How Hackers Deliver Malware to Hack you using Social Media

  • Published 14 Mar 2024
  • Popular Facebook Pages and Social Media posts that look official often link to real malware that will hack you! This video demonstrates such an example. Want to learn pen-testing and brute force attacks to test if your website can be hacked? Use code PCSECCHANNEL10 to get 10% off or try for free: pentest-tools.com/?... (sponsor)
    Join the discussion on Discord: discord.tpsc.tech/
    Get your business endpoints tested by us: tpsc.tech/
    Contact us for business: thepcsecuritychannel.com/contact
  • Science & Technology

COMMENTS • 263

  • @TheBenSanders 2 months ago +172

    The internet really is just files, directories, and connecting to someone else's computer. haha

    • @kjisnot 2 months ago +17

      I remember the really early days when you could browse remote servers' entire drives.

    • @danwake4431 2 months ago

      @kjisnot Me too. You could put a popular web address into your FTP program and see everything they had.

    • @Darkregen9545 2 months ago

      I remember in the early days there were websites hosting remote control of literal computers that allowed you to do anything on them. (Found out because I wanted to bypass the school's firewalls.)

    • @v.0 1 month ago

      I remember the real REAL early days when I used to push electrons through cables by hand.

  • @HazyJ28 2 months ago +178

    And remember: cookie catchers bypass 2FA because you're already logged in.

    • @UNcommonSenseAUS 2 months ago +3

      So do tenants n Aa you mentioned tokens

    • @Kaiserschmarren 2 months ago +7

      That's why you should delete them regularly.

    • @csparty11 2 months ago +6

      @Kaiserschmarren The problem with that is, you need to accept all cookies again everywhere and you will need to log in again, and what does that do? It gives you a new token in a new cookie and you're back where you started.

    • @Kaiserschmarren 2 months ago

      @csparty11 You can choose to delete them every time you close the browser. But it's not for everyone.

    • @CuteSkyler 2 months ago

      @csparty11 There's this handy-dandy option to NOT accept cookies; and if you're using Firefox, there's an option to auto-delete cookies when you close the browser.

  • @hest2635 2 months ago +41

    9 hackers disliked this video.

  • @jw1ce236 2 months ago +81

    avoid running any unknown executables

    • @xylentantivirus 2 months ago +1

      That's a little bit paranoid but you are right.

    • @howlyfukk 2 months ago +6

      That works until you need to download some new program and you can't even be sure which website is official.

    • @dyanosis 1 month ago +1

      Considering that from a User's perspective, every executable is unknown - you might as well just say "don't own or operate a PC ever".

  • @bikeny 1 month ago +1

    I'm now subscribing. Always good to learn new things (and be reminded of things I'd forgotten about: Process Monitor).
    Also, I want to thank you for not playing any music while you are speaking. I wish more YT hosts would stop playing music while they talk.

  • @tony_two 2 months ago +19

    Thank you for this video! Very informative!

  • @cyber-MED 2 months ago +2

    Thank you for such a great video and for educating the community. This influenced me to do an analysis of this malware and record it on my channel. I did the basics of it and that was fun. Thank you again!

  • @francoisdubois80 2 months ago +3

    No words ... this is fantastic information to have and pass along.

  • @peterwassmuth4014 2 months ago +2

    Awesome! Thank you for Sharing! 💯✴

  • @CasualYoutubeEnjoyer70 2 months ago +8

    I've been watching your videos for months now and I still have no clue what you're really doing, but I think it's great.

    • @dyanosis 1 month ago

      He's downloading files and then going to a site called VirusTotal to figure out if they're malicious. Very simple. Not sure where the confusion is.

  • @shurmurray 2 months ago +3

    Liked how a video about clicking links to download some software provides a link to download some software :)

  • @zwanski.m 2 months ago +1

    I've been following you since you were at 1k 😮 🎉 Amazing

  • @liameyles1450 2 months ago +2

    Thank you for the info, I appreciate you keeping us up to date. Just curious: if you deleted the data in the cookie file, would that delete the stored data, or would that cause other issues?

  • @glynnetolar4423 2 months ago +8

    What server did it send it to?

  • @sammiemagi6564 2 months ago +8

    That was amazing, but remember there are people like myself who are not as familiar with the procedures as you are. It would be nice to divide that presentation into smaller portions and walk us through each one.

    • @howlyfukk 2 months ago

      Bro has 639 videos on his channel....

  • @jesuschrististruth3731 2 months ago +2

    Cool stuff here. Thanks !

  • @shouta-kun 2 months ago +5

    One tip regarding MSI files: you can use a third-party application like Orca to see what's inside, particularly the Binary table section, which I believe is where the script is located.

    • @user-od4gs3iu4t 2 months ago

      There are many ways, including use of the command prompt, or 7-Zip.

    • @noobnoob5072 1 month ago

      @user-od4gs3iu4t Link on how to open an MSI file, especially with 7-Zip?

    • @user-od4gs3iu4t 1 month ago

      @noobnoob5072 1. Command prompt -> msiexec /? and pick the parameters that you need.
      2. The easier way is to install 7-Zip, right-click your file and choose 7-Zip -> Open archive; then you see the content and can extract it completely or just some parts of the container.
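
An added example, not from the video or from any commenter, to go with the Orca / 7-Zip / msiexec tips above. An .msi is an OLE compound file, and its table streams carry names that are packed six bits per character, which is why a raw OLE viewer shows gibberish while 7-Zip shows `!_Tables`, `!CustomAction`, `Binary.Something`. The codec below is pure stdlib; the lister at the end assumes the third-party `olefile` package is installed (that dependency and the sample file path are my assumptions). Embedded payloads referenced from the Binary table show up as streams named `Binary.<Name>`, and the script or command line of a custom action is a row in the `!CustomAction` table.

```python
# Added example: decode MSI stream names and locate the streams that usually
# hold an installer's embedded scripts. Not code from the video or the thread.
# Assumption: `olefile` (pip install olefile) is present for list_msi_streams();
# the name codec itself needs nothing beyond the standard library.
import hashlib
import sys

# MSI packs names with this 64-symbol alphabet: two symbols per UTF-16 code unit
# starting at U+3800, one symbol per unit starting at U+4800, and U+4840 as the
# "!" marker that prefixes table streams.
_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
_PAIR_BASE, _SINGLE_BASE, _TABLE_MARK = 0x3800, 0x4800, 0x4840


def decode_msi_name(raw: str) -> str:
    """Turn a raw compound-file stream name into the readable MSI name."""
    out = []
    for ch in raw:
        c = ord(ch)
        if _PAIR_BASE <= c < _SINGLE_BASE:
            c -= _PAIR_BASE
            out.append(_ALPHABET[c & 0x3F])   # low 6 bits: first symbol
            out.append(_ALPHABET[c >> 6])     # high 6 bits: second symbol
        elif _SINGLE_BASE <= c < _TABLE_MARK:
            out.append(_ALPHABET[c - _SINGLE_BASE])
        elif c == _TABLE_MARK:
            out.append("!")
        else:
            out.append(ch)                    # unpacked name, e.g. a cabinet
    return "".join(out)


def encode_msi_name(name: str) -> str:
    """Inverse of decode_msi_name, so a known table name can be looked up."""
    out, i = [], 0
    if name.startswith("!"):
        out.append(chr(_TABLE_MARK))
        i = 1
    while i < len(name):
        a = _ALPHABET.index(name[i])
        if i + 1 < len(name):
            b = _ALPHABET.index(name[i + 1])
            out.append(chr(_PAIR_BASE + a + (b << 6)))
            i += 2
        else:
            out.append(chr(_SINGLE_BASE + a))
            i += 1
    return "".join(out)


def interesting_streams(decoded_names):
    """Group decoded stream names into the tables and payloads worth reading."""
    hits = {}
    for name in decoded_names:
        if name in ("!CustomAction", "!Binary", "!Property"):
            hits.setdefault("tables", []).append(name)
        elif name.startswith("Binary."):
            # Data column of the Binary table: DLLs, EXEs, VBScript/JScript or
            # other script bodies that CustomAction rows point at.
            hits.setdefault("binaries", []).append(name)
    return hits


def list_msi_streams(path: str) -> dict:
    """Return {decoded stream name: sha256} for every stream in the .msi."""
    import olefile  # third-party; assumed installed
    ole = olefile.OleFileIO(path)
    try:
        result = {}
        for entry in ole.listdir(streams=True, storages=False):
            decoded = "/".join(decode_msi_name(part) for part in entry)
            data = ole.openstream(entry).read()
            result[decoded] = hashlib.sha256(data).hexdigest()
        return result
    finally:
        ole.close()


if __name__ == "__main__":
    # Usage: python msi_streams.py sample.msi  (file path is an assumption)
    streams = list_msi_streams(sys.argv[1])
    for name, digest in sorted(streams.items()):
        print(f"{digest[:16]}  {name}")
    print(interesting_streams(streams))
```

The SHA-256 per stream is there so you can look up an embedded binary on VirusTotal separately from the whole package. Reading the actual CustomAction rows (the Type, Source and Target columns that say what gets executed) needs a table parser; on Linux the msitools package does that with `msiinfo export sample.msi CustomAction`, and `msiextract` pulls the installed files out.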

  • @Rux82 2 months ago +1

    Just curious, were you running DefenderUI or just the stock Defender?

  • @defnotatroll 2 months ago +68

    At this point the blame has to be placed on the browsers, why aren't these cookies encrypted? This seems like an incredibly flawed system

    • @BillAnt 2 months ago +17

      I agree, all cookies should be encrypted, not just some. smh
      Oh, and the password-protected archive and installer are a giveaway of something fishy. People should be a little more wary and not click on everything random online.

    • @theepicslayer7sss101 2 months ago

      Even if they did, they could grab the whole folder containing the profile and just copy/paste it onto their PC and they would be logged in to the sites just the same. (I know it works since I am using my Firefox 115 ESR folder from Windows 7, which I just updated, on my Firefox 123.0.1 on Windows 10, like it always was on Win10.)

    • @ArtflPhenix 2 months ago +10

      Encrypted files are useless when you can just copy them.
      Encrypted files need to be decrypted so that the website can tell who you are. It does not matter if the decryption happens in the browser or on the website: the browser will just read the encrypted file or pass it to the website for decryption.

    • @theepicslayer7sss101 2 months ago

      @ArtflPhenix Yep, exactly, same as my reply to this comment: they can just copy the whole profile folder and put it in the same browser on their side and it will all be logged in; then all they do is change your passwords. The browser will decrypt it since it has to be able to, to use it.
      On a side note, the only reason encrypting passwords on a site helps with data breaches is that you hold the decryption key and they hold the password, so even if they have the password files, they do not have the millions of decryption keys. But it does not work the other way around: there is one decryption key (the site's) and anyone accessing it gets the same key. That is why it would not work.

    • @BillAnt 2 months ago

      @ArtflPhenix Well, the browser should encrypt and decrypt it in memory when needed using AES-256, which is currently uncrackable without supercomputers.

  • @mabelisle 2 months ago +1

    Hi Leo. Do you think it would be possible for you to show what command was executed, maybe in a follow-up video? It would be fun to see how you can get to that information. A decompiler or something?

  • @Echownz 2 months ago +2

    Where do you see the cookie stealer running in the background? Because you went into the temp cookie files, so how were you able to detect the scraping?

  • @ColdestSiren 2 months ago +2

    Heya, it's been a while but I'm back. Also, great video so far.

  • @stephie3206 2 months ago +2

    Thanks 😊😊😊😊

  • @MorganNilsson 2 months ago +14

    Apart from common sense, what is the best way to protect your "cookies"?

    • @pcsecuritychannel 2 months ago +16

      No easy way really, other than having solid proactive protection from infostealers or access control to prevent unknown applications from reading your browser folders (this would only be possible with specific enterprise solutions).

    • @user-od4gs3iu4t 2 months ago +3

      My guess is this file is not signed, and just PRETENDS to be a legit installer from a recognized and reputable company.
      Standard Windows protection might be enough to notify the user that this program is not from a trustworthy source. Meaning they should be activated: UAC at the high security level, all features of MS Defender. And a non-administrative account.
      Users should just understand the importance of these simple steps.

    • @BillAnt 2 months ago +10

      Don't click on every stupid "You won a million dollars!" or "Download this free app!". That should take care of 90% of the crap.

    • @user-od4gs3iu4t 2 months ago

      Yeah, the advice not to click every link is a kind of universal safety measure.
      Well, good protection is simple: estimate your risks and find the best security measures to counteract them )
      But the way to estimate and find measures is not always easy )
      For a normal user in most cases it would be enough to sit behind the firewall in a router, install MS Defender with all features activated and preferably those in DefenderUI, configure secure DNS, a VPN if travelling a lot, and some good, preferably open source, programs like Mullvad for internet browsing, LibreOffice, Foxit or Okular for office/productivity.
      Good also to have Portmaster as a better firewall and COMODO as a better HIPS utility.
      That's it ) Now back up your data and start sleeping well without nightmares about losing all the data )

    • @willdixon2349 2 months ago +1

      @BillAnt Sound advice. You still have to pay for your lunch!

  • @kshysztof9649 2 months ago +2

    Is there any way to view what that CMD contained?

  • @BeautyMarkRush 1 month ago

    > New technique using infrastructure provided by big techs
    > same old phishing email text

  • @Drago-il7iv 2 months ago +21

    Can't browsers somehow encrypt the cookies so only they can access them?
    Something like downloading music from Spotify: it's encrypted in such a way that only the app itself can play it.
    Or at least Windows shouldn't allow 3rd-party programs to access the browser data folder.

    • @MartinWoad 2 months ago +4

      Yes, they can encrypt it with a passphrase. And where are they going to store the passphrase? On this computer... Yes, other apps shouldn't usually access others' data. But he just ran an installer which asked for full admin access and was given it by the user.

    • @BillAnt 2 months ago +2

      @MartinWoad Encryption/decryption can be done in RAM without storing the keys.

    • @MartinWoad 2 months ago +1

      @BillAnt Then the key is still on your machine. Harder to get, but not impossible.

    • @BillAnt 2 months ago

      @MartinWoad Much more difficult, and RAM can be protected too. As it is right now, it's just grabbing a file, crazy!

    • @tablettablete186 2 months ago +1

      @BillAnt This implies that you will lose the encryption keys as soon as you close the app.
      Why not store the cookies in RAM at this point? I think incognito mode already does this.
      Edit: it seems that cookies might still be stored in a cache folder in incognito mode 🙃

  • @chillout139 1 month ago

    I just subscribed to your channel, because 2 days ago my PC got hacked because I installed an unknown application 😅🙏. Now my PC is being repaired.

  • @moderatorgamer3177 1 month ago

    Sir, what AV is good now?

  • @ibmezouar 2 months ago +1

    I was expecting you to do Wireshark or something similar to see what is being sent and to whom.

  • @ertaku1870 2 months ago +1

    I wish we could learn many more details about this malware, but that's fine.

  • @Lightnang_ 2 months ago +1

    Nice video!

  • @FSK1138 2 months ago +10

    Don't install anything from links on Facebook 😅

    • @JohnDoe-wl8zk 2 months ago +4

      Or YouTube, or Instagram, or TikTok, or...

    • @corpingtons 1 month ago

      @JohnDoe-wl8zk anywhere

  • @castlehaa4489 2 months ago +2

    Can you make a video on how to determine which IP is really bad and which one is not? Simply put, my meaning is, can you explain the VirusTotal IP thing? Sorry for bad English 😢

  • @snuffe_himself123 1 month ago

    I would appreciate an informative video for a beginner about how to set up a moderately secure virtual machine. Secure enough that you don't need to be afraid that your host machine, the same physical PC, gets infected. Why not one video with VMware and one with VirtualBox? Please tell me if you already have this... 😊

  • @AccuseMore 2 months ago +1

    Hey, could you make a video on removing "Ai service"? I think it's a virus. I've had it on my PC for a long time and it starts up by itself and uses all my CPU, but I don't know how to remove it.

  • @wolfbrave4866 2 months ago +3

    If it's an infostealer, then the files have to be sent somewhere. What if you do a man-in-the-middle, intercept it and replace the files with ransomware and encrypt the attacker's entire system, which would prevent them from accessing the stolen information that would be used for malicious activities?

    • @pera4754 1 month ago

      In the source code there must be some kind of filter for which files to send and which to keep. Files can get really big and traffic can get noisier, which is not in the interest of the attacker. I doubt they would pull your exe files, especially ransomware. At the end of the day, they invented the same ransomware they get, so they could decrypt their files automatically.

    • @corpingtons 1 month ago

      @pera4754 They would not take a big file unless they don't know what they're doing; you detect it easily if it's even over a MB.

  • @joshrov4017 2 months ago +2

    When you spin up a virtual machine to test out malware, are you ever worried that the malware will infect your hypervisor or use some other vector to infect your system beyond the virtual machine?

    • @user-od4gs3iu4t 2 months ago

      You normally only need to NOT allow direct access to your host machine's file system, so no file sharing etc. Other than that you are pretty safe, and if a bad thing happens, just revert the system state to a saved point.

  • @Archmage9885 2 months ago +1

    Why do websites allow multiple devices to login with cookies? I would think that if another device tries to access a site using login cookies it would fail and ask them to re-login.

  • @PGW90RU14 2 months ago +2

    Hi. What does the Windows file scanner detect with that MSI file? What digital signature does that MSI file have?

    • @user-od4gs3iu4t 2 months ago

      It doesn't have any, unknown publisher etc. It shouldn't be run, and any HIPS utility, or MS UAC, or MS Defender will pop up to inform the user and will ask for admin privileges to continue the installation.

  • @seb_gibbs 1 month ago

    This has been going on for months: multiple websites created with multiple social media pages; every time I get one taken down another appears. Oh, and multiple versions of the download file.

  • @yanndooms8892 1 month ago

    Is there anything you can do against infostealers (apart from having a good AV)?

    • @user-od4gs3iu4t 1 month ago

      You can definitely do quite a lot against this threat.
      1. Secure DNS or VPN.
      2. Yes, a good AV certainly helps. Those with zero trust are especially helpful.
      3. Regardless of protection, avoid installing shady software and opening pdf/office files. If you need to, disable scripts and macros. This is at least partially covered by the DefenderUI utility, which works for MS Defender, and there might be similar configuration options in other AVs as well. It's also safer to look at these files in a virtual machine.
      4. Block lists. The more the better. Some are included in VPN/sDNS, some others are browser extensions, and many more.
      5. A good, updated browser. The browser, like no other program, connects you to the internet and should do its best to protect your privacy/security. The best in my opinion are Mullvad and LibreWolf, and maybe Tor. If you prefer a more common browser, then you'd better harden it, and install the "noscript" browser extension.
      6. Worth mentioning the standard security practice: use a non-admin account for work. Increase the UAC protection level to some high alert mode.
      7. Last but not least is common sense. No AV can guarantee your protection if you reply to an e-mail and write down your credit card numbers, home address etc. So YOUR PERSONAL ZERO TRUST when you go on the internet or check your e-mail has to be activated as well )
      Hope this helps.

  • @PartyTimeBitches 2 months ago +8

    Why didn't you run Process Monitor to show the files that were created/executed when the malware installed? It would have been interesting to see.

  • @Tuxy79 2 months ago +7

    Can you cover Yubico?

  • @ICities 1 month ago +1

    I have reported the profile but Meta said "It doesn't break any community Ad guidelines" 🙃🙃
    I also reported it to the 3rd-party link website and it got removed, but the main source [the Facebook page] still remains.

  • @masmiyen 1 month ago

    I keep reporting these promoted posts as scams on Facebook, but yes, it's not against community standards.

  • @radwanradwan5594 2 months ago

    How do you do network isolation in VMware?

  • @AgentM124 2 months ago

    Are there any protections against cookie stealers?
    Would it be possible to encrypt the cookies until you access a webpage that requests the cookie? In which case you have to put in a master password of sorts, or use some UAC prompt or anything at all to decrypt those cookies within the process memory, so no other programs can just read the cookies off disk?

    • @user-od4gs3iu4t 2 months ago

      Yes 8-)
      1. Don't install shady software and don't run random applications. Use digitally signed software, or free open source if you trust the creator or checked it yourself or the community did.

    • @user-od4gs3iu4t 2 months ago

      2. Install the "noscript" browser extension to get control of the scripts in your browser. Activate, deactivate, or activate temporarily, and tune permissions for any website you want.

    • @user-od4gs3iu4t 2 months ago

      3. You can use a private window in most browsers to run a cookie-free session, to enhance your privacy/protection.
      If this is not convenient, you can install some more browsers which you can use specially for cookie-free sessions. Some, like LibreWolf, Mullvad, Tor, are privacy-focused and also give you enhanced security from data leaks.

    • @AgentM124 2 months ago

      Sure, but there could be a zero-day in some software. If you are signed in to a lot of stuff you're wide open. If you have all personal data locked behind a password for each access, then as soon as something tries to read it outside of the proper programs, it won't work.
      Android basically has a separate space for each app to use. Shame Windows doesn't have such a thing.

    • @user-od4gs3iu4t 2 months ago

      @AgentM124 A zero-day can exist for any app and for any system. Do not trust all your personal data to just one computer. Never. If you value the data, that is.
      Security and data protection/backup/archiving are different topics. Here most talk is about security, the channel is about security, and the topic is also about security.
      But we can talk about data protection as well )

  • @epic-buffalo 1 month ago

    Have you configured Defender using DefenderUI on this VM?

  • @Wormweed 2 months ago

    Do these cookie grabbers take the cookies from all your browsers? Let's say you have Chrome, Firefox and Opera installed. Or does it take the cookies from your active browser, as in the one links open in when you click them? I use different browsers for different things, but my default browser is Firefox loaded with NoScript, an ad blocker and plenty of other extensions that mostly break sites the first time you load them, but at least it lets me choose what to allow or block.

    • @user-od4gs3iu4t 2 months ago

      If you are talking about some known issues with JavaScript vulnerabilities, then the security model that you use looks safe. With some doubt about Opera, and Chrome as well since it is not completely open source. I would replace them with Mullvad, Tor, or LibreWolf.
      It's not a perfect defense; it won't protect you from a zero-day.
      The whole idea of using different browsers comes mostly from convenience, to avoid changing many settings. And then just appointing the role for different browsers, so your everyday use is Firefox with NoScript and an ad blocker, Mullvad for example is for shopping, LibreWolf for testing.
      If you are talking about malicious software in general, then of course it can grab whatever you have on your computer. And I have no idea what was shown in this video ) Someone in the comments wrote that the installer put some "extension" into the browser, but no further information so far )

    • @sylussquared9724 2 months ago

      @user-od4gs3iu4t You have zero clue what you are talking about and are just waffling nonsense.
      In answer to the actual question: yes, they steal cookies from most major browsers, and what browser you have makes no difference.

    • @user-od4gs3iu4t 2 months ago

      @@sylussquared9724 hello. Are you my stalker?

  • @kb8570 2 months ago

    Is there no way to protect the cookies on your laptop by using encryption or some anti-cookie-stealing software?

    • @user-od4gs3iu4t 2 months ago

      1. Install the "noscript" browser extension for daily use in your main browser.
      2. Use a "private" window for a cookie-free session in case you need to visit some trustworthy website but have to activate its scripts because otherwise it doesn't work properly. It's a case of a privacy-focused session.
      3. Install one more browser like Mullvad, LibreWolf or Tor for visiting shady zones or experiments, if you need it for any reason. It's for security purposes.

    • @sylussquared9724 2 months ago

      @user-od4gs3iu4t None of these help.
      1. Installing NoScript has nothing to do with cookie stealers and cannot prevent you from downloading malware.
      2. Cookies in private windows are just cleared when the window closes, so if the malware is run while the private window is open the cookies will still be stolen.
      3. The browser makes no difference; cookies can be stolen from all of them.
      In response to the actual question, the best way to protect your cookies is to just use your brain and don't download cracks, cheats etc., as well as using a good AV.
      The cookies can't be encrypted because, simply put, websites and programs need access to them, so people would end up always clicking yes when a program asks for permission or asks for the password to decrypt them (like with UAC).

    • @user-od4gs3iu4t 2 months ago

      @sylussquared9724 Thanks for getting to a point this time instead of just stalking me.
      1. It helps greatly in fact. An example is cross-site scripting. This is an already known vulnerability, but there might be more to come. It helps to avoid the bad consequences of a mistype, thus it's a passive protection for your credentials against misnomers and phishing.
      2. You can check this in your own browser: you open a new cookie-free session. Well, if you use a good enough browser, that is.
      3. Your statement contradicts your other statements about sandboxing the browser session. Stealing cookies normally comes up in the context of data privacy and safety. If you are talking generally about malware, then literally ANY data can be stolen; that's why it's not worth talking about cookies only.
      I didn't push a meme about encrypting cookies. On the contrary, I wrote arguments similar to yours. So there is no point discussing this topic.

  • @lifeindivine 2 months ago

    Please confirm: was it detected by Kaspersky?

    • @sylussquared9724 2 months ago

      Put the hash of the file into VirusTotal: bb7c3b78f2784a7ac3c090331326279476c748087188aeb69f431bbd70ac6407
      It's detected by Kaspersky.

  • @exponvaldese 2 months ago +3

    How do they use the credentials to hack your account? Do they get the password from the credentials or is it only temp login?

    • @REktSigMa 2 months ago +9

      They decrypt the credentials from base64 to plain text, then they can see your name, passwords, everything. Or they will just install your credentials into their system and the website that matches these credentials auto-signs them into your account. All the website knows is that it's you on another computer.

    • @REktSigMa 2 months ago +5

      PC Security Channel is a great channel, but John Hammond has a great channel as well.

    • @BillAnt 2 months ago

      @REktSigMa The website should check the IP on every single page access, so even if the scammer can replicate your session login, the server should catch it and request a new login with a username and password.
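
An added example of mine (not from the video, and not what BillAnt or anyone else in the thread wrote) of what the server-side check suggested above looks like in practice. Hard-failing a session on any IP change locks out mobile users behind carrier NAT and people on laptops moving between networks, so the detection below grades the change instead: an IP change alone is low severity, an IP plus User-Agent change inside a short window is the strong signal that a stolen cookie is being replayed from another machine. The log lines are constructed for the example and the log format (timestamp, a hash of the session id, client IP, User-Agent) is my assumption; a real deployment would feed this from the web server's access log and trigger a step-up login on "high".

```python
# Added example: flag a session cookie that is presented by a second client
# shortly after the first. Log format and sample lines are constructed.
import re
from datetime import datetime

# Constructed access-log excerpt. sid is a short hash of the session cookie
# (never log the cookie value itself).
SAMPLE_LOG = """\
2024-03-14T10:00:01Z sid=3f9a1c ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122"
2024-03-14T10:00:40Z sid=3f9a1c ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122"
2024-03-14T10:03:12Z sid=3f9a1c ip=198.51.100.77 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/123"
2024-03-14T10:05:00Z sid=b71e22 ip=192.0.2.5 ua="Mozilla/5.0 (iPhone) Safari/17"
2024-03-14T10:06:30Z sid=b71e22 ip=192.0.2.9 ua="Mozilla/5.0 (iPhone) Safari/17"
"""

LINE_RE = re.compile(r'^(\S+) sid=(\S+) ip=(\S+) ua="([^"]*)"')


def parse_log(text: str):
    """Yield (timestamp, sid, ip, user_agent) tuples; skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_session_anomalies(text: str, window_seconds: int = 600):
    """Compare each request with the previous one for the same session.

    Severity: "high"   = IP and User-Agent both changed (cookie replayed elsewhere)
              "medium" = User-Agent changed on the same IP
              "low"    = only the IP changed (NAT / mobile roaming are common)
    Changes further apart than window_seconds are ignored as ordinary churn.
    """
    last = {}      # sid -> (ts, ip, ua) of the most recent request
    alerts = []
    for ts, sid, ip, ua in sorted(parse_log(text)):
        prev = last.get(sid)
        if prev is not None:
            delta = int((ts - prev[0]).total_seconds())
            if delta <= window_seconds:
                ip_changed, ua_changed = ip != prev[1], ua != prev[2]
                severity = None
                if ip_changed and ua_changed:
                    severity = "high"
                elif ua_changed:
                    severity = "medium"
                elif ip_changed:
                    severity = "low"
                if severity:
                    alerts.append({"sid": sid, "severity": severity,
                                   "seconds": delta,
                                   "from": (prev[1], prev[2]), "to": (ip, ua)})
        last[sid] = (ts, ip, ua)
    return alerts


if __name__ == "__main__":
    for alert in find_session_anomalies(SAMPLE_LOG):
        print(alert)
```

Session 3f9a1c is the textbook case from this video: the cookie was lifted from a Windows/Chrome machine and is now being used from a Linux/Firefox box a few minutes later. Session b71e22 only moved between two addresses on the same phone and should at most be logged, not terminated.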

    • @REktSigMa 2 months ago

      These people know how to get around anything after they have your credentials. The IP is probably known as well, and with VPNs who is to say they cannot be in your country. Even VPNs are not safe. @BillAnt

    • @REktSigMa 2 months ago

      Matter of fact, I think PC Security Channel has a video on IP spoofing. I think so? @BillAnt

  • @kumiho42 2 months ago

    What command was run?

    • @user-od4gs3iu4t 2 months ago

      Looks like just an installer. After that it does everything itself according to its PS script.

  • @isntitawesome2104 2 months ago

    So there is no real way to protect these files (cookies and cookies_tmp) from getting stolen if there is an infostealer on your PC?

    • @tablettablete186 2 months ago +1

      Isolated programs are one way, but it isn't easy

    • @user-od4gs3iu4t 2 months ago

      Don't install infostealers )
      Use the "noscript" extension in your browser to get tailored control over the scripts running in your browser.

  • @xylentantivirus 2 months ago +2

    It wasn't detected because it's so big.

  • @UmarFarooq-qi6qj 2 months ago +4

    I have done some more research on this. It actually installs an extension in your browser with the name "Google Translate". That extension sends your cookies to a server and remains undetected.

    • @user-od4gs3iu4t 2 months ago

      Cool. Is this a digitally signed installer, or without a signature, or not from a trustworthy company? Any other signals about the malicious origin of this utility?

    • @UmarFarooq-qi6qj 2 months ago +2

      @user-od4gs3iu4t It's a normal .msi installation, and most antivirus programs will not flag any kind of .msi. The .msi simply runs CMD code that installs an extension in all the browsers on your PC, which also isn't flagged by any antivirus. The extension in Chrome can actually steal your data. It bypasses Windows Defender and other antivirus programs because it doesn't steal from your PC directly by running malicious code; it steals from your browser. Hope you understand what I mean...
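
An added example, mine rather than the video's or the commenter's, of how you would check a Chrome profile for the kind of side-loaded, name-spoofing extension described above. Chrome records installed extensions under `extensions.settings` in the profile's `Preferences` / `Secure Preferences` JSON (on Windows under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\`); the exact keys used below (`from_webstore`, `location`, `path`, `manifest`) and the meaning I assign to the numeric `location` values are my assumptions about that layout, and the input is a constructed JSON document, not a real profile. The Web Store ID listed for Google's own Translate extension is the one I know for it; verify it against the store listing before relying on it. The audit flags anything not installed from the Web Store, anything whose display name collides with a known Web Store extension but carries a different ID, and reports the permissions an infostealer needs (`cookies`, `<all_urls>`, `webRequest`).

```python
# Added example: audit a Chrome Preferences JSON for side-loaded or name-spoofing
# extensions. Layout keys and location codes below are assumptions about
# Chrome's profile format; SAMPLE_PREFS is constructed.
import json

# Display name -> Web Store ID of the genuine extension (verify before use).
KNOWN_WEBSTORE_IDS = {"Google Translate": "aapbdbdomjkkjkaonfhkkikfgjllcleb"}

# Permissions that let an extension read sessions or all page content.
SENSITIVE_PERMS = {"cookies", "webRequest", "webRequestBlocking", "<all_urls>",
                   "tabs", "scripting", "declarativeNetRequest"}

# Assumption: location 5 and 10 are Chrome's own component extensions, which are
# never from_webstore and would otherwise be noise.
COMPONENT_LOCATIONS = {5, 10}

SAMPLE_PREFS = json.dumps({
    "extensions": {"settings": {
        # genuine Web Store install (constructed record)
        "aapbdbdomjkkjkaonfhkkikfgjllcleb": {
            "from_webstore": True, "location": 1,
            "path": "aapbdbdomjkkjkaonfhkkikfgjllcleb\\2.0_0",
            "manifest": {"name": "Google Translate", "version": "2.0",
                         "permissions": ["storage"], "host_permissions": []}},
        # unpacked extension dropped by an installer, same display name
        "abcdefghijklmnopabcdefghijklmnop": {
            "from_webstore": False, "location": 4,
            "path": "C:\\Users\\Public\\gtranslate",
            "manifest": {"name": "Google Translate", "version": "1.0",
                         "permissions": ["cookies", "storage"],
                         "host_permissions": ["<all_urls>"]}},
        # a legitimate Web Store blocker with broad permissions: not flagged
        "bcdefghijklmnopabcdefghijklmnopa": {
            "from_webstore": True, "location": 1,
            "path": "bcdefghijklmnopabcdefghijklmnopa\\1.5_0",
            "manifest": {"name": "Example Blocker", "version": "1.5",
                         "permissions": ["webRequest", "webRequestBlocking"],
                         "host_permissions": ["<all_urls>"]}},
    }}
})


def audit_extensions(prefs_json: str):
    """Return a finding per suspicious extension: id, name, reasons, permissions."""
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, ext in settings.items():
        manifest = ext.get("manifest", {})
        name = manifest.get("name", "?")
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        reasons = []
        location = ext.get("location")
        if not ext.get("from_webstore", False) and location not in COMPONENT_LOCATIONS:
            reasons.append(f"not installed from the Web Store "
                           f"(location={location}, path={ext.get('path')})")
        expected = KNOWN_WEBSTORE_IDS.get(name)
        if expected and expected != ext_id:
            reasons.append(f"name '{name}' belongs to Web Store id {expected}, not {ext_id}")
        if reasons:
            findings.append({"id": ext_id, "name": name, "version": manifest.get("version"),
                             "reasons": reasons,
                             "sensitive_permissions": sorted(perms & SENSITIVE_PERMS)})
    return findings


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_PREFS):
        print(f["id"], f["name"], f["version"])
        for r in f["reasons"]:
            print("   -", r)
        print("   permissions:", ", ".join(f["sensitive_permissions"]))
```

Run it against a real profile by reading the `Preferences` file into `audit_extensions`. The two reasons together are the tell: a Web Store name on a non-Web-Store ID, loaded from a writable path, with `cookies` and `<all_urls>` in the manifest. An extension that is force-installed through browser policy would show a different `location` code, so also check what policies the machine carries (for Chrome, `chrome://policy`).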

    • @user-od4gs3iu4t 2 months ago

      @UmarFarooq-qi6qj Yeah, I understand what you mean. My question was about the signature. These types of installers may or may not have a digital signature, hash and other security information. Did you check it? Pretty sure there is no signature or some shady one, just interesting.

    • @lifeindivine 2 months ago

      @UmarFarooq-qi6qj Can Kaspersky stop it?

    • @user-od4gs3iu4t 2 months ago

      I would check this file myself, but my Portmaster blocked FB/Meta completely )
      I enjoy this freedom and don't want to touch my settings )

  • @zoiuduu 2 months ago

    Can I get a virus just by clicking on a link or visiting a page? You downloaded something and executed it; can you get malware if you just download and never execute it yourself (maybe the PC will execute it automatically after a reboot or something)?

    • @user-od4gs3iu4t 2 months ago

      Yes, it's possible. They're called malicious scripts. The first extension that should be installed in any browser is "noscript". Then some ad blocker with a malicious/phishing filter list. Helps greatly to improve your browser security.
      Any downloads should be carefully checked, including the digital signature, its signer and validity, file integrity etc. And remember that it's always better to download from a reputable file source than from a file exchange server.

    • @sylussquared9724 2 months ago

      Theoretically yes, it's possible; practically no. To get hacked by just clicking on a link you need to be targeted by a vulnerability worth tens of millions. Said vulnerabilities are only used against companies and people governments hate, so just don't be either of them.
      @user-od4gs3iu4t It may surprise you to learn this, but ALL scripts in browsers are sandboxed, meaning they cannot access the machine in any way (unless allowed in very specific ways by the user).

    • @user-od4gs3iu4t
      @user-od4gs3iu4t 2 months ago

      Sylus, have you heard about XSS? Probably not.
      Your other statement is wrong as well. Your browser may access your files, but only after your authorization, which you may give by mistake if you went to the wrong website and thought it was your bank's website, for example. This is a kind of misnomer/phishing attack. And "NoScript" gives you one more chance to recognize that you went wrong )
      No security is perfect, and unlike your statement, something like "the user will just click OK and proceed", this one more notification might be of great value for people who need a secure system running

  • @nonsuch
    @nonsuch 2 months ago

    Why is the page still up? Has it not been reported to Facebook?

    • @tanmaypanadi1414
      @tanmaypanadi1414 2 months ago

      Reporting it needs a certain volume until it goes to human review. It's just not recommended to similar audiences or just goes away from your personal feed.
      It's all systems, plus Google and FB having fired all the human review teams means that thing is going to be around for a very long time.

    • @sylussquared9724
      @sylussquared9724 2 months ago

      Facebook just doesn't care
      Their platform is full of malware and scams and they do nothing about it

  • @charlesdoesmore5488
    @charlesdoesmore5488 2 months ago

    What's more ironic? Facebook's parent company Meta has open source AI models that you can actually run in your PC*
    *PC must have a dedicated GPU or 16GB of RAM

  • @ianthehunter3532
    @ianthehunter3532 2 months ago +1

    Why does everyone have MS SharePoint enabled???

    • @user-od4gs3iu4t
      @user-od4gs3iu4t 2 months ago

      who? where?

    • @ianthehunter3532
      @ianthehunter3532 2 months ago

      @@user-od4gs3iu4t You can see it running at 3:36. It does nothing, it seems; it's just there. I can't find it elsewhere and I don't use it, but it is running in the background.

    • @user-od4gs3iu4t
      @user-od4gs3iu4t 2 months ago

      @@ianthehunter3532 He probably has MS Office or whatever its new rebranded name is. I don't have it; LibreOffice has worked well for me for a long time

  • @chdcomputerstube
    @chdcomputerstube 1 month ago

    I ALWAYS report those pages and ads as scams to Facebook, Instagram, etc., but they keep coming up. I guess as long as those platforms get their share they don't give a dime about their users' personal data, despite their policies, regulations etc. I guess that, at the end of the day, there are some "users" that deserve to have their bank accounts emptied by "A.I."; after all, it will use the money more intelligently...

  • @KooLaidStudios
    @KooLaidStudios 2 months ago

    Anyone with some computer literacy should be able to catch this lol

  • @jonas472
    @jonas472 2 months ago +1

    Okay, but what command is getting run now?
    You completely missed that point.
    All you did was just execute it and then upload it to VirusTotal

  • @fcukgogle9213
    @fcukgogle9213 2 months ago +6

    Just a small thank you for your work and advice; it's been very helpful.
    I just wanted to ask what you think about the current emergence of AI and how it may be used both against us and for protection, thank you.

  • @yoppindia
    @yoppindia 2 months ago +4

    AI vs common sense, stupidity wins

  • @granturismo5917
    @granturismo5917 2 months ago +1

    always unplug your router before clicking on anything you just downloaded

    • @user-od4gs3iu4t
      @user-od4gs3iu4t 2 months ago +7

      To begin with, you don't need to unplug anything if you have a configured firewall. Second: this is not always enough to protect your computer from malware. And third: it's more rational to let your AV stay connected to its database and cloud center for better protection

    • @tanmaypanadi1414
      @tanmaypanadi1414 2 months ago

      I just learned to use the MSFT sandbox. It should keep things neatly contained for regular users who don't trust something, and I don't need special permissions from the admin; unless your company policy is different, in which case reach out to them.

    • @sylussquared9724
      @sylussquared9724 2 months ago

      @@user-od4gs3iu4t Firewalls have nothing to do with this

    • @user-od4gs3iu4t
      @user-od4gs3iu4t 2 months ago

      @@sylussquared9724 Firewalls won't allow any unknown applications to send/receive anything to the internet. The newly installed utility thus has to use flaws and backdoors in the system to get what it is supposed to. It's not a perfect security feature, but general system security is made of a bunch of hardened and restricted components, and can never protect from all the risks; instead it reduces the risks according to the Swiss cheese model

    • @tablettablete186
      @tablettablete186 2 months ago +1

      This could have the unintended effect of stopping AV cloud analysis

  • @mohammedzz8533
    @mohammedzz8533 2 months ago

    I thought as soon as you click the link you'd get hacked. Is it possible??

    • @tanmaypanadi1414
      @tanmaypanadi1414 2 months ago +1

      Listening to what Pegasus (NSO Group) does, from the various reports, you don't even need to click anything. As long as the device is on, it just targets you remotely based on your phone number or eSIM.
      I have heard it works on both Android and iOS. Initially it had the limitation of having to be sent via email or WhatsApp and Telegram chat applications, but there was mention of a zero-click install.
      It only gets removed when the device is factory reset.

    • @sylussquared9724
      @sylussquared9724 2 months ago

      @@tanmaypanadi1414 While you are correct, said malware uses exploits worth tens of millions, and Pegasus doesn't waste them on average everyday people.
      Unless a government is after you, you are not going to get hacked from just clicking a link

    • @user-od4gs3iu4t
      @user-od4gs3iu4t 2 months ago

      Malicious scripts. Get some protection with the "NoScript" browser extension

    • @sylussquared9724
      @sylussquared9724 2 months ago

      @@user-od4gs3iu4t No, research what a sandbox is and how browsers use it

    • @user-od4gs3iu4t
      @user-od4gs3iu4t 2 months ago

      @@sylussquared9724 just interesting: do you have a security studies certificate?

  • @mikemainer3009
    @mikemainer3009 2 months ago +1

    😮Just another reason not to use Facebook.

  • @klixikix
    @klixikix 2 months ago

    Once again: thank you for using your reach and bringing attention to this. Every time I try, it feels like a droplet lost in the ocean... this has been going on for a while. We need better protection for Facebook boomers urgently.

  • @EpicHaduZero
    @EpicHaduZero 1 month ago

    I hate that people just literally fall for it

  • @Brandon-sc3rz
    @Brandon-sc3rz 2 months ago

    Why would Microsoft name their browser that? They should've just stuck with Internet Explorer

  • @sudokucoach
    @sudokucoach 2 months ago

    👍👍👍

  • @NickChatzQ0
    @NickChatzQ0 2 months ago

    Can you test Avast?

    • @sylussquared9724
      @sylussquared9724 2 months ago

      Avast, Avira, AVG: all owned by Norton, all terrible

  • @Darkregen9545
    @Darkregen9545 2 months ago +1

    Damn maybe google should scan their cloud for malware lol

    • @yotoprules9361
      @yotoprules9361 2 months ago +1

      that's why they password protect the archive, so that Google cannot scan it.

    • @Darkregen9545
      @Darkregen9545 2 months ago

      Well damn, maybe Google should make it a default feature to unpack everything uploaded to their cloud, bypassing password-protected folders

    • @yotoprules9361
      @yotoprules9361 2 months ago

      @@Darkregen9545 do you expect them to brute force every single archive uploaded to their servers? That would take literally billions of years, it's not feasible.

  • @Lawlor.
    @Lawlor. 2 months ago

    Thing is, if Microsoft created a strong antivirus then they'd have to make it paid, so yeah, MS Defender is trash.
    I suggest having some second-opinion scanners plus ad blockers, and don't download everything from unknown websites

    • @user-od4gs3iu4t
      @user-od4gs3iu4t 2 months ago

      Yeah. No guarantee that MS Defender will stay in good shape, or that it won't get some paid version like a subscription. But the base principle is not to rely on AV active defense, but instead on HIPS and other proactive features. Cloud-based defense is OK for an average user as well, I guess

  • @xellaz
    @xellaz 2 months ago +1

    If you are using Linux, that .msi file wouldn't have worked. 🤪

    • @staying_substantially6186
      @staying_substantially6186 2 months ago

      Well, of course. Most attacks are targeted at Windows because, realistically speaking, most people who used that link were Windows users. Probably 95% of them or even more

  • @Xsiayd
    @Xsiayd 2 months ago

    A F$&@% Here we go again.

  • @commanderpaladin
    @commanderpaladin 2 months ago

    Hi. If the website has Cloudflare your tool won't work xD

  • @Dargini
    @Dargini 2 months ago

    Maybe they should use AI to find these malware sites 😂

  • @Lawlor.
    @Lawlor. 2 months ago

    MS Defender doing nothing, as always

    • @lifeindivine
      @lifeindivine 2 months ago

      Isn't Microsoft Defender Enough? Why not?

    • @Sitharii
      @Sitharii 2 months ago

      @@lifeindivine Check at 05:18: it said that Windows Defender didn't detect the threat.

  • @jondo7680
    @jondo7680 2 months ago

    Hack me? With a password-protected RAR? Lol. Guess what, I know how these models are supposed to look because I made one myself xD

  • @ghostpro007
    @ghostpro007 2 months ago +1

    Windows Defender is absolute trash.

  • @kingvornex954
    @kingvornex954 2 months ago +1

    If I change the HKEY_CLASSES_ROOT\cmdfile\shell\open\command default value to cmd.exe /k "%1" %*, will it prevent the cmd window from automatically closing and maybe let me see what cmd did?

  • @dyanosis
    @dyanosis 1 month ago

    The biggest red flag is the address bar: Google's actual AI page would probably not have a URL ending in "AI.ultra.new". Which implies that there's an original "AI.ultra" and potentially "AI.ultra.old"... and "AI.ultra.newer", etc.
    Though I do find that nowadays a lot of people have forgotten how to read (if you don't believe me, just go to any Posts or Comments tab for any mod for a game and behold people failing to read before posting).