Suspicious connections to weird website from 2 devices.

Hi,

Both yesterday and today i've received notifications about a blocked connection on my PC related to a website called "ponf.linkedin.com".

After looking it up via virustotal and other search websites it came up as a service for cameras (weird) but this started about 21 hours ago after someone else in my family was using MS teams if thats somehow related to this, I got a notification again today that firefox.exe tried to connect to said website but the certificate for it was expired.

Does anyone have any idea why this would be and if I should be concerned about both if not the entire network being compromised? thanks.

Tagged:

Answers

  • Gjoksi
    Gjoksi DEFENDER OF THE YEAR 2022 / DEFENDER OF THE MONTH ✭✭✭✭✭

    Hello.

    You might be a victim of adware, so do the following:

    1) Start your PC in Safe Mode, by following these steps:

    https://support.microsoft.com/en-us/windows/start-your-pc-in-safe-mode-in-windows-92c27cff-db89-8644-1ce4-b3e5e56fe234

    2) Open the Run command:

    https://www.makeuseof.com/windows-open-run-command-dialog-box/

    and run the below commands one by one:

    temp - delete all the folders/files in the folder

    %temp% - delete all the folders/files in the folder

    prefetch - delete all the folders/files in the folder

    3) Restart your PC in General Mode, by following these steps:

    https://www.techwalla.com/articles/how-to-restart-a-computer-in-normal-mode

    4) Reset/Refresh your browsers:

    Google Chrome - https://support.google.com/chrome/answer/3296214?hl=en

    Mozilla Firefox - https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings

    Microsoft Edge - https://malwaretips.com/blogs/reset-microsoft-edge/

    Opera - https://browsersolution.com/reset-opera-browser

    Vivaldi - https://help.vivaldi.com/desktop/install-update/full-reset-of-vivaldi/

    Brave - https://support.brave.com/hc/en-us/articles/360017903152-How-do-I-reset-Brave-settings-to-default-

    5) Run a System Scan with your Bitdefender program.

    6) Restart your PC.

    7) Scan (and disinfect, if needed) your PC with Bitdefender Rescue Environment:

    https://www.bitdefender.com/consumer/support/answer/29132/

    8) Restart your PC.

    9) If the steps provided above didn't help, do the following steps:

    Take screenshot(s) of the issue,

    create a log file on your Windows device using Bitdefender Support Tool, by following these steps:

    https://www.bitdefender.com/consumer/support/answer/1733/

    and

    create a log file on your Windows device using BDsysLog, by following these steps:

    https://www.bitdefender.com/consumer/support/answer/1922/

    Next, contact Bitdefender Consumer Support by e-mail:

    https://www.bitdefender.com/consumer/support/help/

    with short description of the issue.

    After that, you will get an automated reply by the Bitdefender Customer Care Team, with your ticket number.

    Now, in reply to that automated reply, you can send the screenshot(s) you already took and the log files you already created in the first step.

    Since you are all done, just wait for the support engineers to investigate your issue and find a solution to fix the issue.

    Remember that the screenshot(s) and the log files will help a lot to the support engineers for better and faster investigation on your issue and finding a solution.

    NOTE: If any of the log file is larger than 25MB, you can upload the log file here:

    https://upload.bitdefender.net/

    After the upload is done, you will get a notification with the file's URL and then you can share the file's URL with the Bitdefender Consumer Support.

    Regards.

  • Yorman
    edited February 23

    Thanks Gjoksi,

    I just reinstalled windows 11 on my main PC and did what you recommended on the laptop and it seems to have done the job, thanks for the info.

    If it comes up again i'll probably open an ticket or return with another post.

    Its weird because I haven't done anything out of the ordinary, this just happened out of nowhere but maybe it was some program making a call to that website for all I know.

    Cheers!

  • Yorman
    edited February 23

    So it appeared again with 2 exact same warnings that firefox.exe blocked the website because of an expired certificate when nothing came up, no warning or even said website physically loading on firefox as it just happened in the background.


  • Gjoksi
    Gjoksi DEFENDER OF THE YEAR 2022 / DEFENDER OF THE MONTH ✭✭✭✭✭

    Hello again.

    Do the steps below.

    First, take screenshot(s) of the issue,

    create a log file on your Windows device using Bitdefender Support Tool, by following these steps:

    and

    create a log file on your Windows device using BDsysLog, by following these steps:

    Next, contact Bitdefender Consumer Support by e-mail:

    with short description of the issue.

    After that, you will get an automated reply by the Bitdefender Customer Care Team, with your ticket number.

    Now, in reply to that automated reply, you can send the screenshot(s) you already took and the log files you already created in the first step.

    Since you are all done, just wait for the support engineers to investigate your issue and find a solution to fix the issue.

    Remember that the screenshot(s) and the log files will help a lot to the support engineers for better and faster investigation on your issue and finding a solution.

    NOTE: If any of the log file is larger than 25MB, you can upload the log file here:

    After the upload is done, you will get a notification with the file's URL and then you can share the file's URL with the Bitdefender Consumer Support.

    Regards.

  • Timothy M.
    edited February 23

    Made a forum account just so I could pop in and say that I'm experiencing the same thing, only on LinkedIn itself. I also got an alert from Bitdefender saying that there had been a data breach (or rather a data scraping) for ponf.linkedin.com. I've done multiple full scans with Bitdefender and it's finding nothing, and the URL isn't getting flagged by anyone on VirusTotal either so I don't think it's adware.

    @Alexandru_BD Is this something you'd be able to investigate?

    Edit:

    Okay, I take that back about VirusTotal not detecting anything. Check this out: https://www.virustotal.com/gui/domain/ponf.linkedin.com/detection

    Even still, I do think that this is probably a legit URL and the cert just expired and that's why it's being flagged, but I'm not a cybersecurity expert so take my opinion with a grain of salt. Hopefully we'll see what Alexandru says.

  • Yorman
    edited February 23

    @Timothy M.

    Thanks for the contribution because I literally made an account just for this, I did also bring it up on virustotal as mentioned at the beginning of my post.

    It is weird because I have no idea why it would try to connect to it and why it'd do it on 2 different devices randomly, I did what Gjoksi above suggested and it seems to have gotten rid of it on the laptop while also seemingly managing to get rid of it on my PC initially, I managed to replicate the behaviour by resetting firefox then re-opening it and it made the connection to the website.

    I eventually ended up erasing all of my browsing history (which did include linkedin because I use it for work) and then trying to replicate the issue to seemingly no avail as if that somehow had any connections to it.

    The certificate indeed has expired as I did go to the website and all it came up with was an 404 error but why this began in the first place no idea, hopefully the person you tagged can tell us more.

    Thanks.

    (Edit):

    So this definetely has something to do with linkedin, the moment I opened the official linkedin website bitdefender immediately triggered that firefox again tried to connect to ponf.linkedin.com, i'm starting to feel it might have something to do with a data breach that happened I believe 2 days ago on reading up on it so this seems like its a benign issue but i'm not totally sure, would be nice for someone who has proper knowledge on this to chime in.

  • Hello @Timothy M. @Yorman,

    The site is indeed blocked by Bitdefender for expired certificates and this is the expected behavior as Online Threat Prevention kicks in, but if an automatic connection is attempted from your PC that Bitdefender blocks, it is possible that you have some form of adware on the device and the below steps should help:

    Regards,

    Alex

    Premium Security & Bitdefender Endpoint Security Tools user

  • Timothy M.
    edited February 26

    Hey @Alexandru_BD, good to hear from you.

    What do you mean by "automatic connection"? Do you mean like how when Yorman said the notifications came up when they didn't even have Firefox or LinkedIn open? For me, the notification only happens when I go to LinkedIn, and as soon as I leave the website it stops. I have uBlock Origin installed as well. Plus wouldn't Bitdfender detect any adware in a full system scan? I've done several and they found nothing.@Alexandru_BD

  • By that I mean a browser redirect, yes. Bitdefender cannot take any direct measures here and usually a scan won't reveal anything, because technically, these redirects do not have anything malicious attached to them, but when you click on them, they may redirect to malicious sites that try to collect data or install abusive or dangerous software, and that's when the defenses kick in.

    When it comes to browser redirects, these usually have to do with some form of adware that you agreed on or something you enabled, like site setting, site notification, redirects in your browser or installed toolbars, extensions or applications. A browser reset and removing unwanted extensions from it should be enough in most adware cases, but if the website certificate is expired or unmatching and you are accessing that page, the detection will persist. The only way to suppress such notifications would be to disable the Encrypted Web Scan feature, but this is not a recommended action.

    Regards,

    Alex

    Premium Security & Bitdefender Endpoint Security Tools user

  • Yorman
    edited February 28

    @Alexandru_BD

    In my situation I didn't have anything remotely close to "adware" or anything like site permissions enabled to be redirected, it came out of the blue one day as I mentioned and it persisted especially when opening linkedin as if it was tied to that itself, the only way I got this to stop was to reset the settings on firefox and delete linkedin off of my browsing history which stopped the attempts to connect to that website with the expired cert.

    It was a weird experience to say the least but it stopped and I have all the necessary safeguards on my devices (like having bitdefender) so i'm thinking it was a weird one off thing that happened to me and @Timothy M.

    Thanks for the reply however, have a good day!

  • I understand. Most probably it was linked with.. linkedIN. 😄

    And yes, usually a browser reset helps. Glad to hear it has been resolved.

    Regards,

    Alex

    Premium Security & Bitdefender Endpoint Security Tools user

  • Timothy M.
    edited February 28

    @Alexandru_BD @Yorman

    Hey Yorman, is the issue actually resolved for you? I went and checked LinkedIn again and I'm still getting the notification that the cert is still expired. I've gotten into the habit of clearing my entire browsing history (including all cookies and the cache) when I finish using the Internet. I haven't installed anything new, I haven't agreed to any site setting changes, I haven't downloaded anything, I haven't gotten any weird redirects, etc. so I don't know how I could have gotten adware. The only extension I have is uBlock Origin and I installed that a while ago. I'm about to use the reset option in Chrome to see if that fixes it, and I'll report back.

    (EDIT):

    Alright, even after a browser reset and computer restart the issue still persists. I even visited LinkedIn without uBlock Origin and the issue was still persisting (Had an issue happen in the past with a scareware "Trojan" where nothing was being executed or caught by my at-the-time different security software until I disabled uBlock, so I was curious if that would do anything), but I've had no requests to changed browser settings, haven't gotten a prompt to download anything, didn't get any weird redirects, etc. I really think this is just an issue on LinkedIn's end and it's just a matter of waiting for them or Microsoft to renew the cert. (Found out recently that they're owned by MS, but I'm not sure who would be in charge of this).

    By the way, I did get another notification today that another one of their sub-domains had been hit with another malicious data-scraping.

  • Yorman
    edited February 28

    @Timothy M.

    I haven't visited linkedin ever since I deleted all of the times i've visited it off my browser history, as I said resetting firefox & deleting any presence of linkedin stopped the notifications for me so it was clearly trying to somehow connect just by simply it being present (probably in the cookies or login tokens), I suggest you don't go onto linkedin till the problem is fixed by whoever is in charge of renewing certs and that you delete it off your browsing history entirely (just the website visits, not the login info itself).

    I did mention that there was a massive data breach from what I read a little before this issue cropped up for me so it might have something to do with that but I don't have that kind of tech knowledge to confirm whether thats true or not.

    Hope this helps you!

  • @Timothy M. - I really think this is just an issue on LinkedIn's end and it's just a matter of waiting for them or Microsoft to renew the cert - I think you could be right here.

    Premium Security & Bitdefender Endpoint Security Tools user

  • Hi,

    I am receiving this notification whenever I try to access LinkedIn (www.linkedin.com). I uninstalled the browser, and deleted all data (history, cookies, bookmarks,....). Once I try to access LinkedIn I get Bitdefender message immediately. I raised this issue to linkedin and I received that I should contact bitdefender for this issue see emails below:

    Email (1): I wrote

    In Which App or Site?: LinkedIn (Website)

    On What Device?: Windows Laptop/Desktop

    Your Question: Just recently, I am frequently receiving the below message from my Bitdefender whenever I am trying to access Linkedin. It does not block me from access the www.linkedin.com as I can log-in. But I am receiving this message which I do not know the reason behind!

    Feature:

    Online Threat Prevention

    chrome.exe attempted to establish a connection relying on an expired certificate to ponf.linkedin.com. We blocked the connection to keep your data safe since websites must renew their certificates with a certification authority to stay current, and outdated security certificates represent a risk.

    /////

    Greetings from LinkedIn. Thank you for writing to us.

    I've reviewed your query regarding notification which you are receiving. 

    I understand your concern and I am here to help you. 

    You are requested to kindly contact Bitdefender customer support as this might be something related to them and not us.

    Regards,

    LinkedIn Member Support Consultant

    Member (02/27/2024 03:55 CST)

    //////

    Email (2): I wrote

    But what is ( ponf.linkedin.com)? is it a linkedin uri? or ...

    //////

    Thanks for your reply.

    I would like to tell you that we won't be able to confirm anything on this as it is not something which is related to LinkedIn. You will need to contact your antivirus provider for the same. 

    PS: I've marked this issue as solved. If you still need my assistance, please don't hesitate to reply. If you reply, your response will come directly to me and I'll be more than happy to help until we have fixed the issue together.

    Regards,

  • Hi,

    The last paraghraph sounds like a canned response. They haven't really explained what ponf.linkedin.com actually is, or what could be triggering the certification detection for that page. I think this is something they should be able to expand on.

    Regards,

    Alex

    Premium Security & Bitdefender Endpoint Security Tools user

  • Hi,

    I am receiving more warnings (any-na-tg.www.linkedin.com) from Bitdefender for LinkedIn site:

    Suspicious connection blocked

    chrome.exe attempted to establish a connection relying on an expired certificate to any-na-tg.www.linkedin.com. We blocked the connection to keep your data safe since websites must renew their certificates with a certification authority to stay current, and outdated security certificates represent a risk.

  • I was wondering a couple of things as I am getting the same "Expired Certificate to ponf.linkedin.com. See the message directly below.

    chrome.exe attempted to establish a connection relying on an expired certificate to ponf.linkedin.com. We blocked the connection to keep your data safe since websites must renew their certificates with a certification authority to stay current, and outdated security certificates represent a risk.


    1. Has a root cause of this been found?
    2. Is there a fix for this?
  • Hello @K Halwa,

    I think LinkedIn Support representatives should further clarify the nature of these subdomains: ponf.linkedin.com and any-na-tg.www.linkedin.com. As far as I know, LinkedIn does use various subdomains for different purposes, such as serving content, tracking, analytics, and more, but it's also highly possible that these are not recognized LinkedIn domains.

    As far as the antivirus is concerned, the detection is legitimate and will stay, so they need to sort this out and explain what purpose they serve and why these subdomains are being flagged with certificate issues.

    It's challenging to determine the exact purpose or functionality of these subdomains. They could potentially be related to specific features, services, or internal operations within LinkedIn's infrastructure, but like I've said, they may also be unrelated to LinkedIn, and I think this is actually the concerning part, especially in the context of certificate issues.

    Regards,

    Alex

    Premium Security & Bitdefender Endpoint Security Tools user

  • Flexx
    Flexx DEFENDER OF THE YEAR 2023 / DEFENDER OF THE MONTH ✭✭✭✭✭ mod

    The first URL provided has an expired certificate for LinkedIn

    https://www.sslshopper.com/ssl-checker.html#hostname=ponf.linkedin.com

    For the second link, LinkedIn has updated its certificate.

    https://www.sslshopper.com/ssl-checker.html#hostname=any-na-tg.www.linkedin.com

    @Alexandru_BD you need to get this checked.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • Ok, when I go to any-na-tg.www.linkedin.com I get the following message:

    LinkedIn is Momentarily Unavailable.

    LinkedIn is momentarily unavailable but should return in a few moments.

    For this one, I think an exception can be added for the Online Threat Prevention module, until the certificate detection is sorted.

    Regards,

    Alex

    Premium Security & Bitdefender Endpoint Security Tools user

  • Flexx
    Flexx DEFENDER OF THE YEAR 2023 / DEFENDER OF THE MONTH ✭✭✭✭✭ mod

    @Alexandru_BD those are the subdomains and will not open anything. They are used for the proper functioning of the website, such as sending or retrieving data, etc from the LinkedIn servers. You can only open the main website and nothing else.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • Of course, silly me.😅 Well, in this case, how about adding www.linkedin.com to the exceptions list until this is sorted?

    Premium Security & Bitdefender Endpoint Security Tools user

  • Flexx
    Flexx DEFENDER OF THE YEAR 2023 / DEFENDER OF THE MONTH ✭✭✭✭✭ mod

    Yes, I guess adding to the exception should work.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • StrugglingMan
    StrugglingMan Consultant

    Hi everyone,

    Tagging on to this. I am receiving this same error:

    msedge.exe attempted to establish a connection relying on an expired certificate to ponf.linkedin.com. We blocked the connection to keep your data safe since websites must renew their certificates with a certification authority to stay current, and outdated security certificates represent a risk.


    I experience this with both Chrome and Edge - and on several different websites - leading me to believe all of these websites are not having security certs revoked or expired within the same week.


    About 36 hours before these certificate errors started occurring, I was hit with a BiteDefender phishing attempt notification that was blocked. However, the timing of this first occurring, then all these security certificates revoked - makes me believe they are related.

    I've spent the last 10 hours following several step by step / troubleshooting guides related to 'user end' security certificate error fixes, I have ran 3 different malware / virus scans across whole system, no results, I changed every password known to me and reset my bank account already as a precaution, but still highly concerned to use my computer in the near future.

    Appreciate any guidance or investigating.

  • Flexx
    Flexx DEFENDER OF THE YEAR 2023 / DEFENDER OF THE MONTH ✭✭✭✭✭ mod
    edited March 25

    Kindly have a look at the below-stated link:

    You will also need to contact LinkedIn support and ask them to renew the certificate of the exact link that you stated (ponf.linkedin.com).

    As proof, share it with the stated link: https://www.sslshopper.com/ssl-checker.html#hostname=ponf.linkedin.com

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)