Cybercriminal Posed as 'Helpful' Stack Overflow User To Recommend Malware Hosted on PyPi (bleepingcomputer.com) 43
An anonytmous reader shared a recent report from BleepingComputer:
Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware — answering users' questions by promoting a malicious PyPi package that installs Windows information-stealing malware... "We further noticed that a StackOverflow account 'EstAYA G' [was] exploiting the platform's community members seeking debugging help [1, 2, 3] by directing them to install this malicious package as a 'solution' to their issue even though the 'solution' is unrelated to the questions posted by developers," explained Sonatype researcher Ax Sharma in the Sonatype report.
Sonatype's researcher "noticed that line 17 was laden with ...a bit too many whitespaces," according to the report, "in turn hiding code much further to the right which would be easy to miss, unless you notice the scroll bar. The command executes a base64-encoded payload..."
And then, reports BleepingComputer... When deobfuscated, this command will download an executable named 'runtime.exe' from a remote site and execute it. This executable is actually a Python program converted into an .exe that acts as an information-stealing malware to harvest cookies, passwords, browser history, credit cards, and other data from web browsers. It also appears to search through documents for specific phrases and, if found, steal the data as well.
All of this information is then sent back to the attacker, who can sell it on dark web markets or use it to breach further accounts owned by the victim.
Sonatype's researcher "noticed that line 17 was laden with ...a bit too many whitespaces," according to the report, "in turn hiding code much further to the right which would be easy to miss, unless you notice the scroll bar. The command executes a base64-encoded payload..."
And then, reports BleepingComputer... When deobfuscated, this command will download an executable named 'runtime.exe' from a remote site and execute it. This executable is actually a Python program converted into an .exe that acts as an information-stealing malware to harvest cookies, passwords, browser history, credit cards, and other data from web browsers. It also appears to search through documents for specific phrases and, if found, steal the data as well.
All of this information is then sent back to the attacker, who can sell it on dark web markets or use it to breach further accounts owned by the victim.
Where's the feds? (Score:2, Insightful)
They're just gonna allow people to do this stuff?
Re:Where's the feds? (Score:5, Informative)
What the hell is the US law enforcement going to do for someone who is likely not inside their jurisdiction? If the Feds got involved every time some person got duped, they'd be busy reeducating fools. Which we already have a place for that, it's called school.
What this is, is a great lesson for folks who blindly accept the words of unknown folks online. There's a super simple solution to this that doesn't require taxpayer money going to an alphabet soup agency for shit these people should have learned in elementary school.
Don't believe everything you read on the internet.
- Abraham Lincoln
Perhaps the folks who are affected will get this concept stuck inside that gray thing between their ears. One can only hope, even if it's a fool's hope in this case.
Hope they don't train LLMs on SO (Score:3)
Can't wait for the first time an LLM "helps" a user by just vomiting up malware install instructions.
Re: Hope they don't train LLMs on SO (Score:4, Interesting)
Re: (Score:1)
Re: (Score:1)
haha but ending your life is "a" solution to depression. I wouldn't call it a good solution but it's a solution. A permanent solution to a temporary problem.
Re: (Score:2)
You just know that this malware was included in some AI training sets...
On the bright side, since AI doesn't actually have intelligence or understanding, it will likely screw up the malware by rewriting it so that it doesn't work.
Know what you are doing. (Score:5, Insightful)
Everyone wants a quick shortcut to everything. AI will make this worse. There really is no better replacement for Actually Knowing What You Are Doing, and there never will be.
Re: (Score:2)
Indeed. But there is no way to make that clear to most people, because they are intellectually lazy as well.
We really are accelerating the division of IT into technicians (can use AI and has some minimal skills besides that) and engineers (a small minority that actually knows what they are doing). As technicians become less and less valuable, more and more of them will face unemployment.
Re: (Score:2)
Re: (Score:2)
But knowing what you're doing is HARD. Copy/pasting someone else work is so much easier!
Singular? (Score:4, Insightful)
This isn't the first time someone on the internet gives bad advice now is it.
Re: Singular? (Score:1)
Quite a difference between someone trying to help but getting it wrong and someone actively posting wrong answer, or even worse, like in this case, intentionally trying to wreak havoc and to exploit the one(s) looking for answers.
Re: Singular? (Score:2)
It's not the first time someone uses social engineering as a way to spread malware. It might be the first time that behavior has been seen on StackOverflow.
we all know (Score:5, Informative)
Yet we all do it...
https://thejh.net/misc/website... [thejh.net] , at the time of writing, this was a safe toy to demonstrate this.
Even though I know about this, and remind myself regularly, I still do paste into the terminal.
Re: (Score:3, Informative)
I see what I'm missing
the point.
Re: (Score:3)
Yet we all do it... https://thejh.net/misc/website... [thejh.net] , at the time of writing, this was a safe toy to demonstrate this.
Even though I know about this, and remind myself regularly, I still do paste into the terminal.
I didn't try pasting what you linked to - the prospect gave me the heebie jeebies. On those rare occasions when I do paste commands into the terminal, I always read, parse out, and (mostly at least) understand the content. I do that both before and after pasting. And the terminal window saves my ass if there's a CR, by warning me of an unsafe paste. I've been thankful for that on several occasions.
Re: (Score:3)
Reading and understanding the command on the page wouldn't help here, unless you read and understand the final contents of your clipboard... ;)
Go view the source
Re: (Score:2)
Reading and understanding the command on the page wouldn't help here,
Guess I'm getting old. I can't read the stuff sized at -100px. ;-)
Re: (Score:2)
Reading and understanding the command on the page wouldn't help here, unless you read and understand the final contents of your clipboard... Go view the source ;)
I just tried it - in a text editor first, where all the extra text showed up. After that, I pasted it into a terminal window, and got an "unsafe paste" warning popup which showed all the extra stuff my text editor had already revealed.
xfce4-terminal FTW!
Re: (Score:2)
Anybody that does not want to try this (which is a good idea), just use "view source".
Re: (Score:2)
Hah! Fooled them.
I copy/paste into a vi session.
Just waiting until some hacker includes an ESC and a shell command. :-(
In other news, (Score:2)
the mean IQ of the Stack Overflow users that has been falling for years has crossed a threshold meaning that such attacks are now feasible.
Stack Overflow of the User (Score:2)
We all know, "Stack Overflow" refers to what happens in the user's brain :)
This is a big problem. (Score:5, Funny)
Fortunately there's a plugin available [chromewebstore.ru] for Chrome that automatically detects and warns about known phishing and malware attempts, and which is pretty responsive to such threats.
Re:This is a big problem. (Score:5, Funny)
I tried that, but I get an error saying the rootkit won't run on my Apple ][.
Re: (Score:2)
LOL
Re: (Score:2)
Funny. Nice .ru extension on that URL... :-)
Difficult to replicate (Score:4, Funny)
The real achievement here is someone managing to get an answer onto Stack Overflow. That makes the exploit very difficult!
The easiest target to Hack (Score:4, Insightful)
SO is a tool (Score:2)
SO is a tool like any other. (Yes, as are LLMs.)
Yes, you can cut your hand off with a tool, if you use it blindly/stupidly. So ... don't do that.
Just taking a "tools are evil" stance is just as stupid though.
Re: (Score:3)
Did anyone claim that SO is evil? (If so, I missed it.) This seems much more like a warning. To extend your analogy, they're saying "it's easy to accidentally cut off your hand when you do this specific thing, so pay attention when you're doing that thing".
Re: (Score:3)
While I agree, some tools are "experts-only" because they are too dangerous for regular people.
This is exactly why I ... (Score:1)
... don't just copy or take over anything from Stack Overflow.
Meh... (Score:3)
Another example of social engineering - and a pretty unsophisticated one at that. All of us occasionally learn something the hard way.
I feel bad for anyone who got pwned this way; but the upside is that they'll probably refrain from doing it again. Or they'll win a Darwin award. Either way, it's a self-limiting problem.
Re: (Score:2)
Indeed. It is more like the attacker wanted to see whether people are really this stupid. And look, they are.
Feeding OpenAI (Score:2)
Betcha the goal is to train OpenAI on these.
And, seriously, anybody here could do better on the actual SE attack.
Save us both the trouble (Score:1)
See the best new exciting insight on this subject the internet has to offer here: www.dumbass.net. Or save us both the trouble and just snail mail us cash.
Remember when people posted fork bombs? (Score:3)
Re: (Score:2)
Almost as if the Internet is just a reflection of the offline world. People are horrible.
And water is wet /s (Score:2)