That PowerShell 'fix' for your root cert 'problem' is a malware loader in disguise

Crafty criminals are targeting thousands of orgs around the world in social-engineering attacks that use phony error messages to trick users into running malicious PowerShell scripts.  This latest Windows malware distribution campaign uses fake Google Chrome, Microsoft Word, and OneDrive error messages that look kinda like …

  1. gryphon

    If a company is allowing outbound access to the open internet on a device that allows a normal user to get to an elevated command prompt or shell, that's just foolishness anyway, notwithstanding this issue.

    For home users then that unfortunately goes back to an education issue.

    1. Anonymous Coward

      So, for home users:

      Despite my mum programming mainframes in 1970 before she had me, my dad is on the polar opposite end of the IT spectrum, and needs help with some tasks. However, instilling a sense of cynicism has actually kept him safe: he calls when there's a pop-up or a dodgy-looking email. Even when I forgot to update my credit card details for GSuite, he called immediately.

      It's taken a while to get to this point, but I'm proud of him for not falling foul of such miscreants.

      For enterprise users:

      My company runs frequent phishing campaigns which have taught the workforce really good internet hygiene. But, shockingly, despite being referred to training should you click on a link, there are still those amongst us who do it. It has been effective, though.

      1. Mike 137 Silver badge

        "being referred to training should you click on a link"

        Why are links you shouldn't click on appearing on the desktop at all? There are perfectly good and well established ways of preventing this happening. Relying on the least technically expert echelon as your first line of defence is (apologies for the jargon) just stupid.

    2. Mike 137 Silver badge

      "For home users then that unfortunately goes back to an education issue"

      The 'education' is very simple: "don't ever act on any online prompts to adjust your computer in any way", or more generally "don't automatically trust anything found online".

      1. PRR Silver badge

        Re: "For home users then that unfortunately goes back to an education issue"

        > "don't ever act on any online prompts to.......

        But it wasn't online. It was on my computer. My computer is always sending me messages about one thing or another.

        Seriously? I grew up hacking, and it is not always instantly clear to me how to vet the many things my computer complains about. My father was in at the beginning, but toward his end he got fooled once that we know of.

        1. VBF

          Re: "For home users then that unfortunately goes back to an education issue"

          Well said.

          I have a friend who often tells me "I got this or that on my computer today".

          I have to explain to him that he's seeing something on the INTERNET not on his computer and reiterate the dangers of accepting it.

          Fortunately, he's learned to ask the right questions BEFORE he clicks on unknown "stuff".

      2. Brave Coward

        I would say

        "don't automatically trust anything" *ever* is quite a good rule of conduct in general.

        A bit paranoid, sadly, but useful.

      3. CowHorseFrog Silver badge

        Re: "For home users then that unfortunately goes back to an education issue"

        And yet it's amazing how many people just update their POM or a Dockerfile with some random dependency or image URL.

      4. L. GASC

        Re: "For home users then that unfortunately goes back to an education issue"

        Some users are scared of features as technical as a settings panel, so never would they ever interact with an actual command line. Could this prove beneficial here?

  2. Anonymous Coward

    Hmm

    Since one of the elements targets cryptocurrency addresses, are these criminals hoping to get a slice of ransomware criminal activity?

  3. RedGreen925 Bronze badge

    hahaha, simply amazing and quite frankly well deserved for the morons who will fall for it. They deserve everything they get for being stupid enough to run some random bit of code suggested by a pop up on that virus/trojan delivery system that masquerades as an operating system, let alone using it for anything important. Yet again exposing it for the piece of garbage it is that it even allows things like this to happen.

    1. doublelayer Silver badge

      Oh good, that means you know of an operating system that would prevent someone knowingly pasting code into an admin or root CLI from causing damage. Please tell me what it is. I've got a couple of versions of Windows, Mac OS, about a dozen Linuxes, and a few BSDs, and none of them can do it, so I'm always interested in an idiot-proof and even a malice-proof OS. Of course, your critique means you have such a thing, right? Not that you have no clue what you're talking about and want to castigate someone you dislike for something that everything would be vulnerable to?

    2. MOH

      With an attitude like that you're bound to fall for a scam sooner rather than later.

  4. Terry 6 Silver badge

    I've received emails that look plausible enough for me to give at least half a thought that they might be real, and so to clicking a link. I haven't, but only because I'm allergic to links in emails and they make my paranoia flare up something terrible.

    But I'm mid-60s, have been using computers for half a century, and have been training people on how to use PCs for much of the last 40 years. And if I'm not convinced I'd never get caught, the odds that a two-fingered Excel pilot would get caught by a carefully crafted hook are close to certainty.

  5. Steve Aubrey

    Amish computer virus

    We aren't terribly far from this:

    You have just received the Amish virus. Since we have no electricity or computers, you are on the honor system. Please delete all of the files on your hard drive. Then forward this message to everyone in your address book.

    --Thank thee

    1. Cthrag Yaska

      Re: Amish computer virus

      Surely they need to be told to forward the message before deleting all files (including their address book)!

  6. Martin M

    If Stack Exchange ever gets compromised

    … civilisation is screwed.

  7. MuleD

    SMB Attack Vector

    IF I were a bad actor looking to target a specific segment, such as those with elevated privileges, this type of attack might be perfect. Hear me out on this before you lambast me with criticism. Clearly this attack should not work on seasoned System Admins, PKI Admins, cryptographic gurus etc. BUT.... There are millions of small and medium businesses out there who have one overworked system admin or, worse yet, an "IT Guy" who is also the shipping manager and the building coordinator whose job it is to keep the computers running. Even if these unfortunate souls have a little formal training on Windows Servers, it's very likely that they have no training on the black magic that we call cryptography or certificate servers or PKI. In fact I will bet you my private key that they run from the topic, because the one thing they know is that a certificate problem can have major impacts, and they don't want to be embarrassed when they don't know how to fix it.

    Sooooooo, if you made the bait look official and like something MS or GoDaddy or CISA would put out about fixing a certificate error, Bob's your uncle, you're in, at least with some. Then once you own the SMB you can see what deep-pockets targets the SMB has connectivity to.

    --- Just a Thursday morning thought -- MuleD
