What does it mean: suspicious page modification?

Sudu

My F-secure is noting stopping suspicious page notification on banking URL's, even with Banking Protection. Should I be concerned?

Ukko

Hello,

My F-secure is noting stopping suspicious page notification on banking URL's, even with Banking Protection. Should I be concerned?

Depends on what you are doing when the "suspicious page notification" occurs.

As such (although I have not seen, it seems, a documented description of the functionality) - this is one of the features of Banking Protection. Additional control or close attention to a number of actions or events is carried out that would be interpreted as a modification of the page (mostly the banking page itself).

Maybe this is a general feature of browsing protection, but it simply becomes more sensitive and vigilant during banking. Be that as it may, I have only encountered such an event in relation to the banking page or during an active banking protection session. The easy way is to open browser's console.

To better understand your situation, I would try the following:

• understand when this event occurs (added to the "Recent Events" list): simply when entering the banking page or after some specific action there;
• try to go to some other random banking pages (for example, nordea.no or F-Secure's dedicated test page) and see if the situation is similar there, if it is possible to understand when a "suspicious modification" occurs on the original website;
• try to use another browser; or to disable unrelated to F-Secure addons/extensions in current browser.

I admit the possibility that an attempt to show some kind of pop-up or make multiple redirects can also be interpreted as a suspicious modification of the page. So if you can share the URL where you observe such an 'event' it would be interesting to see if it is reproduced by other users (in case, if URL is safe and secure to share).

Thanks!

Sudu

So, mostly financial concerns but also MSN and Google mail (gmail), and there is even one for Youtube and a couple for one drive. Some were noted at times that I do not believe that I was awake, otherwise could have been because I was logging into or already logged into a financial concern. This could mean that I, of such little means, am a target?

Ukko

Well, yes, it sounds strange.

But before continuing the conversation - are you using a beta product (topic created in this Community section) called as "fs protection"? Or a regular stable version, a solution like "F-Secure Total"?

Because it would be possible to 'completely' understand the situation only after studying the logs (Windows Support Tool guide). So, with beta: you need to create a fsdiag file and then to create a kind of 'bug' report to beta channel. For example, sending email with attached fsdiag to beta@f-secure.com

With stable solution: you can contacting through their direct Support Channels there: you can find "web-chat" option in the middle of page

So, mostly financial concerns but also MSN and Google mail (gmail), and there is even one for Youtube and a couple for one drive. Some were noted at times that I do not believe that I was awake, otherwise could have been because I was logging into or already logged into a financial concern. This could mean that I, of such little means, am a target?

In my experience: I have practically never encountered any suspicious page modifications (with the exception of a simple way to trigger this for the banking page during the banking protection session, when 'green frame' is visible across borders). So, I am puzzled to think which 'event' could produce it.

The simplest would probably be to have some kind of extension that could be the content of the page. Let's say, even if it's something like an adblocker. But then it would not be clear why this, apparently, does not bear some stable type of repetition.

What about the dates of these events for MSN, gmail, youtube? These are single records or multiple for the same resource. And what about the dates - are they dated on the same day, on the same time? For example, "all at once" (that is, all open tabs at that time were somehow affected).

Everything that is not banking - were there 'events' about them once recently, or were they all just like that a long time ago? Since relatively recently changes have been made so that such a protective feature is less sensitive and may give fewer false positives.

Sudu

There one or two occurrences at the same clock time. Banking protection on some URLs does not come on until I have logged out and one must manually close the protection after logging out of others; just wondering if trying to login to another site while the protection has not been closed yet could trigger the incidents? I've been also wondering if one could get a button to push on the desktop to trigger the security feature and not to rely fully on F-secure list, or do I currently have an option to add URLs to "my" list for banking protection?

Ukko

There one or two occurrences at the same clock time. Banking protection on some URLs does not come on until I have logged out and one must manually close the protection after logging out of others; just wondering if trying to login to another site while the protection has not been closed yet could trigger the incidents?

Apparently, some specific action leads to this. But I don't know what possibilities there might be here. I tried to play around with it now and I couldn't easily and simply reproduce such an impact (without opening the console browser or using some third-party browser extensions). And towards the end of the attempts, it became impossible to pull it off at all.

So I don't think that simply trying to log in would have that effect (although maybe something autofilling or complicated login procedure could somehow trigger "the modification" event). Still I am not sure if this feature is exclusively related to Banking Protection or can be part of general Browsing Protection. Because if it is exclusively banking enhancement then an active banking protection sessions is always a 'requirement' to repeat it;

and then it is basically (if I understood it right) strange if with certain banking pages you cannot get Banking Protection until logout from this service. And even the fact that banking protection sessions don't automatically end after you leave certain banking page is also not as it should be. Meaning: just logout is not enough; you need either closing the webpage (tab) or switching to another URL/website), or closing browser. Otherwise, only manual 'end' via button is the option.

I mean, Banking Protection, usually, is activated by visiting supported page (does not matter if you are not logged-in currently).

I've been also wondering if one could get a button to push on the desktop to trigger the security feature and not to rely fully on F-secure list, or do I currently have an option to add URLs to "my" list for banking protection?

Yes, there is "own" list with recent versions.

Described in this Online Guide / Help - with fs protection, the guide would be basically 'the same'.

Ville

Suspicious page modification means that while you are in your bank in browser, someone is modifying the page content from your device side (not the bank side). Typically this is done by scammers when they are trying to edit your balance or something else to look like you still have the money while they transfer it away. However lately AI tools (like Copilot) have started doing some page modifications and they can trigger this causing false alarm. We are keeping an eye on it.

You can report it as bug but it's tricky to investigate as the page content is very sensitive and we usually don't have access to the banks that customer are using.

Sudu

So, this is like a remote control?

Ville

We have a feature that prevents remote access being active when going go bank. The suspicious modification does not really care where the modification originates from as it is very hard to detect. It can be a result of many things.