Comment by theamk

Comment by theamk 8 hours ago

29 replies

Do people really fall for scams like that?

First, I assume the author knows the email came from github, as the screenshot does not show this very clearly. If that's the case:

Red flag #1: email links to a variation of a real domain. If you don't have information on who github-scanner.com is, it is pretty safe to assume it's a scam, just because it sounds like a real website.

GIANT Enormous Huge Red Flag #2: captcha asks you to type a command in a shell. I have no comment on how naive one must be to do this.

thih9 10 minutes ago

If this was within my first year of owning a GitHub account, I would absolutely fall for this.

It's not much different from setting up your ssh key - something that you have to do; and new users also go through this workflow by copy pasting commands that GitHub sends them.

thephyber 7 hours ago

It’s a numbers game.

Nobody is perfect. The more features of credibility, most likely there will be a higher percentage of conversions. But not everybody has excellent vision, is not time-pressured, and is not tired/exhausted.

There are lots of conditions that make otherwise difficult fraud targets more easy to trick.

And if it can be done at large scale / automated, then small conversion rates turn into many successful frauds (compromised accounts).

  • szundi 43 minutes ago

    Thanks for this summary. People often forget they (hopefully) have grandmas and themselves sometimes making mistakes as well for -- whoever knows what reason. Sometimes.

latexr 6 hours ago

A few weeks ago someone opened an issue in one of my repos. In under a minute two accounts replied with links to file lockers asking the user to download and try some software to solve their issue. No doubt it was malware. I promptly deleted the comments and reported the accounts to GitHub.

I wouldn’t have fallen for such an obvious ploy, but the original asker seemed like they weren’t particularly technical, judging by the sparse GitHub history and quality of the question. I could see them perhaps falling for that if they were uncritical and too eager to try anything.

ceejayoz 7 hours ago

Email from a different domain is unfortunately quite common. Citi and PayPal both do it for some emails. Pisses me off every time.

  • szundi 41 minutes ago

    I just don't get it, how hard it could be? How expensive this could be? Because lots of times they just pay these damages to the customer, because no one knows how this very secure credit card data was compromised. This baffles me. Someone, please enlighten us, there must be a valid reason - at least from an angle.

eviks 2 hours ago

> Red flag #1: email links to a variation of real domain

It's too common (MS also does this) to be a red flag.

mewpmewp2 7 hours ago

I can understand clicking on the link while not paying attention, but I do wonder how many people who are signed up on GitHub would follow through with pasting this command. I could understand if elderly non-technical people might follow up with it, but this one, I wonder what the rate is.

  • hmottestad 22 minutes ago

    Just clicking on the link might be enough. Maybe you have a slightly outdated browser with a known vulnerability. Maybe you’re holding off on installing an update just to be sure it won’t break anything.

    And even if everything is up to date Pwn2Own regularly shows that having a user browse to a website is enough to get root access. Thankfully most people don’t have to worry about this since they are unlikely to attract the attention of someone with that level of resources.

    • hmottestad 19 minutes ago

      If I had those kinds of resources I might even put a captcha on the site that asks the user to do something incredibly stupid just to make them think they were in the clear.

zahlman 3 hours ago

Not only does it ask you to copy and paste a command in shell, but Windows apparently warns you that it will run with admin privileges.

Aside from that:

> Nowhere in the email does it say that this is a new issue that has been created, which gives the attacker all the power to establish whatever context they want for this message.

What about the non-user-controlled "(Issue #1)" in the subject line?

sureglymop 34 minutes ago

Just to let you know, even github themselves use multiple domains instead of just subdomains of github.com (see githubnext.com).

So, I wouldn't blame the victims here if the service itself does not realize why that is not such a good idea.

  • 8n4vidtmkvmk 12 minutes ago

    Yeah.. I don't like when companies do that. I usually Google the domain first to see if it's legit, but even that isn't foolproof.

fijiaarone 7 hours ago

Everyone has been trained for years to do this:

curl http://obscure.url?random-string | sh

  • dullcrisp 7 hours ago

    If there were a legitimate looking GitHub how-to page that asked me to do that, I can see myself doing it. Fortunately, I ignore all security issues on my repositories.

  • umanwizard 6 hours ago

    No they haven’t, they’ve been trained to do

        curl https://url-of-well-known-project | sh

    I may not trust the owners of a random domain, but I certainly trust the owners of rustup.rs not to do anything intentionally malicious.

  • kurisufag 7 hours ago

    people make a lot of noise about piping into shell, but even if the instructions were

    wget random.club/rc-12-release.sh

    chmod +x ./rc-12-release.sh

    ./rc-12-release.sh

    almost nobody would actually read the script before running it

    • dullcrisp 6 hours ago

      Well yeah, if your intention is to install software from random.club on your system, what would be the point of checking the installer script? The worst thing it can do is the same thing you want it to do.

  • micw 2 hours ago

    Another red flag. I cannot take any project seriously that has this in its documentation.

    • umanwizard an hour ago

      I guess you don’t think the Rust programming language is a serious project, then?

    • kadoban an hour ago

      You prefer that they wrap it in an .msi file and put it on that same website? What do you think the advantages of that are?

    • d0mine an hour ago

      What is the more secure way in your opinion? What is the weak link here? TLS transport? Possibly compromised hosting/codebase? Trust in app authors? Not reading the shell script? Checking a signature of some file?
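The download-then-verify alternative that this sub-thread circles around, as an added example that is not any commenter's code: fetch the installer to a file, compare its SHA-256 against a hash obtained out of band, and only then run it. The installer body, its path and the "published" hash are constructed here so the example runs offline; it assumes coreutils `sha256sum` is available.

```shell
# Added example: refuse to execute a downloaded installer unless its
# SHA-256 matches a hash published by the project on a separate channel.
# A `curl ... | sh` pipeline has no such checkpoint: the bytes go straight
# from the network into the interpreter.
verify_and_run() {
    script="$1"      # local path of the downloaded installer
    expected="$2"    # SHA-256 published out of band by the project
    actual=$(sha256sum "$script" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $script: refusing to run" >&2
        return 1
    fi
    sh "$script"
}

# Constructed stand-in for a downloaded installer (no network needed).
# The file name mirrors the one quoted in the thread; it is not real.
tmpdir=$(mktemp -d)
installer="$tmpdir/rc-12-release.sh"
printf '%s\n' '#!/bin/sh' 'echo "installer ran"' > "$installer"

# The "published" hash. In practice this is copied from the project's
# release page or signed release notes, never computed from the file
# you just fetched; it is computed here only so the example is self-contained.
published=$(sha256sum "$installer" | cut -d' ' -f1)

# A constructed tampered copy: one extra line, as a modified mirror or a
# man-in-the-middle would produce. Its hash no longer matches `published`.
tampered="$tmpdir/rc-12-release-tampered.sh"
cp "$installer" "$tampered"
echo 'echo "unexpected extra step"' >> "$tampered"
```

Run against the untouched file the function executes it; run against the tampered copy it prints the mismatch and returns 1 without executing anything.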

lgats 6 hours ago

re #1: the email could link to a github pages site hosting the same malware...

re #2: it doesn't really have you typing into shell, 'just paste'

mixtureoftakes 7 hours ago

Honestly I would have typed commands in a shell if a "captcha" asked me for it. Just to see the scale of the outcome's awfulness.

I'm almost bored enough to just start installing weird malware for research and funsies