Hello, welcome to the Thursday, August 2nd, 2018 edition of the Sands and its Storm Center's

Stormcast. My name is Johannes Orich, and I'm recording from Jacksonville, Florida.

Today we got a smishing attack to start out with smithing is derived from fishing and SMS, essentially a phishing message sent via SMS.

In this particular case, the message announced that the victim's Facebook message was deleted

for being inappropriate, and of course the message then offers a link to Facebook.

So the idea here is that the user will click on the link and then of course they will receive

a login page that looks just like Facebook's and that's where they lose their credentials.

If they enter credentials, whether correct or not, they will be redirected to the authentic Facebook page,

which of course will let them in then once they authenticate with their Facebook credentials.

There are a couple things that make this particular message a little bit special.

First of all, did hacker manage to register a host name starting with Facebook?

This host name was registered under a university domain in Bulgaria. Secondly, they actually do a

little bit input validation on the fake login form. If you are entering credentials that are syntactically wrong, meaning your

user ID or email address is not valid based on the format, then you get a login failed message.

Sometimes I hear the advice to enter just some random data. If you're unsure if it's a fishing site,

and if it's accepted, then you know it's a fishing site.

If it's not accepted, it may be the valid side.

Well, that advice is certainly not good advice,

and it is another example why you shouldn't rely on this simple test.

And then we have a spike in activity on an odd port 52,869.

Turns out the port 52,869 is used to send universal block and blame messages encapsulated in soap.

One particular popular implementation of this comes from real tech,

...