I was tricked on Facebook into downloading an obfuscated script (security.stackexchange.com)
115 points by yammesicka on June 26, 2016 | 73 comments


Maybe the wrong place for a newbie question, but here goes.

IF I am running up-to-date versions of Windows and Chrome, and I click on this link, is it game over? Or do I get another chance to refuse installation of whatever malware is in the payload?


You have to double click the downloaded file to execute it under Windows Script Host


Thanks. That is somewhat reassuring. The likelihood of my doing something stupid/oblivious is higher than it should be, but the likelihood of being stupid twice in a row is quite a bit lower.


I imagine the likelihood of making incorrect decisions twice in a row is higher in some contexts, though. For example, if you click a button that says it will download a Flash update from some random website, I'm guessing there is a good chance you will then run it afterward.


And then if you have UAC (or whatever it's called) turned on, you'll get a warning that the .exe you're about to run is unsigned, right?


It is not an exe. But even without UAC, there is another layer of warnings that has been there since XP SP2 for unsafe file types downloaded from the Internet.


Huh, I never thought about that mainly being protection against the use-case of not realising you downloaded/opened an executable, which is actually quite realistic for the slightly less computer-confident. That makes it a much more acceptable feature.


> I got a notification on Facebook: "(a friend of mine) mentioned you in a comment". However, when I clicked it, Firefox tried to download the following file:

I interpret that as it started downloading when clicking the notification but the picked answer suggests otherwise.


* Disclosure: I used to work for Facebook's security team and focused on threats that impacted users on the platform. *

The post outlines in some detail a common attack done by some actors known as BePush/Killim. I made a request for help in fighting these clowns months ago on a private security working group. Here's the post below which outlines a good amount of detail about the hacks and motives. If you are interested in tracking these actors yourself, it's pretty easy once you find one of their command and control servers.

Example: https://www.passivetotal.org/passive/userexperiencestatics.n...

From there, we can see the actors are using Cloudflare to obfuscate their infrastructure, but we can make a pivot based on the WhosAmungUs IDs (dsafagegg2 [1] and dsafagegg [2]) in order to find more websites owned by these guys. It's a rat's nest that extends to hundreds of domains registered weekly. Servers are typically hosted in places where legal action is difficult, meaning the attacks seldom stop or go down completely.

  [1] https://www.passivetotal.org/trackers/WhosAmungUsId/dsafagegg2
  [2] https://www.passivetotal.org/trackers/WhosAmungUsId/dsafagegg
-----------------------------------------------

As promised, below is a quick high-level summary of the malware outlined in the subject. We've been dealing with the malware for months and while some would call it spam, we consider it malware simply because any of the executables or Chrome extensions could be changed to steal passwords, credit cards or every document off a system. We welcome any help in dealing with these actors and would also be interested in new ways to combat malicious extensions, both Chrome and Firefox as those are only increasing in usage.

If you would like more information on the technical details of the binaries, extensions or other loaders, feel free to shoot me a message. If there's enough interest, I will just spam the list, but would prefer to keep this to the higher level points, so others gain a better understanding of the threat.

-= Summary =-

BePush is a set of Turkish-based actors who use innovative techniques to spread malicious code and spam through social networking sites and ad-based networks. Those involved in the development of BePush malware are constantly adjusting their TTPs to account for changes in detection or disruption. Actors favor multiple levels of obfuscation through the use of short-url redirectors, third-party hosting providers and multi-stage payloads. Despite high infection rates, local law enforcement has yet to take an interest in pursuing those actors involved.

-= Infection Process =-

Based on our logs, primary infection processes tend to occur through direct traffic, followed by Facebook and various ad providers. Shortened URL links are shared among users which typically traverse through a series of redirects to a landing page mimicking Facebook infrastructure and using porn as a lure to install a plug-in. Depending on the attacker behavior, payloads may be delivered in the form of a Google Chrome extension (hosted within the store) or through an executable (likely AutoHotkey, but could be Pyinstaller based) that later replaces Chrome with a version of Chromium with their malicious extension.

Once installed, malicious code will make use of the Facebook Graph API in order to make requests/posts on behalf of the infected user using a stolen access token. In order to establish a high infection count, the malicious code will often create pages with malicious links, post statuses/comments to the user's friends and spam within certain application pages. Once the spreading routine completes, the process generally begins again with the infected user's friends.

-= Motives and Capabilities =-

It appears the primary motivation for the BePush actors is the money gained through the sale of Facebook likes, followers or various ad-network and affiliate partners. In some cases, Facebook observed BePush actors including a bundled bitcoin miner, but it never appeared to gain much popularity.

From a capabilities perspective, actors involved with BePush appear to pay attention to how their code is detected. When numbers begin to dwindle, changes to the code or 3rd-party providers are made. Actors demonstrate a level of understanding in .Net programming, Python, JavaScript and techniques used to detect spam. We have also observed the actors repurposing browser exploits, but we never saw these used against users.

-= Third-Party Provider Usage =-

BePush favors the use of free and open infrastructure in order to keep their campaigns alive long enough to get a strong infection foothold. The following providers have been observed in some capacity:

  - Amazon AWS - Used for hosting content
  - Dropbox - Used to host binaries
  - Box.com (http://box.com/) - Used to host binaries
  - Bitly - Used for redirection
  - Tinyurl - Used for redirection
  - Godaddy - Used for redirection
  - WhosAmungUs - Used for campaign tracking
  - Stellar - Used for bitcoin wallet hosting
  - Imgur - Used for redirection 
  - Dot.tk - Used for redirection
  - Google - Used for redirection, Chrome extensions and binary hosting
  - CloudFlare - Used to obfuscate real infrastructure
  - Microsoft Azure - Used to host binaries

-= Detection and Research =-

BePush has a limited set of providers they prefer to use and through industry relationships, we have been able to put pressure on the attackers. Here are a couple items we noticed when doing disruption work that helped in making a larger impact against the group.

  - Using passive DNS data to identify other domains sitting on the same IP address (these guys don't use a lot of unique servers)
  - Use ESET (Facebook) or Microsoft (Kilim) AV signatures to identify new binaries being used
  - Polling whos.amung.us (http://whos.amung.us/) tracking pixels in order to identify/gauge recent campaigns
  - Reaching out to 3rd-parties with domain and hash combination for takedown

-= Reference Hashes and Domains =-

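
The two pivots described in the comment above (shared hosting IPs from passive DNS and shared WhosAmungUs tracker IDs), sketched as an added example that is not part of the original comment or of any Facebook tooling. Every domain, IP address and `trk-` tracker ID is constructed sample data, and the record layout and the `SHARED_PROXY_NETS` list are assumptions; the IP pivot skips addresses of a shared reverse proxy, where unrelated sites sit on the same IP.

```python
import ipaddress
from collections import defaultdict

# Constructed sample observations: (domain, resolved IP) from passive DNS.
PASSIVE_DNS = [
    ("video-update.example", "192.0.2.10"),
    ("codec-fix.example", "192.0.2.10"),
    ("player-plugin.example", "198.51.100.7"),   # fronted by a shared proxy
    ("unrelated-shop.example", "198.51.100.7"),  # same proxy IP, unrelated site
    ("likes-boost.example", "203.0.113.44"),
]
# Constructed sample observations: (domain, tracker ID found in the page source).
TRACKERS = [
    ("video-update.example", "trk-alpha1"),
    ("player-plugin.example", "trk-alpha1"),
    ("likes-boost.example", "trk-alpha2"),
    ("codec-fix.example", "trk-alpha2"),
    ("unrelated-shop.example", "trk-zzz9"),
]
# Assumption: address ranges of a CDN/reverse proxy shared by many customers.
SHARED_PROXY_NETS = (ipaddress.ip_network("198.51.100.0/24"),)


class DisjointSet:
    """Union-find used to merge domains that share any pivot value."""

    def __init__(self):
        self.parent = {}

    def find(self, item):
        self.parent.setdefault(item, item)
        while self.parent[item] != item:
            # Path halving keeps lookups cheap on long chains.
            self.parent[item] = self.parent[self.parent[item]]
            item = self.parent[item]
        return item

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def _norm(domain):
    return domain.strip().lower().rstrip(".")


def is_shared_proxy(ip, proxy_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in proxy_nets)


def cluster_domains(pdns, trackers, proxy_nets=()):
    """Group domains linked by a common IP or tracker ID.

    Returns a list of {"domains": set, "pivots": set}; "pivots" holds only
    the (kind, value) pairs that actually tied two or more domains together.
    """
    sets = DisjointSet()
    by_pivot = defaultdict(set)
    for domain, ip in pdns:
        domain = _norm(domain)
        sets.find(domain)  # register the domain even if its IP is skipped
        if not is_shared_proxy(ip, proxy_nets):
            by_pivot[("ip", ip)].add(domain)
    for domain, tracker_id in trackers:
        domain = _norm(domain)
        sets.find(domain)
        by_pivot[("tracker", tracker_id)].add(domain)

    for members in by_pivot.values():
        first, *rest = sorted(members)
        for other in rest:
            sets.union(first, other)

    clusters = defaultdict(lambda: {"domains": set(), "pivots": set()})
    for domain in list(sets.parent):
        clusters[sets.find(domain)]["domains"].add(domain)
    for pivot, members in by_pivot.items():
        if len(members) > 1:
            clusters[sets.find(next(iter(members)))]["pivots"].add(pivot)
    return list(clusters.values())


def related_to(seed, pdns=PASSIVE_DNS, trackers=TRACKERS,
               proxy_nets=SHARED_PROXY_NETS):
    """Return the sorted domains in the same cluster as the seed domain."""
    seed = _norm(seed)
    for cluster in cluster_domains(pdns, trackers, proxy_nets):
        if seed in cluster["domains"]:
            return sorted(cluster["domains"])
    return []


if __name__ == "__main__":
    for cluster in cluster_domains(PASSIVE_DNS, TRACKERS, SHARED_PROXY_NETS):
        print(sorted(cluster["domains"]), sorted(cluster["pivots"]))
```

Passing `proxy_nets=()` shows the failure mode: the proxy IP then pulls `unrelated-shop.example` into the campaign cluster.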


Thanks for the info. Technically speaking, posting a link on Facebook and tagging a friend to it seems impossible, unless some manipulation or a flaw was presented. Can you confirm or not that Facebook is somehow vulnerable to tagging to links (not posts)


They must have gotten a TON of downloads... look at the stats:

http://whos.amung.us/stats/pingjse3462
http://whos.amung.us/stats/pingjse346


> Facebook tricked me into downloading an obfuscated script

This title suggests Facebook is doing this, even though it's clearly a malware exploit


That was a badly rewritten title, and we've restored the original. (Edit: never mind–the rewrite was at the host end.)

Submitters: please use the original title unless it is misleading or linkbait. That's in the site guidelines (https://news.ycombinator.com/newsguidelines.html). Making a title more misleading and linkbait is the wrong direction!

(Submitted title was 'Facebook tricked me into downloading an obfuscated script'.)


To be honest, the original title used to be just that: http://security.stackexchange.com/posts/128254/revisions


Oh, good catch. Sorry for doubting you, yammesicka :)

Actually the dynamic rewrite thing has only ever come up significantly with NYT, who do that all the time.


I treat any attempt to download like an attempt to call my phone, or ring my doorbell when I'm not expecting someone. Instant suspicion which is, 99% of the time, unfounded. Still, I've never had to deal with the Jehovah's Witnesses.


I engage Jehovah's Witnesses, but not in the dick way that capital A Atheists might (I'm a small a atheist). I try to learn what they're about. They're generally nice people.


Yes. I have so much appreciation for their contributions to civil liberties. Yes, we should have a right to not say the pledge of allegiance. No, I won't exercise that right but it is seriously stupid to say we have a "right" to do something if we don't have a right to not do it.

If we have to get up and pray, we do not have freedom to pray. People who refuse to stand up to pray at the beginning of a rodeo are people we have to be grateful for.


The house I bought last year came with a cheesy "No Solicitation" sign stuck to the screen door near the handle. I've wanted to remove it, but laziness and the fact that it has some utility has kept it in place.

Oddly, Jehovah's Witnesses have been the only people to ignore it. I've watched Mormons walk up and turn away, though.




Uh, I am not sure how the two are related.


If you're going to make a distinction, make it between individuals, not groups. Grouping people is harmful and breeds stereotypes.


Or, invite them in, and (politely) try to pitch a conversion to atheism. I usually get sooo close, then you see that programming snap back into place (you'll see their expression change to one of terror), and they suddenly have to leave really fast.

Mormons are more fun for this, but Jehovah's Witnesses are a laugh riot.


I haven't seen enough of the universe to feel confident that I'm correct in my atheism, and I haven't felt the hand of Nothing touch my heart and send me out to evangelize It.


> I haven't seen enough of the universe to feel confident that I'm correct in my atheism

That's what atheism means: Lack of dogmatism. You're an atheist.


Would you like a phrase to quickly and easily describe that state of being?

Apatheistic Agnostic. You're not concerned with the issue, it's too big and universal and we're too human. You're not convinced of anything, and frankly, since whatever does or doesn't come after this is inevitable and inescapable, what's the point of endless debate during our finite lives?

Who knows?... and who could even know? No one, that's who.


> Apatheistic Agnostic

Actually I call myself an apathist among my friends. I don't care if there's a god, but if there is one, I doubt if it cares about me, and I doubt that it cares whether I believe in it or not.


It's a pleasure to make your digital acquaintance, I feel the same way.


How does this fit with the assertion that there is no evidence that the supernatural interacts with the natural in any measurable (and hence meaningful) way?

It seems related, but stronger:

"I don't know if there exists supernatural, however I have no reason to believe the supernatural will ever affect me."


You sort of have to come to that conclusion before you start down the apatheist road, I think. After all, any supernatural force that can predictably alter your world is going to rapidly become your god.


This is how atheists define atheism.


Atheists are atheists. If you're going to make a distinction, make it between individuals, not groups.


Perhaps I'm being unnecessarily charitable in my interpretation of what a3n said, but I gathered from the differentiation between "capital A" atheists and lowercase a atheists as a subtle distinction between individuals who evangelize their beliefs and those who don't.


Yeah, pretty much. I get real embarrassed when Atheists make fun of people for Santa Claus in the sky and such. Let people believe what they want, it's a hard universe.


I wish more people shared your outlook. Judging by some of the other comments here, in addition to the reply you received, I think we could all learn something from you!


I think it is the party coming to your door that does the evangelizing and I've yet to have an atheist ring my doorbell.


Right, but to pretend that it doesn't happen in common conversation is absurd. Atheists frequently evangelize. It is a religious belief.


> Atheists frequently evangelize. It is a religious belief.

They evangelize, but it's more of an ideology that concerns religion rather than just a belief. The main problem with atheism is the definition: absence of religion, this is such a derogatory word as if believing in deities should be the norm. Agnostic is an even worse seat: declaring that you have no clue but probably are somewhat spiritual. If you don't like religion say proudly that you are antitheist!


> as if believing in deities should be the norm

Well, de facto, it IS the norm. And it has been so for a long time


Calling atheism a religious belief is as disingenuous as describing science as a religion.

It is possible to be religious in your science-based beliefs, but that does not make science itself a religion. If someone believes something only because "scientists" said so then they share many of the qualities of religions. I would shy away from calling even this a religion, however, as these people are willing to change their belief if the scientific consensus changes.

Furthermore, merely evangelising is not enough to make something a religious belief and it would be an abuse of the language to conflate them in that way. It is completely reasonable to evangelise scientific ideas, and it would be wrong to label that act as a religious one.

Atheism is not science, but it shares a common tenet; both atheists and scientists are willing to change their belief if shown appropriate evidence. Atheists can evangelise for many reasons, but those reasons need not be religious. For example, atheists may believe that religious teachings promote the worst aspects of tribalism and actively harm our society. An atheist can evangelise that the argument "My god is better than your god" is a pointless source of discontent in the world, and want to remove the source of that discontent, without being religious.

Of course, there will be people who shout "you're wrong because SCIENCE!!" but the religious nature of those people doesn't magically transfer to the beliefs they hold simply because they hold them.


> Atheists frequently evangelize. It is a religious belief.

It isn't, and it's insulting to say so: You're imposing a category on people based on deliberately misunderstanding their worldview. Atheists say their lack of belief isn't a belief, and saying otherwise is insulting.


what do you hope to gain by talking to them?

I'm assuming that by capital A, versus lowercase a; atheists, you are trying to underscore the differences between people who understand that religion is a hoax but it doesn't affect me right now so I'll let it pass, and those who have been directly affected by religion and its evils and see no other way but to fight it as hard as they push it?

I will try to explain why this is bad: engaging the mentally ill in their delusions is not only mean (you don't believe their crazy stories, so why listen to them?) it's bad for society as a whole, because this is an untreated mental illness that is totally treatable and it's being spread because people refuse to treat it as a mental illness and instead say, believe what you want.

why is it bad to allow the masses to remain ignorant?

you (hopefully) wouldn't teach your children that the world is flat, because you were educated against such teachings.

you wouldn't teach a medical student about the human body without allowing them to learn about the human body by cutting it open and studying it.

you wouldn't let your neighbor spray your yard with ddt (hopefully) because a higher being told him it was safe.

you wouldn't take advice from someone on the Internet without first researching the topic (we all do)

yet we'll freely entertain the insanity of religion because why? so many people believe it?

we all thought the world was flat, the human body was designed by God and shouldn't be examined, sprayed ddt right in our children's faces, and still take advice from strangers on the Internet without doing research because, we're sheep (Hanlon's razor).

it's all stupidity, and fear. we're all alone, there is no guidebook and we're so painfully self aware.

when you have No explanation, any explanation seems possible.

the world is not flat, but knowing we knew, was comforting.

anyways, what was I trying to get at?

don't let them in. keep them very far away from you.

if you want to help change the world, be proactive. openly challenge religious beliefs any time they are presented. it could get you killed. it will get you beaten.

but we all have a duty to further the human species, and putting us second to imaginary beings is not exactly the way to go about it IMO.


It's not a mental illness to have faith in something. Faith is a normal part of being human. Even atheists have faith: Faith in their own belief that there are no gods or other supernatural beings. They don't have empirical evidence that there are no higher beings, just as religious types don't have empirical evidence that such beings exist. On a smaller scale, one can have faith in one's own abilities or those of the people around them. Once again, not a mental illness.

Now, I'll concede that religion is a manmade concept, usually a way for those who seek power over others to achieve it. But faith and religion are two completely different things. There are those who believe in a higher power (God? Gods? Spirits? Aliens? Cthulhu?) who are anti-religion, just as there are those who have no true faith in a higher power but use religion to further an agenda (militant extremists and terrorists come to mind, both foreign and domestic).

To put it another way, religion is an institution, faith is human nature. You have faith in the words you wrote; does that make you mentally ill? No, of course not, you just come off as having a huge chip on your shoulder and a predisposition for painting everyone in a billions-strong group with the same brush.

But that's a typical human flaw, not a documented mental illness.


i really liked your reply :)

while I agree I think faith is a bit more than just human nature, I think it's a mechanism developed over centuries to deal with the unknown while our minds continued to expand to understand the unknown.

I think of it as a bug, maybe a little hack that was put in to deal with situations that defy explanation. it helps us come up with explanations, it has a function to deal with unexplained events without losing our mental model of the world.

faith is like a shim, there is a piece of a mental model that doesn't exist and doesn't fit with your platform, so faith exists as a way into shim that difference into your code base.

religion is code that takes advantage of the shim. however religion is a virus and it takes over your other mental faculties, weakening them. introducing functions that make no sense, but will continue to run until your mind finds a place for them.

there are several ways to take advantage of the faith bug but you can see patterns for different types of systems that use faith hooks to make calls to your reason centers and overrides their output. the more these calls override the reason centers the less they are used.

now the point at which the faith bug is the most susceptible to being utilized is during the brain's formative years, and this tactic is used incredibly frequently.

so I see and agree with your point that religion is an institution and faith is a function of humanity, but faith is a bug that can be patched and I also would argue that faith is too broad a term for the reasoning functionality of the brain.

faith is a good word to use when we lack the proper terms, but personal and religious faith are a small subset of the entire faith function and I think it needs to be broken up into its requisite parts.

and maybe the overall function that applies to religion in context to faith is world-model_update(previous_model, new_viewpoint, contextual_conviction/external_conviction) and It seems to me that there is early injection malware in religious code and buffer overflow tricks when you can't get the early injection code to work.

thanks for the reply :)


> I'm assuming that by capital A, versus lowercase a; atheists, you are trying to underscore the differences between people who understand that religion is a hoax but it doesn't affect me right now so I'll let it pass, and those who have been directly affected by religion and its evils and see no other way but to fight it as hard as they push it?

I can't speak for the other poster, nor for a capital/lowercase distinction, but your own distinction fails to include me.

To me, religion inhabits a spectrum ranging from vague reverence for the numinous, through stories (either parable or claimed history) told for moral direction, to cynical, doctrinaire oppression. I have directly experienced some of each category (though not the most extreme of the oppressive end). That latter category absolutely affects me, both in terms of solidarity and threat of future expansion, and it absolutely deserves a rigorous fight. The rest is not so cut and dry, and some of it certainly does deserve to be not just allowed to "pass" but to be protected.

With that said...

> what do you hope to gain by talking to them?

A lot can be gained by talking to people you disagree with, even people you fiercely oppose. Aside from the other poster's excellent answer ("I like to be friendly with my neighbors, if not actual friends"), engaging ideas that you don't share is a good cure for your own ignorance and may provide ammunition for the battles actually worth having.

> don't let them in. keep them very far away from you.

Your post suggests that you go beyond your claim that religion is a "mental illness", that you seem to believe said illness is contagious even to the unafflicted. Have a little more confidence in your convictions!


thank you for your answer :)

as far as; is it contagious? yes, it's incredibly contagious, in the sense of a virus and how viruses are spread.

We have two immune systems in our minds, logic and fear.

Logic tells me when something is feasible. and fear tells me when it's not.

religion overrides logic with fear to hook into your faith subroutine and take it over.

everyone is susceptible to this attack, but those who are poor, hungry and desperate for something better are more susceptible than others.

so while talking to your neighbors is good and all, you and your kids are now more susceptible to attack and all it will take is getting you when you're at your weakest, and they'll be there, waiting. it sounds more nefarious than you think it is, but they, like men with women, are only there for a single reason. theirs is different but singular as well: to infect your mind with fear and self doubt and open the way for religion to come in and take over.

and once it does and you're fully in, it doesn't matter if you change your mind later, because now you have to change your family's minds, and they may be more affected than you depending on their defenses. and kids have none. and so now you're stuck and you make excuses and stick up for your lapse in judgement and infect others because you're totally bought in.

I've seen it too many times for it to be a one off. I've been told by so many religious men that they are only in it because their wife/family is. but they don't understand that by letting it happen they're creating Another generation of logically weakened humans.

and therein is my issue, religion makes us weaker, easier to dominate and placate. religion is a virus.


> what do you hope to gain by talking to them?

They're people in my community. I like to be friendly with my neighbors, if not actual friends.


I'm always curious about how people react to unwanted solicitation.

When it happens to me, as soon as I realize I say "sorry" and close the door.

When my door rings unexpectedly, I'm more worried it might be someone I know, as I'm usually in the middle of my work day, as in hacking stuff in my underwear.


For whatever reason, in my most current job, unwanted phone calls and email solicitations have gone up 20X. With phone calls I give a polite "not interested" and if there is anything other than "I'm sorry" I hang up mid-sentence. It took me a while to be this direct, but they have no right to waste my time.

With email I used to politely say, "I'm not interested" to the spammer's email. (I've been on the other side, and it's tough work) Then I realized that it's just feeding the beast, so I usually ignore and mark as spam.


I take it a step further. insta-block phone numbers (never answer either) and insta-spam/unsubscribe emails.


I do the same. Almost no one has my landline phone number, so whenever I get a call I paste the number in Google. 9/10 times other people have already reported it as spam. I then proceed to blacklist it which can be done from the phone itself and takes about 5 keystrokes.


One app I've always wanted to write is one that intercepts incoming phone numbers that are not on your contact list and does a quick lookup on those reputation service sites and displays it side-by-side with the number. Similar to how iOS has recently added the "Might Be John Doe" based on numbers it has learned about through iMessage or Mail.

Maybe iOS 10 has added enough functionality on the call screen APIs to allow it (I haven't honestly checked), but up until now there hasn't been a way to tie into calls like that without actually writing an entire VoIP backend so you could control the complete call flow.


Truecaller and Contacts+ do something similar, TrueCaller is very similar to what you describe

https://play.google.com/store/apps/details?id=com.truecaller...


And how do you know a phone number is spam without answering it?


Generally, if it's not in my contacts list, then it's unsolicited and flagged spam. I won't answer unknown phone numbers (as I get a large number of spam calls in Spanish for immigration and high interest loans coming from or spoofed to the same area code and CO as my number, so even "local" numbers are suspect to me). If I don't answer, they leave a message, and it is someone or someplace I know about, then I'll add it to my contacts. If I answer an unknown number, just the act of asking "Hello?" seems to be about the equivalent as clicking an unsubscribe link in a true spam message; it notifies the spammer that they've got a warm contact that they can resell or contact again.


It's insane to me that you refuse to pick up the phone for people whose phone number you don't know. Aren't you anyone's emergency contact?


Yes I am. I know iOS allows someone to dial their emergency contact from a locked phone, so in that case I will receive a call from the person's phone that I know about. Otherwise, they leave a message and I get to it immediately and call them back.

The reality of an emergency situation where someone I know has me listed as an ICE contact and someone else calls on their behalf from an unknown number is that I cannot do much to help them in a situation that a minute or two of phone-tag would introduce. That's what 911 and other emergency services are for. If you are ever in a situation where you come across someone that has just sustained major injury, who are you going to call first? Their children or spouse to let them know of the situation, or medical help via 911? I'd hope you would choose the latter to get them the critical medical help they need before you inform someone else of the situation.


Additionally, if you're the emergency contact and I don't answer and you immediately call back, I'll probably pick up.

I don't normally block numbers, just let them voicemail me if I don't recognize it, but if a spammer will double-call like that I'll block them, and it means I'll pick up for emergencies.


Ditto for double-call signifying an emergency that I should pick up for, both for people I know and unknown numbers.


How can you block them? The whole point is that spammers call from unknown numbers. Double calling is just an annoying arms race.


Has anyone ever been double-called by a spammer? Honest question. I never have.

I suspect they're generally working on some pretty razor-thin margins with these things nowadays [1], and chasing someone who didn't twitch at the bait is probably a losing proposition for them.

[1]: Between all the easy competition and the incurred legal risks. Legal risk is a funny thing because you're basically rolling the dice on being able to collect money without getting in trouble. I wouldn't be surprised if a full and honest accounting including legal risks yields a negative net expectation for phone spammers, it's just that even so, some people will get lucky and "win".


> Has anyone ever been double-called by a spammer? Honest question. I never have.

I have. Most of my spam calls have been of the "Rachel from Cardholder Services" variety - and while they usually dial from different numbers to give me the same damn spiel, a few times I have been double-dialed from the same number.


Both iOS and Android have various blocking methods, usually built into the OS.

They do not prevent the network from connecting to you, only prevent your device from triggering during the call, instead it will be silently ignored.


I do the same thing, unapologetically. In an emergency, I'll get a voicemail immediately after the call, tap once to play it, and call back. I'm not an EMT: if that extra 30 seconds matters, the number to call is 911.


If it's important they'll leave a message. I tend to check the message right away so if it's an emergency I'll know relatively soon.


It would be extraordinarily unusual for someone to have my number but not be able to call from the phone storing it. Anyone I'd be an emergency contact for, I have their number(s). There are theoretical problems with not picking up, but no practical ones that I've ever come up with or had suggested to me.


In an emergency situation do you think that everyone will be calling from their own phone? What about people who list you as a medical emergency contact or work emergency contact?


Do you expect that they wouldn't be either calling from their own phone, calling more than once, or leaving a voice mail? There are two people who I would lay money on knowing my phone number by heart, and only one of them lives within an hour of me. Everyone else will be stuck looking it up on their phone.

I often go out without my phone, have the ringer off, have a dead battery, or ignore the ringing because I'm driving. It's ridiculous to assume that I'm instantly available 100% of the time, or that I wouldn't treat different incoming numbers with different priorities.


There are websites for caller reputation. (If you can assume that an unknown number is suspicious).


This has only happened to me in apartment buildings; it's either some proselytizers, or people pretending to work for Con-Ed trying to scam me out of money. Either way they're trespassing, and in the latter case actively trying to harm me.

The last time this happened, I technically wasn't on the lease, so my wife discouraged me from following them around the building, introducing myself to the neighbors and breaking their spiel.


I find the phrase, "I'm as armed as I am dangerously and violently psychotic" to be a fabulous ice-breaker. Since I'm neither armed, nor psychotic, it's a true statement and not my fault that they probably didn't get that part.


I simply don't answer. We have a video intercom though so I can see on a screen if it's a courier or something.



