Hello, welcome to the Monday, February 11, 2019 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

The way most fishing sites work is that an attacker sets up a website, has full access of course to the server, uploads files

that will emulate the form and will collect the data, pretty much sort of like any website

does it, and then store the data on the server and exfiltrate it to the attacker, or even

just stored on the server and the attacker will

periodically download.

Xavier, however, came across a fishing website that's taking a little bit of more modern

approach to collecting the data.

Instead of having actually a scripting language like php.net or whatever, the entire fishing attack is actually implemented

in JavaScript and the JavaScript will collect the data from the victim and then report it to a site

that's actually doing all the central collection. Of course, the advantage of this scheme is that if anybody

takes down the fishing site, they will be left with very little sort of forensic evidence.

They will not recover typically any of the usernames and passwords that users have entered

in the fishing site while it was active. They may see based on the web logs, how many people sort of visit this site, but that's

about all they would be able to get from this site.

Of course, this approach is also much easier to set up.

Could easily be done on a compromised website. The attacker doesn't really need

sort of full access to this site, just needs to be able to get their JavaScript and the

HTML form somehow placed on the site. In this particular case, actually, Saville also found

the script that then receives the data that's being collected via

JavaScript and in this case it's also just directly emailed to the attacker. And Akamai is

...