Hello, welcome to the Thursday, May 28th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Jan wrote up a fishing email that he received that does mimic a lot of fishing emails that I've seen lately in that the actual phishing website

is stored within Google's cloud API. Now, this limits a little bit what the attacker can do.

They can essentially just store a static HTML page with JavaScript within Google's cloud API, so they can't really run

any dynamic code.

So typically what they're doing, and that's sort of what Jan is explaining here, is that

JavaScript within the page will pick up the username and password the user entered and then send it off to another

page that actually collects the data.

In addition, the victim is then often redirected to a website that mimics the target that

originally intended to visit.

So the intent here is that the user just feels,

oh, the login failed. Let me just log in again. And they may not necessarily notice that

they actually just lost their credentials to a phishing page. Now, what's a little bit disappointing here really with a Google

cloud storage is that my experience and Jan sort of has this experience here too. It's really

hard and slow at least to take down these pages. Even reporting them from within Google Chrome, which you would think

they sort of would integrate here in their abuse process, given that this Google Cloud Storage

we're talking about, well, it can take a day and longer to have these fishing pages taken down.

Another interesting part here is that the attacker apparently did register the domain name

these emails came from. Maybe they stole it, a little bit hard to tell, but the emails were

properly decim signed and also had the right SPF records set up.

...