How it started
At the beginning of June 2022 we got our first report related to this problem, from one of our customers.
According to the report, when they accessed their website, they would see the dreaded "Deceptive site ahead" warning.
What does "Deceptive Site Ahead" actually mean?
Since we were not familiar with this browser warning, we started researching what it means and what can cause it.
We learnt that, in order to protect web users, Google keeps, via its Safe Browsing platform, a list of websites that are potentially dangerous to visit. Any website on this list shows the above warning when visited.
Armed with this knowledge, we instructed our customer to run checks on their website to make sure it was not compromised and then, when ready, submit their website to be de-listed, which would make the warning go away.
We thought this was an isolated case and we could move on. We were wrong!
We experienced the problem on our own testing websites
A few days later, while testing a MailWizz feature that involved reading the correct client IP address when MailWizz runs behind a reverse proxy, we decided to use Cloudflare for one of our test instances, to make sure the feature worked properly.
This worked well for us for the first few days, but then, all of a sudden, we started getting the same browser warning as our customer: "Deceptive site ahead".
Since our testing instances were fresh, newly created instances, we knew they were clean, so we considered this a false positive and simply requested that our testing website be de-listed, which it was, in a very timely manner.
This was our second mistake. We should have pushed harder and investigated further.
A calm period, but not for long...
Things were calm for a while, then the reports started again; this time more and more customers complained about the browser warning.
We even had customers accusing MailWizz of triggering the issue directly. That was harsh.
As a result, our sales started to be affected as well, so things were not looking good.
At this point, all we could do was instruct our customers to run checks on their affected websites, make sure they were clean, and then request de-listing.
In parallel, our investigation continued. While trying to find a common denominator between all affected customers, we asked them where they were hosted, what services they used, and so on.
Some of our customers reported they were using Cloudflare, which hit home for us.
Could it be that our test instance wasn't getting a false positive after all?
Could using Cloudflare be part of the problem?
Using checkphish.ai we tested our customers' domains that were using Cloudflare, and sure enough, we got back reports that those IP addresses had been used for phishing in the past.
Our understanding is that Cloudflare uses the same IP addresses for all, or most, of its customers. If one of these IP addresses is reported for fraudulent activity because of one of those customers and gets listed in the Safe Browsing list, then every customer behind that IP address will have their website show the "Deceptive site ahead" warning.
This is not a hard statement; it is just our conclusion after completing our research.
Fixing the problem
There is not much we could have done on our end except write a very detailed KB article explaining the problem, advising our customers to check their websites and then ask for de-listing.
The general issue went away as it came; it has been a few days since we received our last report related to it.
We are not sure whether this was fixed thanks to our customers' actions, or whether Cloudflare took action on their end.
In conclusion, while most articles you will find about this issue will tell you the problem is a hacked website, this might be just half of the answer, the other half being that your website is hosted on a network that has (or had) problems with fraudulent activity caused by its customers, which in turn led to its IP addresses being listed.
This is why you should always check the history of domain names and IP addresses when you acquire them.
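As an added illustration of the shared-IP effect described above and of the "check your IP's neighbours" advice (example code written for this article, not MailWizz's or Cloudflare's own tooling): given a constructed set of domain-to-IP resolutions and a constructed reputation feed, it reports every clean domain that would inherit an IP-level listing from a flagged tenant on the same address. The proxy range, domain names and flagged set are placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data, not taken from the article. 203.0.113.0/24 is a
# documentation range standing in for a shared reverse-proxy pool; the
# domains and the "flagged" set are hypothetical.
SHARED_PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

RESOLVED = {
    "shop.example": "203.0.113.10",
    "blog.example": "203.0.113.10",
    "bad-tenant.example": "203.0.113.10",  # hypothetical phishing tenant on the pool
    "mail.example": "203.0.113.22",        # same pool, different address, no flagged neighbour
    "origin.example": "198.51.100.7",      # dedicated host, nothing to inherit
}

FLAGGED = {"bad-tenant.example"}  # what a reputation feed such as checkphish.ai might report


def is_shared_proxy_ip(ip, ranges=SHARED_PROXY_RANGES):
    """True if the address falls inside one of the known shared-proxy pools."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def domains_by_ip(resolved):
    """Invert domain -> IP into IP -> set of domains sharing that address."""
    groups = defaultdict(set)
    for domain, ip in resolved.items():
        groups[ip].add(domain)
    return groups


def collateral_risk(resolved, flagged, ranges=SHARED_PROXY_RANGES):
    """Map each clean domain that shares an address with a flagged domain to
    (ip, pool), where pool is "shared-proxy" if the address belongs to a known
    proxy range and "other" otherwise. An IP-level listing hits the whole group."""
    at_risk = {}
    for ip, domains in domains_by_ip(resolved).items():
        if not (domains & flagged):
            continue  # nobody on this address is listed, nothing to inherit
        pool = "shared-proxy" if is_shared_proxy_ip(ip, ranges) else "other"
        for domain in sorted(domains - flagged):
            at_risk[domain] = (ip, pool)
    return at_risk


if __name__ == "__main__":
    for domain, (ip, pool) in collateral_risk(RESOLVED, FLAGGED).items():
        print(f"{domain}: shares {ip} ({pool}) with a flagged tenant; check Safe Browsing and request review")
```

Feed it real resolutions and a real reputation feed and the output is the list of sites to check and, if needed, submit for de-listing before customers report the warning.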
Do you have questions?
We're here to help, please contact us and we will do our best to answer your questions as soon as possible.