Handler on Duty: Guy Bruneau
Threat Level: green
Podcast Detail
SANS Stormcast Friday, June 20th, 2025: New Employee Phishing; Malicious Tech Support Links; Social Engineering App Sepecific Passwords
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9498.mp3
New Employee Phishing; Malicious Tech Support Links; Social Engineering App Sepecific Passwords
00:00
My Next Class
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
How Long Until the Phishing Starts? About Two Weeks
After setting up a Google Workspace and adding a new user, it took only two weeks for the new employee to receive somewhat targeted phishing emails.
https://isc.sans.edu/diary/How%20Long%20Until%20the%20Phishing%20Starts%3F%20About%20Two%20Weeks/32052
Scammers hijack websites of Bank of America, Netflix, Microsoft, and more to insert fake phone numbers
Scammers are placing Google ads that point to legitimate companies’ sites, but are injecting malicious text into the page advertising fake tech support numbers
https://www.malwarebytes.com/blog/news/2025/06/scammers-hijack-websites-of-bank-of-america-netflix-microsoft-and-more-to-insert-fake-phone-number
What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia
Targeted attacks are tricking victims into creating app-specific passwords to Google resources.
https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia
iTunes
MP3 Download
RSS Feed
Google
Podbean
Amazon Echo
YouTube
Spreaker
Spotify
Discussion
Login here to join the discussion.
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
| Application Security: Securing Web Apps, APIs, and Microservices | Denver | Oct 4th - Oct 9th 2025 |
| Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025 |
Podcast Transcript
Hello and welcome to the Friday, June 20th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and this episode brought to you by the Graduate Certificate Program in Penetration Testing and Ethical Hacking is recorded in Stockholm, Germany. One issue that keeps happening is that in particular new employees in organizations are being targeted by phishing or gift card scans. Chris Crowley, a SANS instructor, did set up a new Google Workspace and, well, pretty much within a couple of weeks, then started receiving phishing emails trying to target, well, luckily non-existing employees at that particular Google Workspace. These emails claimed to come from Chris, given that he was quantilating LinkedIn and such, the owner of that particular company. And, well, also interestingly, the from address actually then also implied some kind of urgency which is often what's then being used to trick new employees into buying, for example, gift cards, claiming that their new boss, that they are still trying to impress, is trying to basically get gift cards to give to some customer or the like. Definitely something that you want to include in awareness training early on, that particular new employees are specifically targeted by these sort of scams. And Malwarebytes has an interesting blog post about how Google is being abused in order to advertise fake tech support numbers. Now, this is a new way to abuse Google. We had in the past where malicious advertisers were basically just claiming to publish a tech support number for Dell or Microsoft or whoever and include as part of their Google ad. Now, this one is a little bit different. When you're clicking on the link in the ad, it actually goes to the legitimate webpage. So, for example, in Malwarebytes case, we wrote about this, if the attacker would place an ad for Malwarebytes. And then when you click on the ad, you actually end up on Malwarebytes website. But there is an option that advertisers can take advantage of. And, well, you know, usually people are searching for things on Google. So, what the advertiser is doing here that the search string the user clicked on, well, that one is passed to the website. So, what the malicious advertiser is doing now is that they pre -fill that search string with a string like, well, you know, tech support for Malwarebytes is 1800 something. And that's now blindly being added by the website to a search box, making it appear to be part of the website. Interesting little trick that makes it much more plausible for a victim to assume that this is a legitimate phone number because they see it on the victim's company's website. It's a little bit sort of like cross-site scripting, but it's really just plain content. There is no HTML, JavaScript, or anything like this involved. And Google published a blog post with details regarding some targeted tags that they have seen in order to get app-specific passwords from users. The problem, of course, we all have is, well, we all like to use two-factor authentication. But in some cases, two-factor authentication doesn't really work that well, for example, in some legacy email clients. The solution often has been then the use of application -specific passwords, which really, well, are just bypassing the entire multi-factor authentication process. Now, the advantage of these passwords is usually that they're system generated, so they're long random string, nothing the user picks. But of course, this is not phishing resistant. What these attacks are doing is that they are claiming to be a legitimate application. One of them, for example, was called ms.state .gov, to somehow fit into the profile of the targeted victim. That then tricks the user into obtaining an application-specific password and handing it to this malicious application, which in turn, of course, will use this application-specific password to then access the user's account, in particular, email. One misconception often about these application -specific passwords is that they're not only application -specific. The application -specific for the application using the password but often are providing access to the entire user's account, not just to specific server-side applications. A better option here, of course, is typically OAuth. But in general, even with OAuth, you have similar issues where users may provide OAuth credentials to malicious applications. So definitely review any applications that are linked to your account either with application -specific passwords or OAuth credentials from time to time. Well, and that's it for today. Thanks for listening. Don't forget it's still time to register for Science Fire. So thanks and talk to you again on Monday. Bye.
Does your organization have an InfoSec opening? Post a job listing with the SANS Internet Storm Center
© 2025 SANS™ Internet Storm Center
Developers: We have an API for you! 