Hello and welcome to the Thursday, February 6th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich and today I'm recording from
Jacksonville, Florida. Well, today I wrote up some of these
toll-smishing attacks. You probably got a few of them
yourself over the last year or so. The setup is always the
same. You're receiving a smishing message telling you
that you're overdue in paying the tolls, the highway tolls
for your car. And it offers you a link to who then pay the
tolls. Now, the attackers here are pretty good in sort of
customizing these messages somewhat. For example, myself
living in Florida, I am usually receiving messages on
my Florida phone number that refer to SunPass, the Florida
toll system. The domains being used here often use SunPass as
part of the host name. So a typical host name would be
sunpass.com, then a dash, followed by some random
characters. And that's something that you may be able
to use to detect users in your network that may have fallen
for one of these scams. Take a look if there are any DNS
lookups or HTTP requests for anything where the domain name
starts with com-. We do see about 100 to 500 of these
domains being registered daily. I don't think block
lists are that effective because these domains are very
ephemeral. They use them only for a very short time. But in
hindsight, it may help users if you identify anybody who
may have clicked on one of those links. Very importantly,
with these links, they usually tell you to reply to the
message with a Y. This is in order to make it more
difficult for phone companies to identify these messages.
That way, the message looks more organic in the sense that
there is traffic going forth and back to the number. In my
case, and that's very typical for some of the messages I've
seen, the number was actually a Philippine number, which
makes it pretty obvious that it's bad. But on a mobile
device, where it's often not that visible, it's somewhat
easy for a victim to fall for these scams if they use tolls
a lot and maybe expect a message like this. Always
remember that for most recipients, these messages
don't work. But there are always a couple people who are
just essentially being caught in a bad moment and are then
clicking and falling for these scams. On the little
postscript here, I also saw some that used tax dash for
tax scams. So that's definitely used as well. Maybe
not quite as common right now as the toll messages. But,
well, maybe we'll see more of that shortly as we approach
the tax filing deadline here in the U.S.

And we all know
Windows 10 will soon no longer receive any security updates.
Well, in case you try to keep Windows 10 machines alive,
Microsoft now published some pricing for its extended
security updates. Year one will cost you $61 per machine.
So maybe that's an incentive to upgrade to Windows 11. But
as always, Windows systems with older versions tend to
keep hanging around. We've seen this with Windows XP,
certainly Windows 7 somewhat, hopefully a little bit less
with Windows 10. And in the future, of course, that's an
issue that will continue to come back. So better take
notes and make sure you know what versions of Windows you
need to keep alive and on what systems you may need to keep
them alive.
Well, TLS is one of those protocols that keeps on giving
in the form of many, many subtle updates that keep
happening. Latest example is that Mozilla announced Firefox
will now enforce certificate transparency. Certificate
transparency logs are logs maintained by certificate
authorities. They're mandatory.
And in the certificate, you should have a signed
certificate timestamp, typically from at least two
different transparency logs that contain a record for your
certificate. If these SCTs, these signed certificate
timestamps are not in your certificate, then Firefox will
no longer trust the certificate. I believe
actually Google Chrome and Safari have already been doing
some form of this. In some cases, it may depend on how
long the certificate is valid for. And for longer valid
certificates, you may need more timestamps. The big issue
here are internal certificate authorities, which often don't
have certificate transparency logs. By default, this policy
is enforced for internal certificate authorities, but
you may disable that using an enterprise policy. So keep
that in mind if you all of a sudden get complaints from
users that they get bad certificate messages.

And we've got a couple of updates to talk about. First of all,
Veeam, the backup solution. Well, a common participant
here in the show. You may call him a friend of the show. The
critical vulnerability being addressed in Veeam is a
problem with their internal updater. It doesn't verify the
software properly. So there's a machine in the middle attack
here that would allow an unauthenticated attacker to
execute arbitrary code, essentially by inserting a
malicious backup. And then we also have an update from
Netgear for its Nighthawk Pro gaming router. Again,
arbitrary code execution is possible here. Did I mention
this week already that it's a good idea to have sort of a
monthly reminder in your calendar to tell you to double
check if your router firmware is up to date? Well, and
that's it for today. So thanks for listening and thanks for
all the feedback I'm getting. Thanks for the recommendation
as always. If you have a second, please click the five
stars in your podcast app, subscribe, or even better,
leave a quick positive review. Thanks and talk to you again
tomorrow. Bye.
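As an added example (not from the podcast or the SANS Internet Storm Center), here is a small Python scan over constructed DNS query-log lines that applies the detection idea from the toll-smishing segment: flag lookups whose name contains a label starting with "com-" (the sunpass.com-<random> pattern) and group them by client IP so those users can be followed up. The log line format, the sample entries and the extra "tax-" pattern are assumptions for this example.

```python
import re
from collections import defaultdict

# Hostnames of the form brand.com-<random>.<tld> (sunpass.com-xxxx in the episode):
# the registered domain starts with "com-", so any label beginning with "com-" is
# suspect. "tax-" is an assumption based on the tax-scam variant mentioned.
SUSPICIOUS_LABEL = re.compile(r"^(com|tax)-[a-z0-9-]+$")

# Constructed query-log format: <timestamp> <client-ip> <qtype> <qname>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

def suspicious_label(hostname):
    """Return the first label resembling the 'com-<random>' trick, else None."""
    for label in hostname.lower().rstrip(".").split("."):
        if SUSPICIOUS_LABEL.match(label):
            return label
    return None

def scan_dns_log(lines):
    """Return (line_no, client, hostname, label) for every lookup of a suspicious name."""
    hits = []
    for n, raw in enumerate(lines, 1):
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # tolerate blank or differently formatted lines
        qname = m["qname"].rstrip(".").lower()  # normalise case and trailing dot
        label = suspicious_label(qname)
        if label:
            hits.append((n, m["client"], qname, label))
    return hits

def clients_to_review(hits):
    """Group hits by client IP so the users behind them can be followed up."""
    by_client = defaultdict(set)
    for _, client, hostname, _ in hits:
        by_client[client].add(hostname)
    return {c: sorted(hosts) for c, hosts in by_client.items()}

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2025-02-06T09:12:04Z 10.0.0.12 A www.sunpass.com
2025-02-06T09:12:09Z 10.0.0.12 HTTPS sunpass.com-pay7x2q.top
2025-02-06T09:13:41Z 10.0.0.57 A cdn.example.net
2025-02-06T09:14:30Z 10.0.0.88 A tax-refund9k.example
2025-02-06T09:15:11Z 10.0.0.12 A SunPass.COM-b3tt4.xyz.
"""

if __name__ == "__main__":
    for client, hosts in clients_to_review(scan_dns_log(SAMPLE_LOG.splitlines())).items():
        print(f"{client}: {', '.join(hosts)}")
```

Because these domains are registered and discarded quickly, this is a hunt over historical logs rather than a block list; a hit tells you which user to talk to, not which domain to block.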