
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Monday, March 31st: Comparing Phishing Sites; DOH and MX Abuse Phishing; opkssh
Mar 31, 2025
Explore the fascinating world of phishing with a deep dive into two seemingly similar sites that use different backend technologies. Discover how a new phishing variant leverages DNS MX records and DoH for more targeted attacks. Plus, learn about an innovative tool that incorporates OpenID Connect with SSH, streamlining secure login processes. This discussion highlights the evolving methods of cyber threats and the importance of robust security measures.
Similar Phishing Sites, Different Backends
- Two phishing sites looked similar and used the same trick of including a website's favicon.
- However, their backends differed significantly, suggesting they evolved from the same phishing kit.
Meerkat Phishing Kit
- A new Meerkat phishing kit variant uses DoH in JavaScript to find MX records and customize phishing pages.
- It exploits an open redirect in DoubleClick and uses client-side technology for DNS lookups.
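For defenders, a browser asking a DoH endpoint for MX records is unusual and worth surfacing in proxy logs. The following is an added example, not code from the episode or from the kit: it flags DoH GET requests whose question type is MX, in both the JSON-style (`name`/`type`) and RFC 8484 wire-format (`dns=`) forms. The log layout, the function names and the use of the public `dns.google` and `cloudflare-dns.com` resolvers in the sample lines are assumptions.

```python
import base64
from urllib.parse import urlsplit, parse_qs

MX = 15  # DNS QTYPE value for MX

def question_from_wire(b64):
    """Decode an RFC 8484 'dns=' parameter and return (qname, qtype)."""
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(msg) < 12 or int.from_bytes(msg[4:6], "big") < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while msg[pos] != 0:                      # IndexError if truncated
        n = msg[pos]
        if n > 63:
            raise ValueError("invalid label length in question")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if len(msg) < pos + 5:
        raise ValueError("truncated question")
    return ".".join(labels), int.from_bytes(msg[pos + 1:pos + 3], "big")

def doh_mx_lookup(url):
    """Return the queried name if url is a DoH GET asking for MX, else None."""
    q = parse_qs(urlsplit(url).query)
    try:
        if "dns" in q:                        # wire format, RFC 8484
            name, qtype = question_from_wire(q["dns"][0])
            return name if qtype == MX else None
        if "name" in q:                       # JSON style: ?name=...&type=MX
            qtype = q.get("type", ["A"])[0].upper()
            return q["name"][0] if qtype in ("MX", str(MX)) else None
    except (ValueError, IndexError):
        pass
    return None

# Constructed proxy log lines: client, referring page, requested URL.
SAMPLE_LOG = [
    "10.0.0.5 https://landing.example/ https://dns.google/resolve?name=corp.example&type=MX",
    "10.0.0.5 https://landing.example/ https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAADwAB",
    "10.0.0.9 https://intranet.example/ https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB",
    "10.0.0.7 - https://dns.google/resolve?name=example.org&type=AAAA",
]

def scan(lines):
    """Return (client, referring page, queried name) for each DoH MX lookup."""
    hits = []
    for line in lines:
        client, referer, url = line.split(" ", 2)
        name = doh_mx_lookup(url)
        if name:
            hits.append((client, referer, name))
    return hits
```

The check keys on the query parameters rather than the resolver hostname, so it also catches other DoH endpoints; POST-based DoH carries the question in the request body and is not visible in URL logs.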
Open-Source Tool for SSH
- Cloudflare's OPK-SSH integrates SSH logins with identity providers using OpenID Connect.
- This tool solves the problem of static SSH keys by using centrally managed identities.
