Hello, welcome to the Thursday, July 14th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Sands Fire here in Washington, D.C.

Xavier came across a fishing email that implemented a slightly different version of what we have seen before of sort of self-customizing phishing page.

The link the user clicks on does include the victim's email address.

So what the phishing page does is it extracts the domain part of that email address and then loads the victim's homepage inside an eyeframe.

In the past, we sometimes have seen this sort of done via curl,

but this particular phishing page is as so often hosted within Google's Firebase storage,

and there, of course, only sort of static HTML with the JavaScript is

allowed, which does limit the attacker to use iFrams in order to load the remote page.

But since the original YRLD victim visited did include the victim's email address, that email

address is now passed as a refer, and the organization should be able to identify

any possible victims of this phishing scam by looking at referral logs.

And of course, you also may want to take a look at limiting how your page is being displayed

in an eye frame.

The old option here was x-frame

option headers the newer way of blocking that is via content security policies and the frame

ancestor attribute and sticking with fishing here for another story crowd strike is reporting how

they have been seeing some fishing emails

that are impersonating security companies like GroutStrike. Now in this case, the attacker

actually doesn't ask the user to click on a link. The email claims that the security company

detected some vulnerability in the victim's network and then asked the victim

to call them back. Of course, this then comes down to one of those tech support scams, but

...