Comment by theamk 10 months ago

77 replies

Do people really fall for a scam like that?

First, I assume the author knows the email came from github, as the screenshot does not show this very clearly. If that's the case:

Red flag #1: email links to a variation of a real domain. If you don't have information on who github-scanner.com is, it is pretty safe to assume it's a scam, just because it sounds like a real website.

GIANT Enormous Huge Red Flag #2: captcha asks you to type a command in a shell. I have no comment on how naive one must be to do this.

thephyber 10 months ago

It’s a numbers game.

Nobody is perfect. The more features of credibility there are, the higher the percentage of conversions will most likely be. But not everybody has excellent vision, is not time-pressured, and is not tired or exhausted.

There are lots of conditions that make otherwise difficult fraud targets easier to trick.

And if it can be done at large scale / automated, then small conversion rates turn into many successful frauds (compromised accounts).

  • acomjean 10 months ago

    I think they’re hoping for coincidences and the higher the numbers the more likely they’ll find one.

    I got a real letter from the IRS two days before I got the scam message on my answering machine. The timing was uncanny and I might easily have fallen for it, had I not already dealt with it.

    It’s the same for the Chinese language calls, if you speak Chinese it really resonates.

    There was a scam in the 90s where you’d call a number and they’d give you sports betting advice. They’d do it for free as a promotion trying to sell their service when you won. They’d tell half the callers bet team A and the other half team B. The numbers made it work.

    “Splitting games 50-50 like that—known in the biz as "double-siding"—is the oldest trick in the handicapper's very thick book. That way he knows he has at least some happy customers coming back.”

    https://vault.si.com/vault/1991/11/18/1-900-ripoffs-the-ads-...

  • generic_dev_47 10 months ago

    Agree, I once fell for a scam that I think I otherwise wouldn't have because of a string of circumstances: being tired and stressed, it being Christmas time and I had actually ordered stuff, but also because I had just upgraded iOS to the first version that put the address bar in Safari at the bottom of the screen instead of the top, so I forgot to check the domain!

    I've since changed the address bar back to the top…

    In the end I didn't lose anything, but it was a good wake-up call for sure.

  • szundi 10 months ago

    Thanks for this summary. People often forget that they (hopefully) have grandmas, and that they themselves sometimes make mistakes as well, for whoever knows what reason. Sometimes.

thih9 10 months ago

If this was within my first year of owning a GitHub account, I would absolutely fall for this.

It's not much different from setting up your ssh key - something that you have to do; and new users also go through this workflow by copy-pasting commands that GitHub sends them.

  • jampekka 10 months ago

    A prime example of how all the paranoid security hoops can easily make things more insecure in aggregate.

    Since Microsoft embraced and extended it, GitHub has become one of the worst offenders.

latexr 10 months ago

A few weeks ago someone opened an issue in one of my repos. In under a minute two accounts replied with links to file lockers asking the user to download and try some software to solve their issue. No doubt it was malware. I promptly deleted the comments and reported the accounts to GitHub.

I wouldn’t have fallen for such an obvious ploy, but the original asker seemed like they weren’t particularly technical, judging by the sparse GitHub history and quality of the question. I could see them perhaps falling for that if they were uncritical and too eager to try anything.

ceejayoz 10 months ago

Email from a different domain is unfortunately quite common. Citi and PayPal both do it for some emails. Pisses me off every time.

  • szundi 10 months ago

    I just don't get it, how hard could it be? How expensive could this be? Because lots of times they just pay these damages to the customer, because no one knows how this very secure credit card data was compromised. This baffles me. Someone, please enlighten us, there must be a valid reason - at least from an angle.

    • sofixa 10 months ago

      Having a bunch of different domains can serve multiple purposes.

      In GitHub's case, they already have githubusercontent.com to avoid serving untrusted stuff from their own github.com domain.

      Sending marketing or security scanner (potentially very spammy) notification emails from separate domains can help with reputation too, to avoid your main domain getting marked as spam.

      These are all legit; Amex having 20 different domains, half of which smell like phishing, and still sending emails from other domains is just incompetence. Something like marketing people or someone dealing with strategy deciding to do stuff in a certain way, with nobody technical in the room to tell them why that would be a problem. As an example, a friend's organisation wanted to do a SaaS website for their niche, and a separate website to advertise the SaaS (separate domain, visual identity, everything).

      • progval 10 months ago

        My theory for most of these cases: they would need permission from who knows what department(s) to set up a subdomain of the main domain for their project, and it's easier to just purchase a new domain for the team/project.

        • Zopieux 10 months ago

          Nailed it. This is 100% pragmatism/convenience-based decision making rooted in terrible culture, red tape, bad communication and dumb org charts.

  • m3047 10 months ago

    Keep your SPF simple. Otherwise, make sure it works. Aaand, how many people actively monitor their DNS infrastructure?

obscurette 10 months ago

I'm old enough to remember ILOVEYOU. In the years after that I have seen millions and millions thrown into educating users not to click on wrong things.

Last month I was at a conference where the keynote was from the CEO of a cybersecurity company. The whole point of the speech was that we need more money because in some cases more than 80% of users still fall for email scams. My very serious question to the speaker was: if after many millions and almost 25 years more than 80% of users still click on wrong links, then maybe we are doing something really wrong?

  • bugtodiffer 10 months ago

    We are, but people want convenience.

    Try to get a company built around Word to use another tech that doesn't require running unsigned macros from emails...

    You literally can't, they laugh at you for saying things like "don't use Microsoft".

  • guappa 10 months ago

    They measure by clicks… but clicking a link doesn't mean you'll follow through and put in your username, password, and 2fa code.

    Ultimately he's a businessman seeking more money. Doesn't mean he can be trusted.

    • kayodelycaon 10 months ago

      In my opinion, these products are nothing but scams. I can’t use any links from work emails on my phone because I can’t see the domain of a link without previewing the page. IT told me I needed to change system-wide settings to disable previewing webpages in every app on my phone. Not happening.

      Fortunately, my work email supports IMAP, so I can use a script to scan my inbox for fake phishing emails and delete them.

  • mnau 10 months ago

    We are not doing anything wrong, but we are completely neglecting the attacker side.

    All our actions are defensive.

    Look at our physical security. Basically nothing is reasonably protected. 99% of stuff (buildings, locks) can be broken into with tools available in any home depot.

    The key reason why it doesn't happen that much is because it's possible to find the attacker.

    Why can any scammer just create a website without any traceability? It wouldn't be foolproof, but it would raise the bar.

    • chii 10 months ago

      > Why can any scammer just create a website without any traceability?

      Because of jurisdictional challenges.

      Not to mention that this very same traceability would be abused by some other authoritarian gov't to track down dissidents for example.

      There's no real way to systematically have good security, if the human element is the weakest link tbh. Securing windows is not a technical problem, but a social and educational one.

      • mnau 10 months ago

        More like no will.

        Does the domain/server implement the required level? No? Block the connection. Ditto email, with an automatic response.

        Is your IP in a botnet? Cut it off.

        Edit: I already get blocked connections (on the target site) because EU regulation is too onerous. I get reminded on basically every Google search that I am being censored ("Some results may have been removed under data protection law in Europe").

        Completely doable.

    • unethical_ban 10 months ago

      Do you think people should have to get permission to host a server on the internet?

prmoustache 10 months ago

> GIANT Enormous Huge Red Flag #2: captcha asks you to type a command in a shell. I have no comment on how naive one must be to do this.

I guess the critical thinking of devs and wannabe devs has been softened by all the `curl <script> | bash` installation instructions.

  • d3nj4l 10 months ago

    Yeah exactly, I do that all the time when filling captcha!

edelbitter 10 months ago

They do. Just after seeing instructions to run this, and complying:

> curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

(Yup, .rs is the ccTLD for the Republic of Serbia, of former SFR Yugoslavia)

chii 10 months ago

> captcha asks you to type a command in a shell. I have no comment on how naive one must be to do this.

Someone who knows computers (like a programmer) might not fall for it, but people who do not know computers but are dabbling could easily fall for it.

The copied command specifically puts in a "user friendly captcha message" into the end, to overflow the run dialog textbox, so that a user who obeyed the instructions will see something vaguely resembling valid captcha verification:

    # " ''I am not a robot - reCAPTCHA Verification ID: 93752"

Phishing and scams are not about catching out pros, but catching out "normies".

It's quite scary that the scammers have put thought and effort into the method of infiltration, because this is "novel" as far as I have heard.

mewpmewp2 10 months ago

I can understand clicking on the link while not paying attention, but I do wonder how many people who are signed up on GitHub would follow through with pasting this command. I could understand if elderly non technical people might follow up with it, but this one, I wonder what the rate is.

  • hmottestad 10 months ago

    Just clicking on the link might be enough. Maybe you have a slightly outdated browser with a known vulnerability. Maybe you’re holding off on installing an update just to be sure it won’t break anything.

    And even if everything is up to date Pwn2Own regularly shows that having a user browse to a website is enough to get root access. Thankfully most people don’t have to worry about this since they are unlikely to attract the attention of someone with that level of resources.

    • hmottestad 10 months ago

      If I had those kinds of resources I might even put a captcha on the site that asks the user to do something incredibly stupid just to make them think they were in the clear.

    • mewpmewp2 10 months ago

      Yeah, I think the barrier to get people to just click on a link (outside of e-mail as well) is very low, so that would be easy to affect anyone.

maicro 10 months ago

All valid points, but I will say services don't help in this situation - I received an email from @redditmail.com recently, which is real and part of reddit but feels off on first glance.

Couple that with gmail having no way to show the full email address (by default - I know you can hover, etc.), rather than the sender-provided "sender name", and my false-positive rate for at least double checking and confirming the sending domain is kinda high...better that than a bunch of false-negatives of course.

eviks 10 months ago

> Red flag #1: email links to a variation of real domain

It's too common (MS also does this) to be a red flag.

Dibby053 10 months ago

> GIANT Enormous Huge Red Flag #2: captcha asks you to type a command in a shell. I have no comment on how naive one must be to do this.

Funnily enough there's at least one legit captcha that has you do this: if you have JavaScript/WASM disabled it gives you the option of running the anti-DDOS proof-of-work in a shell and pasting the result in a textbox.

me-vs-cat 10 months ago

> Do people really fall for a scam like that?

You should put a "voice activated" sticker on a random break room appliance (toaster, water/ice dispenser, microwave, coffee machine, ...).

Don't use strong adhesive if your desk is within hearing distance.

antimemetics 10 months ago

You assume the scammers want everyone to fall for this trick.

The reality is different - they leave these huge red flags so that people who aren’t very bright or careful will fall for it.

That is the same reason why scammers put spelling mistakes in emails - not because they don’t know how to use spellcheck, but because they want to filter out those who would spot these mistakes.

They want to scam careless, gullible, „stupid“ people, not someone who is careful enough to spot security red flags.

godelski 10 months ago

> Do people really fall for a scam like that?

I routinely get people opening issues on my projects asking where the source code is, or how to fine-tune their models on different data, or even how to install pytorch.... There's a lot of people on GitHub that don't know the first thing about coding. There's a lot of people on GitHub that don't know how to use Google... This even includes people with PhDs...

zahlman 10 months ago

Not only does it ask you to copy and paste a command in shell, but Windows apparently warns you that it will run with admin privileges.

Aside from that:

> Nowhere in the email does it say that this is a new issue that has been created, which gives the attacker all the power to establish whatever context they want for this message.

What about the non-user-controlled "(Issue #1)" in the subject line?

Stratoscope 10 months ago

Red flag #3: "Github Security Team"

A legitimate GitHub email would never mis-capitalize the company name like that. It would be GitHub, as shown in the footer that the attacker does not control.

OTOH, this is a very common mistake. The article alternates between the correct GitHub and the incorrect Github. So it would be easy to not notice that error.

voytec 10 months ago

> Do people really fall for a scam like that?

Yes. It wouldn't be a thing otherwise. I know at least two fairly intelligent people, one literally being a Mensa member, who fell for sextortion emails and got their files encrypted.

Scareware is based on social engineering, and is crafted to trigger an emotional response, not an educated one.

sureglymop 10 months ago

Just to let you know, even GitHub themselves use multiple domains instead of just subdomains of github.com (see githubnext.com).

So, I wouldn't blame the victims here if the service itself does not realize why that is not such a good idea.

  • 8n4vidtmkvmk 10 months ago

    Yeah.. I don't like when companies do that. I usually Google the domain first to see if it's legit, but even that isn't foolproof.

lgats 10 months ago

re #1: the email could link to a github pages site hosting the same malware...

re #2: it doesn't really have you typing into shell, 'just paste'

mixtureoftakes 10 months ago

Honestly I would have typed commands in a shell if a "captcha" asked me for it. Just to see the scale of the outcome's awfulness.

I'm almost bored enough to just start installing weird malware for research and funsies

fijiaarone 10 months ago

Everyone has been trained for years to do this:

    curl http://obscure.url?random-string | sh

  • dullcrisp 10 months ago

    If there were a legitimate looking GitHub how-to page that asked me to do that, I can see myself doing it. Fortunately, I ignore all security issues on my repositories.

  • umanwizard 10 months ago

    No they haven’t, they’ve been trained to do

        curl https://url-of-well-known-project | sh

    I may not trust the owners of a random domain, but I certainly trust the owners of rustup.rs not to do anything intentionally malicious.

    • account42 10 months ago

      Then you are more trusting of the Serbian National Internet Domain Registry than you should be.

    • guappa 10 months ago

      Microsoft owns more domain names than the amount of neurons in the brain.

  • kurisufag 10 months ago

    People make a lot of noise about piping into shell, but even if the instructions were

        wget random.club/rc-12-release.sh
        chmod +x ./rc-12-release.sh
        ./rc-12-release.sh

    almost nobody would actually read the script before running it.

    • dullcrisp 10 months ago

      Well yeah, if your intention is to install software from random.club on your system, what would be the point of checking the installer script? The worst thing it can do is the same thing you want it to do.

  • micw 10 months ago

    Another red flag. I cannot take any project seriously that has this in its documentation.

    • kadoban 10 months ago

      You prefer that they wrap it in an .msi file and put it on that same website? What do you think the advantages of that are?

    • umanwizard 10 months ago

      I guess you don’t think the Rust programming language is a serious project, then?

      • guappa 10 months ago

        I mean they even named the website cargo, after cargo culting! (jk)

    • d0mine 10 months ago

      What is the more secure way in your opinion? What is the weak link here? TLS transport? Possibly compromised hosting/codebase? Trust in app authors? Not reading the shell script? Checking a signature of some file?

      • micw 10 months ago

        My issue is the bypassing of the system's package manager. Doing so will result in files spread somewhere over the system. How do you uninstall such a thing properly? How do you update (or even know) its dependencies? Will it break because I uninstall or update one of its dependencies?

        Linux has had very good package management for many years. I see absolutely no reason to break this by creating shell installers.
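The `curl ... | sh` versus `wget; chmod +x; run` exchange above, and d0mine's question about what the more secure way would be, as an added shell example that is not code from anyone in the thread: download the installer to disk, check it against a checksum obtained separately, and only then read and run it. The installer name (borrowed from kurisufag's example), the checksum file and the temp directory are all constructed locally here so the demo runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: "download, verify, read, then run"
# instead of piping a remote script straight into sh. Everything is built
# locally so it runs offline; the checksum file stands in for one a project
# would publish through a separate channel (release page, signed tag).
set -eu

# Portable sha256 (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Constructs a sample installer plus its matching checksum file in a temp
# dir and prints the dir. Stands in for the wget/curl download step.
make_sample() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\necho "installing rc-12 (constructed sample)"\n' \
    > "$dir/rc-12-release.sh"
  sha256_of "$dir/rc-12-release.sh" > "$dir/rc-12-release.sh.sha256"
  echo "$dir"
}

# verify_then_run FILE CHECKSUMFILE
# Runs FILE only if its sha256 matches the published value; returns 1 otherwise.
# With the script on disk before it executes, you can read it first, the
# whole file is present (a pipe into sh executes whatever arrived before a
# dropped connection), and the hash pins the bytes to what was published.
verify_then_run() {
  file=$1
  sumfile=$2
  expected=$(cat "$sumfile")
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file; refusing to run" >&2
    return 1
  fi
  sh "$file"
}
```

A tampered or truncated download changes the hash, so `verify_then_run` refuses it; a checksum served from the same host as the script only catches corruption, which is why it should come from an independent channel.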