_id=8930092

It's not referenced as legitimate on the official site (1inch.io).
My question is, how in the world is the end user supposed to verify the authenticity of a page hosted on a *.pages.dev domain? And if it's not supposed to be used by the general public, why not make it inaccessible and move it somewhere else to a legitimate-looking domain?

Are these by any chance also legitimate?
http://1inch-io-stage-app-euc1.s3-website.eu-central-1.amazonaws.com/index.html
http://staging-app.1inch.io.s3-website-us-west-1.amazonaws.com/

Basically, CF workers (or any other trash domain) + "connect wallet" interface = red rag to any detection engine. I think you'll continue getting FPs like this from time to time.

@spirillen
Contributor

spirillen commented Jan 11, 2025

Just for fun and backing up @emidaniel's statement...

Here is the list of pages.dev phishing records, all 24903 of them...

When I tried to publish the list...

There was a problem saving your comment. Your comment is too long (maximum is 65536 characters). Please try again.

@g0d33p3rsec

when tried to publish the list...

There was a problem saving your comment. Your comment is too long (maximum is 65536 characters). Please try again.

Here are a few related PRs: Phishing-Database/phishing#423 Phishing-Database/phishing#431 Phishing-Database/phishing#448 Phishing-Database/phishing#442
