SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Friday, May 15th, 2026: Website Fraud; Outlook Link Preview Bug; NGINX Vuln; Cisco 0-Day

7 min
May 15, 2026
Summary

This episode covers four critical cybersecurity threats: fraudulent e-commerce websites using stolen product images, an Outlook link preview vulnerability that hides malicious URLs, four NGINX vulnerabilities including a heap-based buffer overflow enabling arbitrary code execution, and a critical Cisco SD-WAN controller authentication bypass already exploited in the wild.

Insights
  • Fraudulent websites can be identified through multiple indicators including stolen product images and suspicious payment processing patterns that charge cards multiple times from different vendors
  • Security tools designed to help users identify threats (like Outlook's junk folder URL display) can paradoxically create vulnerabilities when they fail to render malicious links properly
  • Proof-of-concept exploits released without ASLR support may still pose significant risk as attackers typically require only minor modifications to exploit protected systems
  • Critical vulnerabilities with perfect CVSS scores that are already exploited in the wild require immediate patching with no viable workarounds available
Trends
  • Increasing sophistication of e-commerce fraud using legitimate product imagery and multi-vendor payment schemes to evade detection
  • Security feature failures in email clients creating new attack vectors by obscuring threat indicators users rely on
  • Rapid weaponization of published vulnerabilities with proof-of-concept code being adapted for real-world exploitation within hours of disclosure
  • Critical infrastructure vulnerabilities in SD-WAN controllers indicating expanded attack surface in enterprise network management tools
  • Coordinated vulnerability disclosure and patching across multiple Linux distributions enabling faster security response
Companies
F5
Released patches for four NGINX vulnerabilities disclosed by Depth First security researchers
Cisco
Patched critical 10.0 CVSS authentication bypass vulnerability in Catalyst SD-WAN controller already exploited in the...
Depth First
AI code security company that discovered and disclosed four vulnerabilities in NGINX to F5
eBay
Fraudulent websites identified stealing product images from eBay listings to appear legitimate
Microsoft Outlook
Email client vulnerability where junk folder link preview feature fails to display URLs missing protocol schemes
People
Johannes Ullrich
Host of SANS Stormcast daily cybersecurity podcast recording from San Diego, California
Joshua Nicholson
Wrote diary on detecting fraudulent websites by analyzing design, stolen images, and testing with limited credit cards
Jan
Discovered Outlook junk folder vulnerability where links missing protocol schemes fail to display in URL preview
Quotes
"these are often these fairly cheap consumer goods websites that offer various items at a real good price but well don't really look quite legit"
Johannes Ullrich, early in episode
"Joshua actually went ahead and got a specific credit card number with a very small limit of five dollars and placed an order and in some of these cases the card was immediately charged multiple times from multiple vendors"
Johannes Ullrich, mid-episode
"This could be a problem because users are getting used to looking at the junk folder to better figure out what a particular message may be attempting to accomplish, whether it is a real message or spam or phishing"
Johannes Ullrich, Outlook vulnerability discussion
"Proof of concept doesn't quite work with common Linux distributions, but well, only some changes are likely required to make it work"
Johannes Ullrich, NGINX vulnerability discussion
"It's an authentication bypass vulnerability that got the distinction of a perfect 10.0 CVSS score. And yes, it's already exploited in the wild."
Johannes Ullrich, Cisco vulnerability discussion
Full Transcript
Hello and welcome to the Friday, May 15, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from San Diego, California. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking.

Well, today we have actually two diaries to talk about. The first one comes again from one of our undergraduate interns. Joshua Nicholson is writing about how to essentially inspect a website to see if it may be fraudulent. These are often these fairly cheap consumer goods websites that offer various items at a real good price but, well, don't really look quite legit, in part because of sort of the design and the way the sites are created. So it's always a little bit difficult to figure out if they actually offer a valid product or if they are really just interested in scamming you. Well, in this particular case, Joshua offers a couple of hints that point to scam sites, like, for example, where product images were stolen from eBay listings and the like. And also, kind of as the ultimate proof, Joshua actually went ahead and got a specific credit card number with a very small limit of five dollars and placed an order. And in some of these cases, in some of these websites, well, the card was immediately charged multiple times from multiple vendors for various amounts that were not necessarily related or anything close to the cost of the item advertised on the site. So real good work, and I think that's useful kind of as sort of a test of quick sanity checks on a website to figure out if it may be legitimate or not. Now, going all the way and actually trying to order something using some credit card number, that's probably too much for most people, but even the other hints are quite good in order to sort of do a quick triage on any deal that may look a little bit too good.

And Jan came across an interesting bug, or dare I say vulnerability, in Outlook. Outlook, if you are placing a message in the junk folder, has the nice property of actually removing some of the formatting from the message, making it easier to see what, for example, links are hiding. Now, Jan did just that. He had a spam message in the junk folder, but apparently the links were not displaying at all, basically the URL that the link linked to. The issue here apparently was that these links were missing the scheme or protocol, so the http:// prefix. It just started with the host name followed by the remainder of the URL. While these types of links are still working, basically HTTPS is then used as a default protocol in this case when you click on the link, this does make it technically an invalid URL, and it looks like Outlook in the junk folder will not display these URLs because they don't match the pattern that Outlook is expecting for the URLs. This could be a problem because users are getting used to looking at the junk folder to better figure out what a particular message may be attempting to accomplish, whether it is a real message or spam or phishing, as in this case. And without the URL being displayed correctly, this of course is just getting more difficult.

And researchers from AI code security company Depth First have released a blog post with details regarding four vulnerabilities in NGINX. These vulnerabilities were disclosed to F5, and today, in sync with the release of the blog post, F5 also released patches for NGINX. I already have seen some of these patches also hit major Linux distributions. There are four different vulnerabilities that Depth First has uncovered. One of them in particular sticks out and deserves some attention. It's a heap-based buffer overflow in the rewrite module, and this vulnerability can lead to arbitrary code execution. The one caveat here is that the proof of concept being released so far only works if ASLR, the address space layout randomization, is not enabled. Usually for Linux distributions, this is enabled. So you have a little bit extra time left here until attackers are finding the actual exploit that also supports systems with ASLR. And Depth First stated that they believe this flaw is exploitable with ASLR enabled. It may, however, require a good number of requests to make the exploit work. So proof of concept is released. Proof of concept doesn't quite work with common Linux distributions, but well, only some changes are likely required to make it work with common Linux distributions. This is definitely sort of one of those patches that you want to get a handle on probably before the weekend if possible. But I know it's not always that easy to update your web server. But again, major Linux distributions have patches available.

And well, if you're not running NGINX and you have some extra time this Friday, there is also a new critical vulnerability that was patched by Cisco in the Catalyst SD-WAN controller. It's an authentication bypass vulnerability that got the distinction of a perfect 10.0 CVSS score. And yes, it's already exploited in the wild. So definitely take a look at the advisory published by Cisco. They also have some guidance here as to what to do if you believe that you're compromised. And no workaround here other than applying the patch.

Well, this is it for today. So thanks again for listening, thanks for liking, thanks for sharing this podcast with your friends. And there will be no podcast on Monday due to my travel schedule, so talk to you again on Tuesday. Bye.
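The scheme-less links described in the Outlook segment can be surfaced at triage time by parsing the HTML body and reporting every anchor whose `href` starts with a host name. This is an added example, not code from the podcast or the diary; the function names, the host-name heuristic and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Host-like href with no scheme: dotted hostname, optional port, optional path/query.
# Heuristic: mail has no base URL, so a relative name like "page.html" is flagged too.
HOSTLIKE_RE = re.compile(
    r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}(?::\d+)?(?:[/?#].*)?$")

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None

def find_schemeless_links(html_body):
    """Return anchors whose href starts with a host name instead of a scheme."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        href = href.strip()
        if HOSTLIKE_RE.match(href):
            findings.append({"href": href, "text": text.strip(),
                             # Assumption from the episode: clicking defaults to HTTPS.
                             "effective_url": "https://" + href})
    return findings

# Constructed sample body, not taken from a real message.
SAMPLE = """<p>Your parcel is waiting:
<a href="tracking.example.net/claim?id=1">Track package</a>
<a href="https://www.example.org/help">Help</a>
<a href="mailto:support@example.org">Contact</a></p>"""

if __name__ == "__main__":
    for f in find_schemeless_links(SAMPLE):
        print(f"{f['text']!r}: href={f['href']!r} -> {f['effective_url']}")
```

A mail gateway or analyst script could attach these findings to the message so the destination stays visible even when the client's preview omits it.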