Feels like just adding a direct "don't send as paypal, apple etc" rules would probably work though.
https://www.fortinet.com/blog/threat-research/phish-free-pay...
If you aren't in control... just ignore it like any other spam mail.
Funny enough if I stayed at Google another year I would have been lucky enough to fix it myself and make an actually decent spam blocker.
The To: header _is_ part of the signed material so will list the original recipient not the victim — but the attacker sets the recipient name/address to something misleading like “Order Received” to obscure this, and sets the store name to some long text that will be misleading when templated into the PayPal invoice request mail text.
PayPal have long had a problem with failing to make untrusted supplied text clear in their communications, but this is an unusually convincing attack.
I don't know why they always use (compromised?) onmicrosoft subdomains in particular. In the samples I've seen they're getting an SPF softfail so it doesn't seem MS's relays are passing SPF for paypal (sendgrid's might...)
Microsoft obviously isn't "forging" it. It's valid: https://labs.guard.io/echospoofing-a-massive-phishing-campai...
1: https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-...
> This is still coming. The work is being completed now and we will be able to expose it in a few months.
I'm glad the official response has no date associated, so you won't know whether they published that yesterday or 8 years ago.
> Sounds like deleting a VM in Azure is as tedious as trying to manage resources in a complex role-playing game—one wrong step, and you’re stuck dealing with frustrating dependencies! If you’re tired of that kind of hassle, maybe it’s time to switch things up with Download SpinRP. Instead of deleting VMs in the right order, you can dive into an immersive world where strategy and excitement go hand in hand. Why deal with a “big fat pink error” when you could be making big moves in SpinRP instead?
<acknowledge and describe post you're replying to, use at least one "—"> <shill> <shill + acknowledge>
How hard could it be to add "add a few grammatical and spelling mistakes. Use no emojis. Reply like someone on instagram" or something to the system prompt? I shouldn't give them ideas, but come on, that's low hanging fruit.
Cherry on top: you used to pay to have an MSDN membership and access this wonderful community.
To be fair though, the early MSDN was really good, and in a distant past MVP was a real achievement (say early 2000s). Now it's a weird mix of real issues and "my printer blinks red, how to fix?"
I don't think anyone reads MSDN at Microsoft anymore, it's a deadland, but I guess they generate some metrics of user engagement and product feedback from there.
This was subsumed into answers.microsoft.com and it's turned into a few of those original "good with computers" retirees spending all day answering from within their own knowledge, now overwhelmed by countless individuals with names or flavors of English suggesting emerging economic zones "answering" everything with copy paste non-responsive responses.
If the asker persists through enough (5 - 8?) turns until the copy paster grasps that they don't understand the problem, then it turns into (paraphrasing) "no clue, I'm not real but was just trying to help, try Microsoft support".
This is so consistent, I wonder what is driving it. They seem to try to look official, but eventually say they are not actually Microsoft, and punt. What is this accomplishing? Why are they spending all this time? Is it some kind of training exercise or on-ramp to support jobs? Inquiring minds want to know!
Microsoft has a cert called "Most Valuable Professional" that gives out a ton of free stuff (free MSDN subscription, free admission to a conference that gives away hardware, etc). It also probably looks good on your resume to hiring managers who don't know any better. Renewing the cert involves doing "community work", and the easiest way to do community work is to post a lot on Microsoft's forums. Microsoft doesn't care about the quality of the posts, or whether they solve the problem, solely about the number. This is why whenever you look up a Windows issue and go to Microsoft's forums, you always see people posting the same copy-pasted "Hi, I'm a Microsoft community expert who has been providing independent Windows advice for the past 10 years. blah blah blah Have you tried running sfc /scannow?" response to every single problem.
Ah yeah, this is exactly what I was referring to!
> If the asker persists through enough (5 - 8?) turns until the copy paster grasps that they don't understand the problem, then it turns into (paraphrasing) "no clue, I'm not real but was just trying to help, try Microsoft support".
Yes! And if you are doing anything even slightly out of their grasp that requires doing something 'different', they assume you are doing something wrong or messing with stuff you shouldn't be, e.g. "You shouldn't be touching the registry" - ugh.
> This is so consistent, I wonder what is driving it. They seem to try to look official, but eventually say they are not actually Microsoft, and punt. What is this accomplishing? Why are they spending all this time? Is it some kind of training exercise or on-ramp to support jobs? Inquiring minds want to know!
I think it really is just older people who 'like' computers but never learned that much about them. They found a zone where they can mostly be helpful to people who know a little less than them, which is fine, but they don't understand maybe they should not try and solve every problem.
That kind of ridiculousness is way more common than you think. These people shouldn't be allowed to vote let alone try to assist in solving even remotely complex IT problems.
lol, I remember that but I forgot all about that until I saw your comment. Man that late 90s early 2000s internet was something else.
"We only sell the shovels, we don't use them, we don't think we have any holes needing dug."
> Sounds like deleting a VM in Azure is as tedious as trying to manage resources in a complex role-playing game—one wrong step, and you’re stuck dealing with frustrating dependencies! If you’re tired of that kind of hassle, maybe it’s time to switch things up with Download SpinRP. Instead of deleting VMs in the right order, you can dive into an immersive world where strategy and excitement go hand in hand. Why deal with a “big fat pink error” when you could be making big moves in SpinRP instead?
I’ve found Discord to be responsive to abuse complaints in the past. If someone wrote a simple script to download these repos and extract the Discord webhook links I bet you could get Discord to shut down their accounts.
In my past experience Discord was aggressive about this, going so far as to ban the accounts of people who had participated on those servers with clearly illegal purposes. They’ll come back and make new accounts again, of course, but having them lose all of their connected servers, history, and requiring them to update every single one of their malware drops should slow them down considerably.
The responsible thing would be also to release all related data, including personal information (IP addresses, emails, list of contacts, chat logs) to investigation (police, etc)
I don’t get visibility into internal Discord operations, though. We just see that the perpetrators lost both their Discord server and their accounts disappeared from other Discords they were in. They angrily returned later with new usernames.
Why are you sure? I really doubt it.
Such mechanisms should and will improve with time.
If a country doesn't provide legal support against scammers, then the requesting country can reciprocate - declare green light for scammers against the refusing country.
there's a large variety of malware, they don't all phone home the same way and they don't all phone home to discord
I’m not saying every malware uses Discord. I’m talking about the article.
The article is about using scripts to identify and download the malware. They identified over 1000 matching repos, which would contain Discord webhooks in the script.
Scanning and identifying has already been done. That’s literally what the article is about.
It’s right in the second paragraph:
> As soon as you download and launch any of these, all the data from your computer is collected and sent to some discord server
why don't we just send bad people to jail?
From the article:
> The "trust" value, when base64-decoded, turns out to be a discord webhook link: myhook = 'https://discord.com/api/webhooks/1050437982584324138/VJByvmB...'
Collect all the scripts matching the template. Extract the “trust” variable. Decode base64. Send to Discord with proof of how it was obtained.
Discord then identifies the Discords matching those webhooks.
It’s not some hard static analysis problem. These are python scripts with a base64 encoded variable. I don’t understand why you’re making it out to be something other than what the article says.
if it was that simple it would be a solved problem. i encourage you to give it a shot
No, the article is specifically about 1115 malware repos built from the same template
This is taken from the intro of the article:
> Wrote a script that helped me find 1115 repositories built based on the instructions from the guide.
I don’t know what you think you’re talking about, but you’re not talking about the article that I’m talking about.
The template repo is here: https://github.com/Jalynn0922/steal-cook
It contains the main.py script that the article is talking about.
Discord is free and easy. The notification pops up right where they’re already chatting with each other for 16 hours every single day.
Renting a VPS and writing custom software to accept a POST request requires a credit card, programming skill, and time.
This trains people that do a lot of piracy to be used to turning off their antivirus to let something through, which is fine until it's not. It's like drugs, if we know a subset of the population will do them no matter what, we should make it safe for them to the extent we can. False positives, causing people to ignore actual positives, creates a market for these things.
You also need to look at the bigger picture: Keygens are something you very much do not want anywhere in a corporate environment for obvious reasons. Being able to flag them on Windows machines is very valuable.
There's something seriously wrong with A/V heuristics.
It’s extremely annoying. It’s my code, stop deleting it. It’s not malware.
Serious question. The repos aren't themselves doing harm, are valuable for research, and would be distributed some other way if GH removed them. Maybe a banner “be careful! others have reported that this repo may not do what it claims. proceed with caution” would be a more appropriate response?
Yes they are. Did you read the part about the people doing this and getting 50-100 compromised computers per day? They’re stealing accounts and crypto with these.
> are valuable for research,
Research into how they’re harming people? The research is done. Time to move to fixing it.
> and would be distributed some other way if GH removed them.
This is like saying we shouldn’t wear seatbelts because some people will still die in car crashes anyway.
You don’t avoid improving a situation just because you can’t perfectly fix it globally. You address what you can and reduce the problem.
It’s on GitHub for visibility and credibility to victims.
If it moves somewhere else where victims can find it, the researchers can find it too.
So, sounds like the Github team should take some action here.
Yes they are. They are being used as delivery mechanism for malware.
Yes they are, they're distributing malware
> are valuable for research
Marginally, at best
> and would be distributed some other way if GH removed them
Another way that wasn't so well SEO-optimized and didn't carry the Github halo.
Maybe? But definitely to less people? I don't see the argument for allowing them.
For anyone interested, the Wikipedia article might give an overview (only available in German right now): https://de.wikipedia.org/wiki/Vorbereiten_des_Aussp%C3%A4hen...
If you argued that it was clearly labeled as malware for educational purposes, that seems fine. It was distributed, but then distribution is allowed. But this is very clearly not the case here.
personally if i post such things i will either ensure it has detections everywhere or somehow neuter it. usually for research you dont really need to have fully functioning malware. just enough to prove some question. so despite posting sources of malware being ok, and it being available in lots of places, i do think, especially for advanced things, its better not to contribute it freely... but to each their own. i'd advise strongly against just outright posting functional cyber weapons, not because its illegal, but simply because its really not needed. there is more bad potential than positive use compared to broken or incomplete versions.
Just curl -X DELETE https://discord.com/api/webhooks/[...]
In other cases you may need additional headers to authenticate, but if the script you've found contains the URL, it probably also contains the auth header too.
All you do is send a DELETE request to the URL.
curl -X DELETE https://discord.com/api/webhooks/1050437982584324138/VJByvmBKESSUv4fYn0LIjlBR4VzMRTEPOKVJoWFvCeHd7o3LtclQMJDMuiLzT57iqn7B
{"message": "Unknown Webhook", "code": 10015}
If I download and install a mod for minecraft, it should never have access to anything on my computer, except for the minecraft game files itself. If I open a spreadsheet in Excel, the excel process should have access only to that file and its own config files.
Something similar to how android works, where the app has to explicitly ask the user to access their files.
Yes, qubes is harder, but it's also very niche, barely supported, and difficult to use.
There's really a lot of middle ground between "any application can do whatever on your system as the user running it" and "any application runs in a separate OS with no rights and just 120 lines of hardened hypervisor code in common."
So ya, you've just broken a thousand enterprise applications and integrations.
I also deleted files on the file sharing websites, such as mediafire and mega.
My abuse emails followed the clear and understandable email template: your service is hosting malware, here's the link, it's password protected and the password is X, here are virustotal results, here's the original repo which it impersonates, and I want you to delete it.
When searching for it I found multiple, some had download from github repos. None was looking trustworthy enough, so I didn't download any. But I hesitated a little.
From how they looked, I think now that was the kind of malware the author describes.
Waiting six months for Github to remove malicious repositories is unacceptable.
Also, I am seeing firsthand that AI is not good at detecting this stuff. Claude's main problem in a code review of one of its descendants was the unethical use of an aim-bot.
edit: to clarify, my concern is about how this can exist on Github for 3 years. Thank you for compiling this and sharing your review. Great work.
Like everything else, you shouldn't blindly search on github - or any other download site.
Only download from links referred from the official site if there's any, or the game's forum, or any other trustable and human reviewed source.
https://forums.beamdog.com/discussion/87952/icewind-dale-2-e...
There is no official Enhanced Edition for IWD2 and there will never be because the source code is lost.
This is a fan made mod that patches the original binaries in memory to add stuff like wide screen support etc. And it triggers your anti virus because of that.
It's perfectly fine as long as you download it from the official sources.
I don't know why anyone running one of these schemes to distribute malware would even enable the issues tab on github, let alone not delete every issue posted containing keywords like malware, trojan, virus, etc. with a script.
Are hidden until approved issues not supported on github? Is this caused by some limitation of creating these repos programmatically?
They don’t care about people who know enough to check the issues. They’re fishing for the people who blindly download and run things, not who look under the hood.
Is that saying it creates a sqlite database? I kind of doubt it. I think more likely is it uses sqlite to read from existing sqlite databases that exist on disk, to steal data from them.
Better to have an attitude that Github is malware and a healthy skepticism of any repo?
Some honeypot scheme or social engineering against them.
Ideas?
Microsoft is alright in my book. Let GitHub be free.
Maybe could stop people from being able to git pull them without a confirmation, but deleting does not make sense
I guess the problem is that only helps those who already know they need to watch out for this sort of thing, not the users most likely to be pwned.
Response times can vary from hours to what feels like months, and they rarely handle reports based on patterns of abuse.
3 years unfortunately
This one has been up for two years: https://github.com/Aker490/Steal-Cookie-Roblox
It would be good to hear an official response from GitHub on where the boundaries are, since it seems like there's plenty of examples of clearly malicious repos hosted for years.
Who is on microsoft github? The article is about malware distributors using github to distribute malware. Are you suggesting that malware authors should avoid github because it's not noscript friendly? Malware authors care about how to distribute the most malware, not about whether their distribution site is noscript friendly.
Drop microsoft github and move there or similar.
But the best is to host yourself.
But careful, you are going against big tech interests, expect their shadow-paid hackers to attack you and any real-life alternative you use.