[Hacker News repost] GitHub Notification Emails Hijacked to Send Malware
-
Title: GitHub Notification Emails Hijacked to Send Malware
Text:
Url: https://ianspence.com/blog/2024-09/github-email-hijack/
Post by: crtasm
Comments:
johnklos: Can be summarized with: Don't click on links in email.

So is github-scanner.com (and github-scanner.shop) still the same malicious party? It seems to be. Funny that their DNS is hosted by Cloudflare (who, famously, don't host anything, because they think we're all dumb). Cloudflare, who take responsibility for nothing, has no way to report this kind of abuse to them.

The domain which hosts the malware, 2x.si, both uses Cloudflare for DNS and is hosted by Cloudflare. At least it's possible to report this to Cloudflare, even though they rate limit humans and have CAPTCHAs on their abuse reporting forms.

Sigh. Thanks to Cloudflare, it's trivial these days to host phishing and malware.
theamk: Do people really fall for scams like that?

First, I assume the author knows the email came from github, as the screenshot does not show this very clearly. If that's the case:

Red flag #1: email links to a variation of a real domain. If you don't have information on who github-scanner.com is, it is pretty safe to assume it's a scam, just because it sounds like a real website.

GIANT Enormous Huge Red Flag #2: captcha asks you to type a command in a shell. I have no comment on how naive one must be to do this.
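An added example, not from the article or any commenter, turning red flag #1 into a mail-filter check: it pulls the links out of a notification body and flags any host that carries the GitHub brand name but is not under a GitHub-owned suffix, so github-scanner.com and github-scanner.shop surface while github.com and its subdomains pass. The allow-list of suffixes and the sample mail body are my assumptions, constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: suffixes GitHub itself links to from notification mail.
LEGIT_SUFFIXES = ("github.com", "githubusercontent.com")
# Brand tokens whose presence in a non-allow-listed host is a lookalike signal.
BRAND_TOKENS = ("github",)


class _LinkCollector(HTMLParser):
    """Collect every <a href> from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(body):
    """Return hrefs plus bare http(s) URLs from the text, de-duplicated."""
    parser = _LinkCollector()
    parser.feed(body)
    bare = re.findall(r"https?://[^\s<>\"']+", body)
    return list(dict.fromkeys(parser.links + bare))


def is_legit_host(host):
    # Suffix match on label boundaries: "github.com.evil.net" does not pass.
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def classify_link(url):
    host = urlsplit(url).hostname or ""
    if is_legit_host(host):
        return "ok"
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"  # brand name inside a host GitHub does not own
    return "external"


def flag_suspicious(body):
    """Map each non-GitHub link in the body to its verdict; {} means clean."""
    verdicts = {}
    for url in extract_links(body):
        verdict = classify_link(url)
        if verdict != "ok":
            verdicts[url] = verdict
    return verdicts


# Constructed sample notification body (not a real email).
SAMPLE_BODY = """<p>A critical security issue was found in your repository.</p>
<a href="https://github-scanner.com/verify">Review the report</a>
<a href="https://github.com/example/repo/issues/1">View issue</a>
https://github-scanner.shop/x"""
```

Running `flag_suspicious(SAMPLE_BODY)` yields both github-scanner hosts as "lookalike" and nothing for the genuine github.com link; an "external" verdict is a weaker signal that still deserves a look in a GitHub-branded mail.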
keyle:

    Press Win+R, CTRL+V <enter>

From captcha to gotcha.

I could see junior developers falling for this. Hey it's Github, it's legit right? We get security notifications every second month about some lib everyone uses etc.

    "Oh look, captcha by running code, how neat!"

I don't think webpages should be able to fill your copy/paste buffer from a click without a content preview. They made it require a user action, such as clicking, thinking that would solve the problem, but it's still too weak. That's problem number 1.

People need to stop actioning any links from emails and/or believing that any content in an email has legitimacy. It doesn't. That's problem number 2.

Problem number 3, Windows still lets you root a machine with 1 line in powershell? What the @$$%&%&#$?

Github might need to stop people putting links in issues without being checked by automated services that can validate the content as remotely legitimate. They're sending this stuff to people's email, don't tell me they're not aware this could be used for phishing! That's cyber security 101, in 2015.

Finally, Github, in being unable to act on the above, may need to better strip what they email to people, and essentially behave more like banks: "you have a new issue in this repository..." and that's that. You then go there, there is no message, ok great. That would have taken care of this issue...

It seems Github needs to graduate a bit here.
elashri: > The attacker quickly deletes the issue

I realized I have never deleted an issue I started, but aren't people with admin access the only ones with the ability to delete issues on a repo? [1] So actually there is a trace of that issue in the repository. Same thing for pull requests.

[1] https://docs.github.com/en/issues/tracking-your-work-with-issues/deleting-an-issue
dabbz: I've also been seeing Typeform emails coming from spam sources. Somehow people are using Typeform's positive reputation score to send emails to arbitrary emails.