
GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 24, 2024 15:16 UTC (Wed) by wtarreau (subscriber, #51152)
Parent article: GitHub comments used to distribute malware (BleepingComputer)

I find the principle of operation really awesome. I mean, how to trust a well-known name on a well-known site. It's comparable in principle to those who were placing high-profile company names inside their domain names or as a host name part of their domain to appear legit to the untrained reader.

Maybe as a fix it could be sufficient to hash the whole URLs and only deliver cryptic hashes for these downloads so that they don't appear more trustable than any other one. Another approach could be to prepend "unsafe-area/" in front of the repository names maybe.



GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 24, 2024 15:26 UTC (Wed) by mbunkus (subscriber, #87248) [Link] (1 responses)

I like the idea of only hashing, but not so much of adding a prefix, whatever it may be. We humans tend to latch on to known things, meaning we might spot a well-known repository name in the URL and then just stop scrutinizing the URL further.

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 15:41 UTC (Thu) by wtarreau (subscriber, #51152) [Link]

There are pros and cons there. One difficulty that may arise with only a hash is that if some deployment systems become popular based on this, users will be trained to trust any hash, thus all of them will look legit :-/ Worse, there will be no way to figure where it was posted. At least with a prefix it can help figure some context.

