First, I assume the author knows the email came from github, as the screenshot does not show this very clearly. If that's the case:
Red flag #1: email links to a variation of a real domain. If you don't have information on who github-scanner.com is, it is pretty safe to assume it's a scam, just because it sounds like a real website.
GIANT Enormous Huge Red Flag #2: captcha asks you to type a command in the shell. I have no comment on how naive one must be to do this.
Nobody is perfect. The more features of credibility there are, the more likely there will be a higher percentage of conversions. But not everybody has excellent vision, is free of time pressure, and is not tired/exhausted.
There are lots of conditions that make otherwise difficult fraud targets easier to trick.
And if it can be done at large scale / automated, then small conversion rates turn into many successful frauds (compromised accounts).
If this was within my first year of owning a GitHub account, I would absolutely fall for this.
It's not much different from setting up your ssh key - something that you have to do; and new users also go through this workflow by copy pasting commands that GitHub sends them.
A few weeks ago someone opened an issue in one of my repos. In under a minute two accounts replied with links to file lockers asking the user to download and try some software to solve their issue. No doubt it was malware. I promptly deleted the comments and reported the accounts to GitHub.
I wouldn’t have fallen for such an obvious ploy, but the original asker seemed like they weren’t particularly technical, judging by the sparse GitHub history and quality of the question. I could see them perhaps falling for that if they were uncritical and too eager to try anything.
I'm old enough to remember ILOVEYOU. In the years after that I have seen millions and millions thrown into educating users not to click on the wrong things.
Last month I was at a conference where the keynote was from the CEO of a cyber security company. The whole point of the speech was that we need more money because in some cases more than 80% of users still fall for email scams. My very serious question to the speaker was: if after many millions and almost 25 years more than 80% of users still click on wrong links, then maybe we are doing something really wrong?
> captcha asks you to type a command in the shell. I have no comment on how naive one must be to do this.
Someone who knows computers (like a programmer) might not fall for it, but people who do not know computers but are dabbling could easily fall for it.
The copied command specifically puts a "user friendly captcha message" at the end, to overflow the run dialog textbox, so that a user who obeyed the instructions will see something vaguely resembling valid captcha verification:
# " ''I am not a robot - reCAPTCHA Verification ID: 93752"
Phishing and scams are not about catching out pros, but catching out "normies".
It's quite scary that the scammers have put thought and effort into the method of infiltration, because this is "novel" as far as I have heard.
I can understand clicking on the link while not paying attention, but I do wonder how many people who are signed up on GitHub would follow through with pasting this command. I could understand if elderly non-technical people might follow up with it, but this one, I wonder what the rate is.
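As an added illustration (not code from the thread), a small heuristic that triages Run-dialog entries, for instance from a RunMRU export or an EDR process-creation log, for the padding trick the comment above describes. The sample entries are constructed, the command head is a placeholder, and the visible-width figure is an assumption.

```python
import re

# Lure phrases used to dress the pasted command up as captcha verification.
LURE = re.compile(r"not a robot|(?:re)?captcha|verification id|verify you are human", re.I)
# PowerShell-style trailing comment: whitespace, '#', then the rest of the line.
TRAILING_COMMENT = re.compile(r"^(?P<head>.*?)\s+#(?P<tail>.*)$")
# Assumption: roughly how many characters the Win+R text box shows without scrolling.
VISIBLE_CHARS = 60


def triage_run_entry(entry: str) -> list[str]:
    """Return the reasons an entry looks like the padded 'fake captcha' trick.

    An empty list means no indicator fired.
    """
    reasons = []
    m = TRAILING_COMMENT.match(entry)
    if not (m and LURE.search(m.group("tail"))):
        return reasons
    reasons.append("trailing comment carries captcha lure text")
    if len(entry) > VISIBLE_CHARS and LURE.search(entry[-VISIBLE_CHARS:]):
        reasons.append("lure text is what the Run dialog displays; the real command is scrolled out of view")
    if re.match(r"\s*(?:powershell|pwsh|cmd)\b", m.group("head"), re.I):
        reasons.append("a command interpreter is invoked directly from the Run dialog")
    return reasons


# Constructed sample entries. The first is modelled on the tail quoted in the thread;
# its head is a placeholder, not the campaign's actual payload. The third shows that
# an ordinary trailing comment without lure text does not fire.
SAMPLE_ENTRIES = [
    'powershell -c "PLACEHOLDER-COMMAND"  # " \'\'I am not a robot - reCAPTCHA Verification ID: 93752"',
    "notepad.exe",
    "powershell -c Get-Date # check clock",
]


def triage_all(entries: list[str]) -> dict[str, list[str]]:
    """Map each entry that fired at least one indicator to its reasons."""
    hits = {}
    for entry in entries:
        reasons = triage_run_entry(entry)
        if reasons:
            hits[entry] = reasons
    return hits


if __name__ == "__main__":
    for entry, reasons in triage_all(SAMPLE_ENTRIES).items():
        print(entry)
        for reason in reasons:
            print("  -", reason)
```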
All valid points, but I will say services don't help in this situation - I received an email from @redditmail.com recently, which is real and part of reddit but feels off on first glance.
Couple that with gmail having no way to show the full email address (by default - I know you can hover, etc.), rather than the sender-provided "sender name", and my false-positive rate for at least double checking and confirming the sending domain is kinda high...better that than a bunch of false-negatives of course.
> GIANT Enormous Huge Red Flag #2: captcha asks you to type a command in the shell. I have no comment on how naive one must be to do this.
Funnily enough there's at least one legit captcha that has you do this: if you have JavaScript/WASM disabled it gives you the option of running the anti-DDOS proof-of-work in a shell and pasting the result in a textbox.
You assume the scammers want everyone to fall for this trick.
The reality is different - they leave these huge red flags so that people who aren’t very bright or careful will fall for it.
That is the same reason why scammers put spelling mistakes in emails - not because they don’t know how to use spellcheck, but because they want to filter out those who would spot these mistakes.
They want to scam careless, gullible, "stupid" people, not someone who is careful enough to spot security red flags.
I routinely get people opening issues on my projects asking where the source code is or how to fine tune their models on different data or even how to install pytorch.... There's a lot of people on GitHub that don't know the first thing about coding. There's a lot of people on GitHub that don't know how to use Google... This even includes people with PhDs...
Not only does it ask you to copy and paste a command in shell, but Windows apparently warns you that it will run with admin privileges.
Aside from that:
> Nowhere in the email does it say that this is a new issue that has been created, which gives the attacker all the power to establish whatever context they want for this message.
What about the non-user-controlled "(Issue #1)" in the subject line?
A legitimate GitHub email would never mis-capitalize the company name like that. It would be GitHub, as shown in the footer that the attacker does not control.
OTOH, this is a very common mistake. The article alternates between the correct GitHub and the incorrect Github. So it would be easy to not notice that error.
Yes. It wouldn't be a thing otherwise. I know at least two fairly intelligent people, one literally being a Mensa member, who fell for sextortion emails and got their files encrypted.
Scareware is based on social engineering, and is crafted to trigger an emotional response, not an educated one.
I got a much more convincing email from PayPal recently, someone sent a quote (apparently a feature that can be used unsolicited), and set their company name to something like "PayPal need to get in touch about a your recent payment of $499.00, please call +1-....", so this is most of the text at the top because their quotes email is "<name> is sending you a quote for $xxx".
This email came from the real PayPal.com, how they haven't gotten on top of usernames like that is beyond me for a payment processor. I reported it to them but haven't heard anything back, hopefully they banned that account but they should ban all names like that.
This email honestly was formatted to look like a legit PayPal email, I have to imagine that scam will trick a lot of normal people.
Get in touch, see my bio website, if you want the email.
>This email honestly was formatted to look like a legit PayPal email,
This is why anything but plain text should be blocked in emails (besides security reasons). Anybody with 5 minutes of HTML experience can create "legit looking" emails.
I could see junior developers falling for this. Hey it's Github, it's legit right? We get security notifications every second month about some lib everyone uses etc.
"Oh look, captcha by running code, how neat!"
I don't think webpages should be able to fill your copy/paste buffer from a click without a content preview. They made it require a user action, such as clicking, thinking that would solve the problem, but it's still too weak. That's problem number 1.
People need to stop actioning any links from emails and/or believing that any content in an email has legitimacy. It doesn't. That's problem number 2.
Problem number 3, Windows still lets you root a machine by 1 line in powershell? What the @$$%&%&#$?
Github might need to stop people putting links in issues without being checked by automated services that can validate the content as remotely legitimate. They're sending this stuff to people's email, don't tell me they're not aware this could be used for phishing! That's cyber security 101, in 2015.
Finally, Github, in being unable to act on the above, may need to better strip what they email to people, and essentially behave more like banks "you have a new issue in this repository..." and that's that. You then go there, there is no message, ok great. That would have taken care of this issue...
Can be summarized with: Don't click on links in email.
So is github-scanner.com (and github-scanner.shop) still the same malicious party? It seems to be. Funny that their DNS is hosted by Cloudflare (who, famously, don't host anything, because they think we're all dumb). Cloudflare, who take responsibility for nothing, has no way to report this kind of abuse to them.
The domain which hosts the malware, 2x.si, both uses Cloudflare for DNS and is hosted by Cloudflare. At least it's possible to report this to Cloudflare, even though they rate limit humans and have CAPTCHAs on their abuse reporting forms.
Sigh. Thanks to Cloudflare, it's trivial these days to host phishing and malware.
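As an added illustration (not code from the thread), a link triage that puts the earlier "variation of a real domain" red flag and the domains named above into practice: it extracts the links from a notification body and labels each host as first-party, a brand lookalike, or unrelated. The allow-list and the two-label "registrable domain" shortcut are assumptions, and the sample body is constructed with placeholder paths.

```python
import re
from urllib.parse import urlsplit

# Assumption: only github.com itself counts as first-party here. Hosts that serve
# user-controlled content (pages, raw content) are deliberately left out.
FIRST_PARTY = {"github.com"}
BRAND = "github"
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+")


def registrable(host: str) -> str:
    """Naive registrable domain (last two labels); assumption: no public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """first-party: under github.com; lookalike: brand name in an unrelated host."""
    if registrable(host) in FIRST_PARTY:
        return "first-party"
    if BRAND in host.lower():  # github-scanner.com, github.com.example.test, ...
        return "lookalike"
    return "third-party"


def triage_links(body: str) -> dict[str, str]:
    """Map every http(s) link in the body to its host classification."""
    result = {}
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        result[url] = classify_host(host)
    return result


# Constructed notification body. The hosts are the ones named in the thread;
# OWNER, REPO and PLACEHOLDER-PATH are placeholders, not real values.
SAMPLE_BODY = """Security Alert: your repository has a vulnerability.
Verify at https://github-scanner.com/verify before continuing.
Mirror: https://github-scanner.shop/verify or https://2x.si/PLACEHOLDER-PATH
View it on GitHub: https://github.com/OWNER/REPO/issues/1
"""

if __name__ == "__main__":
    for url, label in triage_links(SAMPLE_BODY).items():
        print(f"{label:12} {url}")
```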
I realized I have never deleted an issue I started, but aren't people with admin access the only ones with the ability to delete issues on a repo? [1] So actually there is a trace of that issue in the repository. Same thing for pull requests.
Their claim that nothing tells you the email corresponds to the new issue is wrong, the "(Issue #1)" in the title means exactly that. I have actually received the same email myself and immediately recognized it as a new issue created on the repo.
This user is obviously not used to GitHub issues as is made clear by the fact that this is the first issue on this repo. I guess GitHub needs to do a better job teaching new users.
I received one of these notifications this morning and promptly ignored it. I had to laugh because it was about this repo specifically: https://github.com/kyledrake/theftcoinjs
OMG! I was getting similar GitHub notification emails saying they had detected a vulnerability in my repo, but never figured out they were fake before this news; anyway, I never clicked because I'm a lazy programmer :), once it's written it's written. I do rewrite the code but don't find bugs and fix them in my code. :D
The GitHub security alert digest[1] is a real thing. It's a feature of GitHub where they report security vulnerabilities in your project's dependencies. For example, if you use python and you have specified the requests library in your requirements.txt, GitHub will send you emails about disclosed vulnerabilities in that library, urging you to upgrade to a higher version where it's fixed.
I don't understand what's special about this particular attack! >:( When I read the title I thought some automated GitHub emails were forged to sneakily point to a fake GitHub site or something. An obvious (for tech-savvy users) link pointing to an obvious malware (please copy and execute this code to solve the captcha.) If the people you are targeting fall for this, why not send an old fashioned spam email with fake headers or via some hacked Wordpress installation? I guess using GitHub notifications is creative, but in the end not much different than sending a facebook message with a fake link, and the user getting an email notification with the message? The analysis of the malware once downloaded was certainly interesting, though! :)
It's quite sad that in 2024 HN commenters still blame the victim, especially when the original author does a great job suggesting small changes that Microsoft can make to make their products safer for their users.
I turned off most GitHub emails and mostly use the Notification Centre for discovering things I need to know about. It's not entirely proof against phishing this way, but it doesn't get to use email to appear more legitimate.
An excellent slashvertisement for Virus Total. Wrapped in an important cautionary tale about how GitHub issues can be manipulated to try to spread malware.
This has happened for a while. In February of this year, the same attack vector was used in an attack to trick developers into thinking that they'd got a job offer from GitHub: https://www.xorlab.com/en/blog/phishing-on-github
It's worth checking every link you get even if it's from a trusted source, like GitHub... and to be able to restore the data, it's worth having a backup
Months ago I got crypto ads through a similar approach, some fake new account @-ing hundreds of users in an issue and then the issue is removed. The net effect is that the ads become unblockable in your email box (It's from GitHub!).
Maybe devs' target value in general has grown to a point where the openness of the system is more of a vulnerability than a service.
Might want to change the image too, macOS recognises the link in that and makes it clickable. I’d say that’s more dangerous than modifying it in the text of the post, you could just as well include a non-clickable text link.
prmoustache | 1 year ago
I guess critical thinking of devs and wannabe devs has been softened by all the `curl <script> | bash` installation instructions.
edelbitter | 1 year ago
> curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
(Yup, .rs is the ccTLD for the Republic of Serbia, of former SFR Yugoslavia)
eviks | 1 year ago
It's too common, MS also does this, to be a red flag
me-vs-cat | 1 year ago
You should put a "voice activated" sticker on a random break room appliance (toaster, water/ice dispenser, microwave, coffee machine, ...).
Don't use strong adhesive if your desk is within hearing distance.
sureglymop | 1 year ago
So, I wouldn't blame the victims here if the service itself does not realize why that is not such a good idea.
lgats | 1 year ago
re #2: it doesn't really have you typing into shell, 'just paste'
keyle | 1 year ago
It seems Github needs to graduate a bit here.
elashri | 1 year ago
[1] https://docs.github.com/en/issues/tracking-your-work-with-is...
qwertox | 1 year ago
Easy to be suspicious with the link alone, but it's fun to see someone digging into it.
jonathanlydall | 1 year ago
Try this, I think it will fix your issue (install GCC if you need a compiler): (Bitly link redirecting to zip file on mediafire) Pass: (something)
GitHub processed my abuse report within an hour and removed all posts by that user.
romantomjak | 1 year ago
[1] https://docs.github.com/en/code-security/dependabot/dependab...
slig | 1 year ago
I got dozens of such spam during a whole day.
rnts08 | 1 year ago
This is almost as easy as it was to call someone and ask them for the number of the modem on their desk and their logins back in the bad old days.
Considering the target platform I'm not overly surprised though.