Hello, welcome to the Monday, November 29, 2021 edition of the Sandtonet Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Our handler Jan this weekend took a look at a common trick. Fishing sites used to make investigations more difficult.

The phishing email, as Jan described it, was pretty much unremarkable, but shortly after

Jan reviewed the fishing site, the web server started returning 404 errors instead of the

Outlookalike page that was used to harvest

users' credentials. The author of the fishing site took a precaution in only allowing a limited

number of requests from a particular source IP. Now, there are a couple different reasons why NetHacker may do that.

So once the time or the request limit is exceeded, you get the 404 instead of the actual fishing page.

And if a user, for example, would forward the link or the email to an analyst.

That, of course, then may result in a false negative.

Or, for example, the user thinks that, hey, they should probably report that fishing page.

They try to exit again, but, well, they're now getting a 404, thinking probably that the fishing site

has already been taken down. If you are investigating fishing emails like this, always good

to try an anonymous internet connection, like a VPN or some LTE access or such with ever-changing

IP addresses.

Also, be a little bit careful with these URL parameters that are often being passed along.

These are often unique identifiers.

Sometimes it's just a base 64 or URL encoded email address that is then being used to

pre-fill, for example, a username.

And Dell released an important update to its I-Track 9 products.

The vulnerability is due to the use of ZeroMQ in these products.

ZeroMQ is an open source messaging library,

...