Hello and welcome to the Thursday, February 22nd, 2024 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Jan today wrote up a fishing scam that used Archive.org to host the actual fishing page. Archive.org, of course,

most well known for its way back machine that archives old websites, has also the ability to

upload files and archive files, and that's the feature being abused here. So the fishing pages that

are in Archive.org, at least the ones that Jan talked about, are not sort of accidentally

indexed and copied fishing pages, but the fishing pages deliberately uploaded to this site

by likely the person behind these fishing scams.

Archive.org, of course, only serves static HTML, but that does not prevent the attacker

then from using JavaScript to make the pages more malicious or more dynamic.

In this particular case, for example, they are loading a screenshot of the website

from thumb.io, have seen that site used in the past for it as well, as well as logos from

logo.com. Archive.org, of course, is often cited specifically allowed to be visited.

You have to be a little bit careful here because it sort of could be used as kind of a proxy.

But as Jan explains, these phishing pages, because they're deliberately uploaded, not sort of what Archive.

org would index from existing websites. They use a

slightly different URL scheme with a four-part host name, randomstring.us.org, which differs from

the host names typically being used for the more legitimate or more normal wayback machine

archive.org content. And then we do have a proof-of-concept exploit available now for the

screen connect vulnerability, and apparently this vulnerability is already being exploited in the wild. No surprise

given how trivial it is to exploit it. The problem here is similar to another vulnerability and I

forgot what system it was. I think talked about it last week but where you have essentially a setup

...