Hello, welcome to the Monday, October 5th, 2020 edition of the Sandstone Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Xavier came across an interesting fishing kit on Friday.

It emulates the American Express login page.

Pretty well done and he's going over some of the parts here.

Now we have gone over fishing kits before nothing sort of extraordinary here.

Just a reminder that if your site is impersonated by a fishing kit, just like in this case, often the attacker

will direct the user to the legitimate website in the end.

Same thing happens here.

One little mistake they make here, and not sure if this is a little bit intentional on American

Express's side, but the final redirect to the Amex website goes to a page where you

get an access denied.

Another common feature that you probably have heard about if you have read a prior Fishing Kit

write-ups from us, but this F fishing kit also includes a block list of IP addresses

that are often associated with researchers, security companies, and the like in order to

block them from accessing the fish kit. But as you can tell, well, just like block lists for the good guys,

isn't all that effective.

Xavier still had no problems accessing it.

And Guy took a look at his honeypot and found, well, aside from the usual attacks

against home routers, particular, netgear, also some attacks against different

types of routers, like in particular Huawei Home Gateways. And one particular sample that

he recovered here was actually not yet known to Virus Total, which is somewhat unusual given

...