Hello and welcome to the Monday, March 31st, 2025 edition of the Sands and then at Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Jan on Friday looked at two different fishing sites that at first look look very similar. Same layout. They also

use the same trick that we often see, where they're including the favorite icon from a website

that matches your email domain in order to make the entire site look more plausible. Both of

these websites are claiming to be login screens to webmail systems,

something we definitely see over and over again. What Jan really looked at, given that these two

email or these two fishing sites look so similar, are they actually created by the same entity? Are they using the same fishing kit?

And the answer here appears to be no, because the back end of these two fishing site looks very different.

One of them uses telegram as a command control channel or to

infiltrate the data. The other one doesn't. It uses a more sort of generic web hook

process in order to send the data off to some collection site. Both sides are hosted very

differently. So definitely looks different, but similar techniques.

What Jan suggests here, and he's probably right with this, he's looked at a lot of these

fishing sites, that these two are derived from the same fishing kit. So they, which is start out

as one fishing kit, but then

these fishing kits get copied, traded all the time. So basically they split off, they evolve,

and that's probably what's happening here in this particular case. Now sticking with fishing here

for the second story, InfoBlocks has an interesting

blog, a very detailed blog actually, about what they're calling a recent Mercat fishing kit

instance. Merckad is what Info blogs calls this fishing kit. A couple things sort of stuck out here.

I mentioned earlier that the fishing kit that Jan talked about included basically your

...