Hello, welcome to the Tuesday, May 23rd, 2017 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich and the damn recording from Jacksonville, Florida.

Typically, phishing emails isn't something we really worry about too much,

but they had an interesting one today targeting users of the Uber car sharing service.

Now these phishing emails weren't just done pretty well with respect to the layout and such,

but also the fishing site itself used a TLS certificate, which is somewhat unusual even though

not really that difficult to accomplish.

The fishing email itself arrived as a fake Uber email that claimed that you just took a right with Uber

and these emails looked just like what the receipts you usually get at the end of your right look like. Now the one thing they changed

is that they had a prominent link at the bottom of the email that would link to Uber disputes.

Of course the idea here was that as soon as you see this obviously fake or fraudulent email you would click on Uber disputes to dispute

that charge with Uber. This is where the fish kicked in. This domain was fake. It was not

associated with Uber, even though it did have a valid TLS certificate.

In this particular case, the attacker did use Cloudflare as a proxy in front of this particular website.

Cloudflare, of course, does offer as a free service TLS certificates.

In general, this isn't really worse than what most certificate authorities are

doing. Let's say let's encrypt and the like that will give you a TLS certificate if you are

able to prove ownership of the particular domain name. And of course, the attacker here did own

uberdisputes.com.

Another sort of interesting part here was that the site disappeared very quickly after we

learned of it.

So some of my investigation I had to perform after the site was already shut down.

...