Skip to content

[FALSE-POSITIVE] key2stats.com - Legitimate K-12 education platform #2006

Closed
Closed
[FALSE-POSITIVE] key2stats.com - Legitimate K-12 education platform#2006
Labels
bot:check-false-positiveInforms our bots that they should check for the possible false-positive.bot:check-staleInforms our bots that they should check for possible stale.bot:verify-dnsInforms our bots that they should check for the DNS verification.false-positive-reportA False-Positive report that has to be verified.
@33sigma

Description

@33sigma
33sigma
opened on Mar 12, 2026

What are the subjects of the false-positive (domains, URLs, or IPs)?

key2stats.com

Flagged URL:

https://key2stats.com/frontend/web/assets/c9976024/themes/ui-darkness/images/tree/wtff/?email=eticka.linija@t.ht.hr

Why do you believe this is a false-positive?

key2stats.com is a legitimate educational technology (EdTech) platform for K-12 statistics education, used by teachers and students at Boston Public Schools and other districts.

The flagged URL path /frontend/web/assets/c9976024/themes/ui-darkness/images/tree/wtff/ is not and has never been a phishing page:

  • /frontend/web/assets/c9976024/ — Yii2 PHP framework auto-generated asset hash directory from a past deployment (no longer exists)
  • themes/ui-darkness/ — Standard jQuery UI theme (open-source UI library)
  • images/tree/ — Treeview widget icon directory from jQuery UI
  • wtff/ — This path never existed as intentional content. It was appended by a phishing probe or vulnerability scanner.

The full URL returns HTTP 404 (Not Found). No content is served at this path. The ?email= parameter was never processed by our application here.

How did you discover this false-positive(s)?

The domain was blocked by iboss (school district web content filter) at Boston Public Schools, preventing students and teachers from accessing their learning platform during class. Investigation traced the block to this Phishing.Database listing.

Where did you find this false-positive if not listed above?

This false positive has cascaded to multiple downstream security vendors:

  • Avira — flags key2stats.com
  • Fortinet / FortiGuard — flags key2stats.com
  • Norton SafeWeb — flags key2stats.com as "WARNING - known dangerous webpage"
  • iboss (school content filter) — blocks key2stats.com based on upstream feeds

Have you requested a review from other sources?

Yes — reviews submitted to Avira, Fortinet/FortiGuard, Norton SafeWeb, and BrightCloud/Webroot.

Do you have a screenshot?

N/A — the flagged URL returns a 404 page. There is no phishing content to screenshot.

Additional Information or Context

  • Domain owner: Key2Stats LLC — educational technology company
  • Platform purpose: Interactive statistics education for K-12 students and teachers
  • Infrastructure: Hosted behind Cloudflare with comprehensive security headers (HSTS, CSP, X-Frame-Options, etc.)
  • Framework: Yii2 PHP — the flagged path is a framework artifact, not user-created content
  • Google Safe Browsing: Clean — no unsafe content found
  • Impact: Students at Boston Public Schools are currently unable to access their learning platform

Metadata

Metadata

Assignees

No one assigned

    Labels

    bot:check-false-positiveInforms our bots that they should check for the possible false-positive.bot:check-staleInforms our bots that they should check for possible stale.bot:verify-dnsInforms our bots that they should check for the DNS verification.false-positive-reportA False-Positive report that has to be verified.

    Type

    No type

    Projects

    Phishing Database Backlog

    Status

    ✅ Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions