Windows PowerShell Phish Uses Fake CAPTCHA, Downloads Credential Stealer

"Many GitHub users this week received a novel phishing email warning of critical security holes in their code," reports Krebs on Security — citing an email shared by one of his readers: "Hey there! We have detected a security vulnerability in your repository. Please contact us at https://github-scanner[.]com to get more information on how to fix this issue...." Clicking the "I'm not a robot" button generates a pop-up message asking the user to take three sequential steps to prove their humanity. Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter "R," which opens a Windows "Run" prompt that will execute any specified program that is already installed on the system.

Step 2 asks the user to press the "CTRL" key and the letter "V" at the same time, which pastes malicious code from the site's virtual clipboard. Step 3 — pressing the "Enter" key — causes Windows to launch a PowerShell command, and then fetch and execute a malicious file from github-scanner[.]com called "l6e.exe...." According to an analysis at the malware scanning service Virustotal.com, the malicious file downloaded by the pasted text is called Lumma Stealer, and it's designed to snarf any credentials stored on the victim's PC.
Even though this might fool some users, Krebs points out that Microsoft "strongly advises against nixing PowerShell because some core system processes and tasks may not function properly without it. What's more, doing so requires tinkering with sensitive settings in the Windows registry..."

Thanks to long-time Slashdot reader sinij for sharing the article.

This is daft

[DesertNomad]

OMG. Here user, here's the instructions to let me hack your computer.

Re:

[gweihir]

Being clueless comes with increased risk in life. This applies to small and big things.

PowerShell for Linux

[NotEmmanuelGoldstein]

... GitHub users ...

If you're not smart enough to recognize an 'execute' command, you're not smart enough to own a GitHub account.

With the Linux UI now being Windows-like, does this work (assuming PowerShell for Linux is installed)?

Re:

[Bert64]

You wouldn't need powershell, the same thing could be achieved in bash on linux just as easily. The difference is that linux users are on average more tech savvy and wouldn't fall for it.

What it really shows is that neither windows not linux are suitable systems for such users, and they would be better off with a walled garden system like ios or chromeos.

Re:

[rta]

not a windows dev, but I think i fell for a joke Ctrl-W once, and almost for an Alt+F4. It's one of those things that if you haven't encountered and if it hits you when you're not paying full attention or something, i think it can get you. especially since Ctrl-V since prob many people don't even think "Ctrl-V" for paste ... they think "paste".

Nowadays i think there should prob. be more default indication of what's in the clipboard / when the clipboard content changes. (although there is some sens

Probably works well on the average Windows "dev"

[gweihir]

These people are not very smart, after all. That apparently some want to remove PowerShell as a "countermeasure" just makes this even more obvious.

Re:

[Bert64]

That's the typical clueless kneejerk response, block/remove something useful instead of learning how to use it properly.

Idiots

[lsllll]

Why was removing PowerShell even suggested? Why not just give instructions to remove the web browser and the email client? Problem solved!

Re: Idiots

[madbrain]

Have you tried to uninstall Edge lately ?

This is a big flaw in many OSes

[Anonymous Cward]

Every system should have implemented mandatory access controls to mitigate this type of thing by now. It shouldn't be that easy to get at the private data of end users without them knowing what application is requesting access, and them directly approving said access.

Android, iOS, ChromeOS and even macOS got this right by providing cryptographically immutable base systems with the majority of running processes forbidden from touching users private data by default. Executing malware on these systems is no

Re:

[lsllll]

Every system should have implemented mandatory access controls to mitigate this type of thing by now.

It's not about access control. Both Windows and Linux try to separate administrative access from user access and for those who know the difference and how to use them, they pretty much work. But you gotta realize that a user must have access to their local directory, should be able to download files, and be able to execute them. If you don't allow them to do that, then you're not going to be considered a "user-friendly" O/S.

It shouldn't be that easy to get at the private data of end users without them knowing what application is requesting access, and them directly approving said access.

If a user is dumb enough to follow instructions as introduced by this hack, they

Re:

[Jeremi]

a user must have access to their local directory, should be able to download files, and be able to execute them.

The problem (not only for naive users, but for all users) is how to know whether the executable they are downloading and executing will do what they expect vs something malicious?

Sure, in a scenario like this it is easy to scoff and say that the user should have picked up on the obvious clues, but it's not difficult to imagine a scenario where the methods for convincing the user to install and execute a malicious executable are sophisticated enough to fool even the most knowledgable user. For example, one

Re:

[The MAZZTer]

I would say that the PC is an "open" platform while iPhone is a "closed" platform, with other platforms being in various places on the scale between the two.

The more "open" a platform is the more things a user can do with it, which opens up more risk to an uneducated user being exploited through social engineering, and there's nothing developers can do to mitigate this without compromising the openness of the platform. Either the user should move to a more limited closed platform for their own safety, givi

Re:

[The MAZZTer]

To be clear I agree with my parent post, I am just trying to distill it down.

Re:

[Bert64]

should be able to download files, and be able to execute them

On a general purpose OS aimed at geeks sure, on a consumer device no they shouldn't at least not by default.