SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Monday, May 24th, 2021


SANS ISC Handlers

Tech News, News


🗓️ 24 May 2021

⏱️ 6 minutes


Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Phishing without Server; Anti-Debugging; WinRM exposes http.sys; Firefox Exploit

Transcript


0:00.0

Hello, welcome to the Monday, May 24, 2021 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich. Entertainment recording from Jacksonville, Florida, still, but virtually teaching this week in London. So the podcast may be published at a little bit odd times. And actually, we will be

0:24.3

switching back to live training, or at least for sort of a hybrid mode. And London is one of

0:32.4

the cities that I'm scheduled to teach in in July and then August. No guarantees yet whether or not this will be in person.

0:41.7

It could also be still virtually, but in a classroom. But let's take a look at diaries that came in

0:51.1

over the weekend. Xavier ran across an interesting phishing email that

0:56.5

performs phishing without any servers. Not only is the HTML page embedded in the email,

1:05.2

that's a fairly common trick, but usually JavaScript within that HTML will then submit harvested credentials to a particular

1:14.6

web service that collects them. This particular phishing email took a little bit

1:19.9

a different approach. It took advantage of an API that's offered by SMTPJS.com.

1:28.6

And that API essentially sort of creates a gateway between JavaScript and SMTP.

1:34.4

You register with SMTPJS.com and then you obtain JavaScript that will send a request to SMTPJS.com and then relay it via your

1:48.5

SMTP server. Personally, I would actually recommend against using SMTPJS.com even for legitimate

1:56.2

purposes. Yes, the credentials are not directly exposed to the user via JavaScript.

2:03.6

Instead, the credentials are turned into a token that's then included in the JavaScript.

2:09.0

However, you have to deposit your credentials for your SMTP server with SMTPjs.com.

2:18.5

So really all they're doing is then connecting to your SMTP server.

2:22.9

There are, I think, a couple better APIs that use their own SMTP servers.

2:29.2

Of course, that can be a little bit more tricky if you have to use a specific SMTP server for email security purposes like DMARC.

2:39.0

The token that's exposed to the user is static, so each user gets the same token.

2:47.0

You can limit it to a certain domain, but it still looks like there are probably ways an attacker could use the token to send spam on your behalf.

2:58.8

So overall, fine for phishing and fine for some smaller websites, probably, but there are probably some better options if you just want to

3:09.1

trigger email from a JavaScript, and that typically would involve you running a server with

...

