Hello and welcome to the Tuesday, April 7th, 2026 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu undergraduate certificate program in Applied Cybersecurity Security.

Jan today followed up on a recent diary of mine. In this diary I mentioned that we do see

quite a few attackers that are scanning our honeypots for possible open redirects.

There are a couple reasons why they may be doing this, and one of the suggestions was that

these redirects are being used for fishing, and Jan followed up on that and looked at recent

phishing emails and tried to figure out how many of these recent fishing emails are using open redirects.

So just to be clear about this, an open redirect is a bug vulnerability in a website that allows an attacker to essentially use this website as a conduit in a fishing attack

where the user is first being sent to the harmless website,

which will then automatically redirect the user to the actual fishing website.

This is different from a compromised website

where an attacker did add a redirect like this to the particular website.

So these open redirects are indeed used quite commonly.

Jan found them in about 20 to 30% roughly of different phishing emails that Jan looked at.

And of course, they're dangerous in so far because these websites being used as a redirect here

have usually a good reputation score, not malicious not compromised and with such

can often be unused to sort of serve as an early first hop in the fishing email chain

which does allow it to pass through many email filters.

And Hacker 1 has announced last week that they're suspending their internet bug bounty.

What was special about the internet bug bounty was that it was really trying to solicit bugs and security vulnerabilities really for open source projects.

And then the bounty was actually split between the hacker who found the vulnerability

...