Hello, welcome to the Tuesday, April 14th, 2020 edition of the Statenet Storms, Stormcast.

My name is Johannes Ulrich, and I'm recording again from Jacksonville, Florida.

Jan took an look at two different fishing emails that were sent three months apart and appear to come from

the same actor.

It's sort of interesting to see how these phishing emails and related attacks are evolving

over time or, well, how they're not evolving.

In this case, they haven't really been evolving too much. For three months,

this particular actor pretty much sent the identical email messages with some customizations

and used pretty much the same fishing site where the user then entered their credentials.

I guess if attackers wanted to do a lot of work, they would

get legitimate jobs. On the other hand, well, if it works, they're probably just going to stick

with it and just fine tune the message a little bit in order to make it work better. But this also

shows that they're not really considering much like spam filters and

the malware and such, which over this time frame probably should have captured this particular

attack.

Also, so an interesting little titbit that Jan noticed is the actual page where the user

enters the credentials.

I've seen this a few times before with phishing sites where they always reject the first username and password combination.

I believe they do this in order to evade users

who think that they may have clicked on a phishing email and they're now entering

a wrong username and password first, thinking that if it's a fishing site, well, it will tell

them the password is correct because the fishing side typically sort of accepts any password

...