
False Positive | shorten.tv shorten.so shorten.world centi.ai #988

Closed
megaworldai opened this issue Jan 6, 2025 · 13 comments
Labels: false positive (Should not be listed), question (Further information is requested), WIP


@megaworldai

What are the subjects of the false-positive (domains, URLs, or IPs)?

  • shorten.tv
  • shorten.so
  • shorten.world
  • centi.ai

Why do you believe this is a false-positive?

I believe this is a false-positive because:

We are SHORTEN WORLD at https://shortenworld.com/, who run a URL shortener service (this is one of our domains for shortening links).

This domain name itself has no content at all; it just redirects URLs with a 301.

Besides, our team always cleans up violating links daily.

Please help us check and whitelist our domain names.

Thank you very much!

Best Regards,

How did you discover this false-positive(s)?

VirusTotal

Where did you find this false-positive if not listed above?

I discovered this false-positive by scanning our domain names daily

Have you requested a review from other sources?

I have requested a review from: alphaMountain.ai, Antiy-AVL

Do you have a screenshot?

No response

Additional Information or Context

No response

@spirillen
Contributor

spirillen commented Jan 6, 2025

dataset extraction

wget -qO- 'https://phish.co.za/latest/ALL-phishing-links.lst' | grep -iE 'shorten\.(tv|so|world)|centi\.ai'
https://centi.ai/@metasupportads
https://centi.ai/@metasupportbusiness
https://centi.ai/@metasupportcase?id=/29012
https://centi.ai/@metasupportpage3?case?id=/43562
https://centi.ai/@pagecase2?http?id=69987
https://centi.ai/@pagehelp02?case?id=/55416
https://centi.ai/@pagehelp03?case?id=/775278
https://centi.ai/@pagehelp04?case?id=/65753
https://centi.ai/@pagehelp05?case?id=/27947
https://centi.ai/@pagehelp12?case?id=/22141
https://centi.ai/@pagehelp15?case?id=/74284
https://centi.ai/@pagehelp16?case?id=/45541
https://centi.ai/@pagehelp18?wet?id/45146&fbclid=IwZXh0bgNhZW0CMTAAAR0Lbt4JPqk0xelnekPblfM0KB3sqpFrcAWnspWVGSyq_m6E8eV7GoVltcY_aem_lb-PB_SsmiGavo7yPz6dmg
https://centi.ai/@pagehelp24?case?id=/26227
https://centi.ai/@pagehelp6
https://centi.ai/@pagehelp7?case?id=/29786
https://centi.ai/@pagehelpcase?id=/18810
https://centi.ai/@regulations
https://centi.ai/@restore?connect?id=/95400
https://centi.ai/@supportpage?case?id=/38425
https://shorten.so/MetaBusinessSupport
https://shorten.so/metaplatform
https://shorten.tv/@helpcontact854939854?fbclid=IwZXh0bgNhZW0CMTAAAR0AlBWT8tz2ATnLxZarfLrJKfzX-PTT2xLYu__SILtfzriXSPrd_VaQ_ec_aem_RKx-cZnVIEeJshcNUM3bDw
https://shorten.tv/MetaBusinessGuidance
https://shorten.tv/@servicesolutionssuppor
https://shorten.tv/@servicesolutionssupporid01001893256
https://shorten.tv/@urqo6
https://shorten.world/b-fUn

https://centi.ai/@metasupportads

Nasty js scripts


Unresponsive URIs

Until these domains are made public so we can access them, we are unable to complete this request

https://shorten.so/MetaBusinessSupport
https://shorten.so/metaplatform

Verdict

The rest of the addresses are returning 404.

Comment

I do believe these should be added to a cleaning up list, rather than a whitelist.

Relates to

@spirillen spirillen moved this from 🏗 In progress to 🚫 Blocked / Waiting in Phishing Database Backlog Jan 6, 2025
@spirillen spirillen added the question Further information is requested label Jan 6, 2025
spirillen added a commit to mypdns/matrix that referenced this issue Jan 6, 2025
@megaworldai
Author

Thank you so much!

All those links were deleted recently and automatically by our antivirus detection (using APIs from PhishTank and VirusTotal).

We only see this URL still active: https://shorten.world/b-fUn, but we have already removed it after your message.

The nasty JS scripts are just an advertising network from a 3rd party, not phishing content.

These URLs were also removed automatically by our antivirus detection. You could not access them; I think the operator network blocked the domain name. You could use a proxy or VPN to check:
https://shorten.so/MetaBusinessSupport
https://shorten.so/metaplatform

Please help to whitelist them, thank you so much!

spirillen added a commit to mypdns/matrix that referenced this issue Jan 6, 2025
@spirillen
Contributor

The nasty JS scripts are just an advertising network from a 3rd party, not phishing content.

Well, to me that is also the second nasty thing you show me, only overcome by dish washing...

I think the operator network blocked the domain name. You could use a proxy or VPN to check:

I always and only use Tor/VM for unknown sites, and every other spying site like GitHub, Alphabet, etc.

Still, not publicly accessible. You'll have to wait for others who have access to the walled garden.

The walled garden is 100% firewalled, and they love censoring the internet and protecting CP, phishing, malicious PUPs, etc.
Tor network rules, it's (almost) endless freedom

@g0d33p3rsec

g0d33p3rsec commented Jan 7, 2025

You'll have to wait for others who have access to the walled garden.

The only URI I see on urlscan is from September 26th 2024, https://shorten.so/metaplatform
https://urlscan.io/result/50b1345b-78b6-4d53-8cc6-228fc850de82/

It appears it was removed within 24 hours.
https://urlscan.io/result/b94acbd8-325b-47e0-8aa4-b3152885831d/

@spirillen All other links are returning either a 200 with an internal "Page not found" or a proper 404. Example:
https://urlscan.io/result/a8c84307-aa75-47fa-b471-6b3f06e991ae

@g0d33p3rsec g0d33p3rsec added the WIP label Jan 7, 2025
@g0d33p3rsec

I do believe these should be added to a cleaning up list, rather than a whitelist.

I added the WIP label for the time being

@spirillen
Contributor

spirillen commented Jan 7, 2025

I will not add these url_shorteners to any whitelists. They are high targets for attackers of any kind, and you never know where the F you end up. If they then just had a lookup tool on their front page, allowing standard users to look up at first, and made an API that could be implemented in browser add-ons, then I might be in a better mood for this.

My advice to @megaworldai will be: make your sites return a proper HTTP code that is unique for no longer active URLs, and I personally make the special rule for @PyFunceble to have your links removed.

Your best choice should be the HTTP code 410 (Gone)

Indicates that the resource requested was previously in use but is no longer available and will not be available again. This should be used when a resource has been intentionally removed and the resource should be purged. Upon receiving a 410 status code, the client should not request the resource in the future. Clients such as search engines should remove the resource from their indices. Most use cases do not require clients and search engines to purge the resource, and a "404 Not Found" may be used instead.
source: https://en.wikipedia.org/wiki/List_of_HTTP_status_codes
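
One way the 410 advice above could work on both sides, as an added example that is not part of the thread and not PyFunceble's or the shortener's code: a hypothetical shortener lookup (`resolve`) and a list-cleanup rule (`cleanup_action`) that also covers the 200 "Page not found" pages reported earlier in the thread. The link table, the function names and the keep/purge/retest policy are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed link table for a hypothetical shortener: slug -> (state, target)
LINKS = {
    "docs": ("active", "https://example.org/docs"),
    "promo1": ("removed", None),  # taken down by the operator after an abuse report
}


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""


def resolve(slug: str) -> Response:
    """Shortener side: 301 for live links, 410 for removed ones, 404 otherwise."""
    state, target = LINKS.get(slug, ("unknown", None))
    if state == "active":
        return Response(301, location=target)
    if state == "removed":
        return Response(410, body="Gone")
    return Response(404, body="Not found")


def cleanup_action(resp: Response) -> str:
    """List-maintainer side: map one observed response to a cleanup decision."""
    if resp.status == 410:
        return "purge"    # operator states the link is permanently removed
    if resp.status in (301, 302, 307, 308) and resp.location:
        return "keep"     # still redirects somewhere, so the entry stays listed
    if resp.status == 404:
        return "retest"   # could be removed, mistyped or only temporarily missing
    if resp.status == 200 and "page not found" in resp.body.lower():
        return "retest"   # soft 404: an error page served with a success code
    return "manual-review"


def review(listed_slugs):
    """Apply the cleanup rule to every listed slug of the hypothetical shortener."""
    return {slug: cleanup_action(resolve(slug)) for slug in listed_slugs}
```

Only the 410 branch gives an unambiguous signal; the 404 and soft-404 cases stay in a retest state because the status alone does not say whether the removal was deliberate.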

@spirillen
Contributor

Appendix note

I don't know if you already have it, but if not, why not add a grace period for new signups... Other url_shorteners have done this by suggestion. Phishing-Database/phishing#356 (comment)

@funilrys
Contributor

funilrys commented Jan 7, 2025

AFAIK, we are whitelisting URL shorteners already. @megaworldai if you can be listed in @PeterDaveHello's list https://github.com/PeterDaveHello/url-shorteners/ , it will be removed automatically from our project.

@funilrys
Contributor

funilrys commented Jan 7, 2025

++ Adding @PeterDaveHello for possible follow-up.

@megaworldai
Author

AFAIK, we are whitelisting URL shorteners already. @megaworldai if you can be listed in @PeterDaveHello's list https://github.com/PeterDaveHello/url-shorteners/ , it will be removed automatically from our project.

Thank you so much! I am requesting

@megaworldai
Author

Hello @PeterDaveHello, could you please help whitelist our URL shortener domain names? We requested this 3 weeks ago, but they have still not been added.

Many thanks!

@PeterDaveHello
Member

@megaworldai Please send a pull request with clear evidence so I can merge it ASAP.

spirillen added a commit to mypdns/matrix that referenced this issue Mar 26, 2025
@phishing-database-bot phishing-database-bot added the false positive Should not be listed label Apr 26, 2025
@phishing-database-bot
Member

Closing.

Domain(s) or IP(s) not found in the Phishing.Database project: shorten.tv, shortenworld.com, shorten.so, centi.ai, shorten.world.

-- We appreciate your help in refining this. Please let us know if anything seems incorrect.

@github-project-automation github-project-automation bot moved this from 🚫 Blocked / Waiting to ✅ Done in Phishing Database Backlog May 4, 2025