
SANS Stormcast Monday, August 11th, 2025: Fake Tesla Preorders; Bad USB Cameras; Win-DoS Epidemic

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9564.mp3


Google Paid Ads for Fake Tesla Websites
Someone is setting up fake Tesla lookalike websites that attempt to collect credit card data from unsuspecting users trying to preorder Tesla products.
https://isc.sans.edu/diary/Google%20Paid%20Ads%20for%20Fake%20Tesla%20Websites/32186

Compromising USB Devices for Persistent Stealthy Access
USB devices, like Linux-based web cams, can be compromised to emulate malicious USB devices like keyboards that inject malicious commands.
https://eclypsium.com/blog/badcam-now-weaponizing-linux-webcams/

Win-DoS Epidemic: A crash course in abusing RPC for Win-DoS & Win-DDoS
Internet-exposed DCs can be used in very powerful DoS attacks.
https://defcon.org/html/defcon-33/dc-33-speakers.html#content_60389

Podcast Transcript

Hello and welcome to the Monday, August 11th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations.

This weekend's diary was about an, at least new to me, scam targeting, well, Tesla users or Tesla enthusiasts trying to pre-order some Tesla products, in particular the Tesla Optimus robot. If you're searching for Tesla Optimus pre-orders on Google, you're being confronted with a number of, well, links that are sponsored, so they're paid for, but they're not paid for by Tesla. If you're clicking on any of these links, you are ending up on a lookalike site that looks like a little bit older design of the Tesla website, but the latest domain name being used here, and that has been changing over the last few days, is offers-tesla.com. And now you're able here to pre-order some yet unreleased products, for example, the Optimus robot, which of course has been sort of heavily featured in the news, and it will happily allow you to pay for this robot using your credit card. I went through the checkout process here using just a fake credit card number, and it let me go through, so it didn't attempt to charge the number because that would have failed. It may use those numbers later to maybe, you know, resell them, use them on other websites. It's not really clear what the real endgame here is of this particular scam, but likely they're after stealing the credit card data. There's also no login on the page, unlike the real Tesla page. So when you come back later, well, you're unlikely to be able to check the status of your order, so it may take a while for the user to realize that they have been scammed. Now, during the checkout process, it does offer you to register. I wasn't able at the time to complete it because spam filters, as I found out later, ate the sort of confirmation email that is being sent back. But either way, even if you register on this particular site, well, like I said, there is no real spot here to log in. Similarly, if you're trying to pre-order any of the other products, like any of the Tesla cars, you will be allowed to go through the process. But, well, it definitely doesn't go to Tesla. It just basically takes a credit card number, and, not sure, again, you know what they'll do with the number, but the money is very unlikely going to go to Tesla. These sites have been rotating. They stay up for a couple of days. So I assume that at one point Tesla, or someone else, is actually then shutting them down. But they keep setting up new sites. The naming scheme is always some prefix like offers, pre-order, or the like, dash, tesla.com.

And then we got a couple of quick items from DEF CON, which of course happened this weekend. First one here, researchers from Eclypsium demonstrated what they call a BadCam attack. Now, what this really is all about is that if you do have any kind of USB device, an attacker is able to update the firmware on that USB device. The attacker would have to first trick the victim into executing code, but then it gains a nice persistent access to the system just by basically updating the firmware of the USB device. They demonstrate that using webcams running Linux. I can imagine that this will work with any other USB device that has easily updatable firmware. So first you compromise the system. Then you discover what kind of peripherals are connected. You update the firmware of one of these peripherals. And then you can basically turn this particular peripheral, like the webcam in this case, into a USB keyboard and inject keystrokes executing additional malicious code. And again, this is probably more sort of a persistent technique where once you compromise the system, you put some kind of code into that webcam that will continuously reinstall, for example, a backdoor after it was removed. With these USB devices being out of scope for any kind of endpoint protection, that makes it a real neat way to sort of hide malicious code.

And then another interesting DEF CON talk was from Shahak Morag. I hope I pronounced the name correctly, but it was about an interesting denial of service attack that in particular affects domain controllers that are exposed to the internet, which I don't think is something you really should do. And I think that's another reason why you shouldn't do this. The problem here is RPC and how this can easily be abused for denial of service. RPC is required for a domain controller. And the basic underlying trick here is that the attacker is turning your domain controller via RPC into an LDAP client and then is sending it a flood of LDAP referral URLs that are all pointing to the same IP address. And if you're using this, your domain controller will now flood this other system with these LDAP queries. And that leads to a denial of service attack. Of course, some rate limiting on the receiving end may help here. This is really sort of more of a CPU/memory exhaustion attack. So it's not just plain flooding it with packets, not just a volumetric attack, but still, don't expose your domain controllers. I think that's the number one lesson to take away from this here.

Well, and that's it for today. Thanks for listening. Thanks for liking and recommending this podcast and for leaving good podcast reviews. If I missed anything, if I missed a story, if I missed something from DEF CON, Black Hat or such, let me know. And by the way, I never mind if, like, an author or a researcher is telling me about something they just published. I don't like marketing people doing it, but researchers, if that was your work, you want to get it to the world. Well, that's what research is all about, to disseminate your results. So let me know. And that's it for today. Thanks and talk to you again tomorrow. Bye.
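As an added example (not from the podcast or from Eclypsium's research), here is a small Python triage check for the BadCam item: it parses the raw USB descriptor blob that Linux exposes under /sys/bus/usb/devices/*/descriptors and flags any single device that enumerates both a Video interface and a HID interface, which is the combination a webcam reflashed to also act as a keyboard would present. The sample descriptors below are constructed, with a hypothetical vendor/product ID.

```python
import glob
import struct

# Codes from the USB spec: descriptor type 4 = interface; class 0x03 = HID, 0x0E = Video.
DT_INTERFACE = 0x04
CLASS_HID = 0x03
CLASS_VIDEO = 0x0E


def interface_classes(descriptors: bytes) -> list:
    """Walk the (bLength, bDescriptorType, ...) chain of a raw descriptor blob and
    return bInterfaceClass for every interface descriptor, in enumeration order."""
    classes, i = [], 0
    while i + 2 <= len(descriptors):
        length, dtype = descriptors[i], descriptors[i + 1]
        if length < 2:  # malformed entry: stop instead of looping forever
            break
        if dtype == DT_INTERFACE and length >= 9:
            classes.append(descriptors[i + 5])  # byte 5 of an interface descriptor
        i += length
    return classes


def looks_like_badcam(descriptors: bytes) -> bool:
    """True when one device enumerates both a Video and a HID interface."""
    seen = set(interface_classes(descriptors))
    return CLASS_VIDEO in seen and CLASS_HID in seen


def scan_sysfs(root: str = "/sys/bus/usb/devices") -> list:
    """Return sysfs paths of attached devices that match; empty list off Linux."""
    hits = []
    for path in glob.glob(f"{root}/*/descriptors"):
        with open(path, "rb") as f:
            if looks_like_badcam(f.read()):
                hits.append(path)
    return hits


# Constructed sample descriptors (hypothetical VID 0x1234 / PID 0x5678), laid out as
# in sysfs: device descriptor, then configuration descriptor, then its interfaces.
def _iface(num, cls, sub=0, proto=0):
    return struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, num, 0, 1, cls, sub, proto, 0)


def _device(ifaces: bytes, n_ifaces: int) -> bytes:
    dev = struct.pack("<BBHBBBBHHHBBBB", 18, 1, 0x0200, 0, 0, 0, 64,
                      0x1234, 0x5678, 0x0100, 1, 2, 3, 1)
    cfg = struct.pack("<BBHBBBBB", 9, 2, 9 + len(ifaces), n_ifaces, 1, 0, 0x80, 50)
    return dev + cfg + ifaces


VIDEO_IFACES = _iface(0, CLASS_VIDEO, 1) + _iface(1, CLASS_VIDEO, 2)  # control + streaming
NORMAL_WEBCAM = _device(VIDEO_IFACES, 2)
REFLASHED_WEBCAM = _device(VIDEO_IFACES + _iface(2, CLASS_HID, 1, 1), 3)  # + boot keyboard
```

Some legitimate webcams expose a HID interface for a physical button, so treat a hit as a signal to compare against a known-good baseline of that model rather than as proof of tampering.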