Below screenshot states that the base url firebasestorage.googleapis.com comes under content delivery network and the sub Url comes under phishing where customer wants to know why they were not blocking by the firewall. Also while im checking with the Virsutotal the below urls have been mentioned as phishing. I just wanted to know how to take forward with this. By creating a deny rule on url category or kindly need you assistance here.
urlcategory1
.png
Download PNG • 14KB
urlcategory
.png
Download PNG • 90KB
thanks in advance
hi Vijaya
firebasestorage.googleapis.com is not a phishing site, it is a application development platform owned and operated by google, but users have been abusing the app-development capabilities by creating nefarious apps and storing credentials gathered from phishing campaigns. The main FQDN itself is safe, the lengthy URL you provided in the screenshot is a subsection (users pace) where this 'abuse' has taken place and that seems to be getting categorized properly
as such, the main site should not necessarily be blocked as it hosts countless 'good' applications
hope this helps
Tom
Hi Tom,
Thanks for the inputs.. So how shall i proceed to block that specific lengthy url on the firewall
Needed some inputs on that as well.
So shall i use a url category for the lengthy one without decryption or do we need decryption for that to be blocked. Kindly provide me with other possible means to rectify this issue.
thanks and regards,
Vijay
you will need ssl decryption to detect it, without decyption you will only be able to see the FQDN. the lengthy one you posted is already identified as phishing, so will be blocked as long as you have decrypted the session. any 'new' instances should hopefully be picked up by also applying WildFire and dynamic URL lookups. you could subscribe to external services like spamhaus and cofense and ingest their lists as well, for extra coverage
Hi Team, I just want to know whether this specific urls are phishing or not and how to take it forward. Like blocking the url using url category with decryption enabled? could that be a solution for all type of email phishing as well?
I mean if we enable decryption the sub url could be visible and the verdit for the urls can be checked with wildfire for signatures. So is this could be a solution for preventing from further links entering organization.
Regards
for best coverage and least false positives/negatives you should enable ssl decryption. on top of url filtering you should also leverage WildFire and DNS security, combining those 3 will give you far greater coverage. you cn also ingest external threat feeds through MineMeld, and you could look into credential detection (sub tab in URL filtering) to prevent credentials from being shared
@Reaper thanks for the inputs buddy much appriciated..