Author Topic: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)  (Read 3465 times)


Offline Leslieann

  • * Elevated Elder
  • Thread Starter
  • Posts: 4513
I'm sure many if not most of you saw that LTT (Linus Tech tips) was hacked the other day, they're far from alone, in fact it's happening to hundreds if not thousands daily on Youtube alone and Google isn't/wasn't doing much about it and it can happen to your account as well and not just for Youtube or Google.

Note:
This initially starts like your typical email attachment fake extension scam, it's not.

So how it happens is this...
You get an email, in LTT's case it was disguised as a rules violation, it often includes an attached file. Yeah, yeah, you know about the extensions, but what you may not know is that it's not always a PDF or exe file, heck it doesn't even need a second, hidden extension, it can be a .com file. Meh big deal right, well actually this makes it to where even experts are being fooled because now it can simply look like a legitimate web link, so instead of clicking a link to Youtube.com you're actually opening an attached file named Youtube.com without any other extension. You could get a file or link named Google.com, Geekhack.com, yourbank.com or anything else and it will simply look like an innocent, legitimate link to a website because it IS a link. Once clicked, nothing appears to happen, giving a false sense of security. In actuality, it runs as an SCR file or screensaver which has the same permission as an exe file but now runs in the background.

What is really new is that it then uploads your session tokens and cookies from ANY AND ALL Chrome based browsers, Chrome, Chromium, Edge, Brave, etc. From here, the hackers basically have an exact copy of your browser, logins and credentials.  And because of how Google manages security these days, it doesn't realize it's not you. Even if you're both logged in from two places across the globe. In fact this makes it more of an issue because now you can fight for control and Google can get confused as to which gets priority on a change if you both change a permission at the same time and triggers a bug which can delete files. There's no 2 factor needed, changing passwords doesn't help, booting out all devices is also not going to necessarily fix it if done from the compromised system as it just re-uploads the new tokens as soon as you log back in.

Google is supposedly now working to stop this, however I wouldn't hold my breath as this is a feature, not a bug.
This goes deep into Google's security system and it could require a shift in how they do business, you see they purposely loosened security to make Firefox seem overly annoying, driving users to Chrome and this was how they did it. That said, this hack really did make waves so maaaaybe something will actually happen, if not, we can only hope they will next time they hit someone even bigger.  Side note, this was a Google, Microsoft and Apple initiative to eliminate passwords, not just Google, Google just happened to weaponize it to use against Firefox. My bet is we're going to hear a lot more problems now that this is in the wild before we see an end to it. Care to bet MS fixes Edge (through an OS patch) before Google fixes Chrome? (That's a joke, I don't expect either to make a significant leap any time soon)


So what can you do?
First, note that VERY few anti-virus (A/V) products detect this; because this isn't really taking over the system or accessing system credentials and it has a constantly changing signature, they have a hard time detecting it. A good A/V will flag it, but unless you have it on strict enforcement it will get through and that's often only on corporate style A/V. Not home stuff.
Second, get off Chrome based browsers (Edge, Chromium, Chrome, Opera, Brave, etc), it forces better login checks with Google. Switching to Firefox has the added benefit of allowing you to use a good adblocker (Ublock Origin).
Third, get off of Windows Mail, Outlook or any other email client that hides extensions attachments and links. Even if you enable viewing extensions, it's not enough due to the com files and even the best of us can be caught this way as it can look legitimate. I recommend enabling view extensions AND switching to a web based email or Thunderbird and just never clicking any link in an unsolicited message.
Fourth, if you get a message about a problem go to their website direct, there's going to be a way to view the problem there. Click nothing in the email.


What to do if you do get hacked this way?
Do you want the bad news or the really bad news? This is a tough one because almost everything is linked to your Chrome based browser, which they have a copy of. Your best hope is to make sure you have 2fa enabled (not that I like 2fa), and from an uncompromised system, set a new password and immediately log EVERYTHING out of the account. This will stop them for the time being and you can start rebuilding and recovering but you can never use the infected system at all, ever again (or at least until this is fixed), I recommend shredding the hard drive and possibly the motherboard. Seriously, it's that bad. You have no idea if it hit your bios and you have no idea how deep it got in your system. Any use of that drive and motherboard risks them immediately regaining access, because remember, it's the browser and token that's compromised, as soon as it's online again it can just re-upload your credentials again.

Granted, no one is sure if this has impacted the bios/uefi yet, but do you want to risk it? Harsh I know but you never know if it will reinfect in a day, week, or months down the road. Good luck finding the point of entry at that point and by then you may be doing work from home or have your own business and have forgotten about the whole incident. "I can just air gap it", please don't, proper air gaps are difficult these days. Even I.T. professionals do not want to battle this thing, it's simply too risky, you have very little way of knowing it's gone (it can lay dormant) and if it's not, once it sends out your data the cycle begins again. How many times will you fight to regain control of all of your accounts (not just Google) before you can be certain you finally killed it?

I know, parts are not cheap and it's just more e-waste, no one likes trashing good parts, especially I.T. people, we love to re-use parts, but sometimes you have to and this is one of those times. This thing is brutal to deal with, you don't want to deal with it multiple times. And if you have a business and something gets hit and you decide you just save the parts and wait... Don't. Parts always find ways to be re-purposed and people forget, they also tend to ignore warnings. So unless you lock it in a safe, there's a chance someone at your business will decide to use it. People drive around railroad signs and get hit by trains all the time, do you really think they're going to pay attention to a yellow sticky note saying not to use something that looks perfectly fine? Or you might re-use it for something non-critical only for someone later to re-purpose it for something that is and now it begins again.  Stuff like this is a nightmare so do yourself a favor and rid yourself of it.


And if you think this is bad, just wait for what's coming with quantum computers.
Novelkeys NK65AE w/62g Zilents/39g springs
More
62g Zilents/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 magnetic cable, pic
| Filco MJ2 L.E. Vortex Case, Jailhouse Blues, heavily customized
More
Vortex case squared up/blasted finish removed/custom feet/paint/winkey blockoff plate, HID Liberator, stainless steel universal plate, 3d printed adapters, Type C, Netdot Gen10 magnetic cable, foam sound dampened, HK Gaming Thick PBT caps (o-ringed), Cherry Jailhouse Blues w/lubed/clipped Cherry light springs, 40g actuation
| GMMK TKL
More
w/ Kailh Purple Pros/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 Magnetic cable
| PF65 3d printed 65% w/LCD and hot swap
More
Box Jades, Interchangeable trim, mini lcd, QMK, underglow, HK Gaming Thick PBT caps, O-rings, Netdot Gen10 magnetic cable, in progress link
| Magicforce 68
More
MF68 pcb, Outemu Blues, in progress
| YMDK75 Jail Housed Gateron Blues
More
J-spacers, YMDK Thick PBT, O-rings, SIP sockets
| KBT Race S L.E.
More
Ergo Clears, custom WASD caps
| Das Pro
More
Costar model with browns
| GH60
More
Cherry Blacks, custom 3d printed case
| Logitech Illumininated | IBM Model M (x2)
Definitive Omron Guide. | 3d printed Keyboard FAQ/Discussion

Offline fohat.digs

  • * Elevated Elder
  • Posts: 6462
  • Location: 35°55'N, 83°53'W
  • weird funny old guy
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #1 on: Sat, 25 March 2023, 18:14:34 »
Thanks for this. I have always loathed Chrome and have used Firefox exclusively for what, 15 years?

But I have an Android phone. Does that mean that my efforts are for naught?

And sometimes I plug my phone into my computer via USB to download (and then delete) photos to conserve space. Is that dangerous?

Thank you again for being vigilant for us.
"It turns out that for a decade, whenever Trump wanted to get a loan, or make a deal, he would inflate the value of his real estate. For instance, suggesting that his 11,000-square foot penthouse was a 30,000-square foot penthouse.
And the attorney general of New York knew that Trump's property values were inflated because when it came time to pay taxes, Trump undervalued the very same properties.
It was all part of a very sophisticated real estate practice known as “lying.”
- Jon Stewart 2024-03-28

Offline tp4tissue

  • * Destiny Supporter
  • Posts: 13551
  • Location: Official Geekhack Public Defender..
  • OmniExpert of: Rice, Top-Ramen, Ergodox, n Females
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #2 on: Sat, 25 March 2023, 18:30:45 »
LLann, my day is ruined.  this is going to take forever on all my devices with diff accounts..

if we don't do attachments, they can't get in right ?

how is it that an .scr file can run, does it download from the link, and then auto run?

does this only compromise google login stuff or everything else.



Offline Findecanor

  • Posts: 5035
  • Location: Koriko
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #3 on: Sat, 25 March 2023, 19:36:51 »
How did the downloaded file get permissions to execute, and how did it start running?

Doesn't Google/Youtube hash the user's IP address in the session token?

Offline Leslieann

  • * Elevated Elder
  • Thread Starter
  • Posts: 4513
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #4 on: Sat, 25 March 2023, 23:00:38 »
if we don't do attachments, they can't get in right ?

how is it that an .scr file can run, does it download from the link, and then auto run?
It needs to be run.

However...
That "link" in the email may not be a link to a domain that downloads the file, it can be a link to the attached file.
So they attach a file named "Google.com" and put a link in the email to the attachment. Then when you hover it with a mouse it looks like a link to Google.com (note the lack of http). You click, it launches.

Unless you pay attention to what the attachment is, you probably wouldn't even notice.


does this only compromise google login stuff or everything else.
This whole system was put in place to eliminate the need for passwords and 2fa.

Once a device has been authorized and approved through password,2fa, whatever, the browser stores an authenticator token which acts as your "password", it's this that they're stealing.
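As an added example (my own Python, not code from the thread and not anything from the malware discussed): a scan over a constructed .eml that flags the two lures Leslieann describes, an attachment named like a web address that ends in the executable .com extension, and a body link whose visible label looks like a domain while its target is not an http(s) URL to that host (for instance a link to the attachment itself). The sample message, its sender and file names are constructed, and the list of executable extensions is my assumption.

```python
"""Flag a .com attachment named like a web address, and a domain-looking link
whose target is not a web URL to that host (constructed sample at the bottom)."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Extensions Windows runs as programs when double-clicked (assumed list).
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

# A bare host name such as "Youtube.com", "yourbank.com" or "Geekhack.com".
DOMAIN_LIKE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def attachment_findings(msg):
    """Return (kind, filename) for every attachment with an executable extension."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""
        if ext in EXEC_EXTENSIONS:
            kind = "executable attachment"
            # ".com" is both a Windows program extension and a top-level domain,
            # so "Youtube.com" reads as a web address while being a program.
            if ext == ".com" and DOMAIN_LIKE.match(name):
                kind = "executable attachment named like a web address"
            findings.append((kind, name))
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(msg):
    """Return (kind, visible text, href) for domain-looking links that mislead."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        if not DOMAIN_LIKE.match(text):
            continue  # "click here" style labels are not what this check is about
        host = re.match(r"^https?://([^/:?#]+)", href, re.IGNORECASE)
        if host is None:  # cid:, file:, mailto: ... anything that is not a web URL
            findings.append(("domain-looking link that is not a web URL", text, href))
        else:
            h, t = host.group(1).lower(), text.lower()
            if h != t and not h.endswith("." + t):
                findings.append(("domain-looking link to a different host", text, href))
    return findings


def scan_eml(raw_bytes):
    """Parse raw RFC 5322 bytes and return all findings from both checks."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return attachment_findings(msg) + link_findings(msg)


def build_sample():
    """Constructed message shaped like the lure in the thread; not a real email."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["Subject"] = "Community guidelines strike (constructed sample)"
    msg.set_content(
        '<p>Review the strike at <a href="cid:strike-notice">Youtube.com</a> or read '
        '<a href="https://support.youtube.com/answer">support.youtube.com</a>.</p>',
        subtype="html")
    msg.add_attachment(b"placeholder bytes, not a program", maintype="application",
                       subtype="octet-stream", filename="Youtube.com")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="notice.pdf")
    return msg.as_bytes()
```

Running `scan_eml(build_sample())` reports the .com attachment and the cid: link once each, while the genuine support.youtube.com link and the PDF pass.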

Offline Leslieann

  • * Elevated Elder
  • Thread Starter
  • Posts: 4513
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #5 on: Sat, 25 March 2023, 23:03:30 »
Thanks for this. I have always loathed Chrome and have used Firefox exclusively for what, 15 years?

But I have an Android phone. Does that mean that my efforts are for naught?

And sometimes I plug my phone into my computer via USB to download (and then delete) photos to conserve space. Is that dangerous?

It's ANYTHING Chromium based, regardless of OS.
On Android, use Firefox mobile, it's gotten a LOT better and you can use Ublock on that as well. Plugins work!

The photo thing is fine, to my knowledge this is just a browser exploit.


You're welcome

Offline Leslieann

  • * Elevated Elder
  • Thread Starter
  • Posts: 4513
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #6 on: Sat, 25 March 2023, 23:28:47 »
Doesn't Google/Youtube hash the user's IP address in the session token?

See what I wrote above about how it gets activated, I guess I failed to explain it very well in the original post. I was trying to condense it and it's just a lot to cover and after spending far too long editing I just hit send.

As for the IP:
Google tracks the IP, but not in the Chromium token, only at the server level for ad serving purposes, UNLESS you're on a browser that isn't Chromium based, then they do, again this goes back to them weaponizing this against Firefox. Log in while out of your area and OOPS you need to log in, "Hate to login, use Chrome and you wouldn't have needed to!" It's paraphrased, but yes, they were promoting Chrome that way.

Just my opinion here, but Google doesn't really care about YOUR security only theirs and their ability to track you for serving you ads. Adding an IP to the token means more bits to transfer and verify each time you connect and since the server you connect to tracks your IP and they run tracking on 80% of the internet and control 80% of the browser market, why should they burden themselves with yet another IP tracker and verification. Especially when the device was already "authenticated", I mean, it has a token right, so it must be safe.

I guess no one considered a device being hacked or stolen... 
I even tried explaining these problems over a year ago to a network admin who couldn't understand that just because a device was authenticated and approved doesn't mean it's the same person operating said device, I knew then we were in deep sh*t and it was only a matter of time before something like this happened.


Side rant, this is why it's bad for one browser/OS/whatever to be so dominant, especially by a major corporation who only cares about money, they play hard and loose and you suffer.

Offline Findecanor

  • Posts: 5035
  • Location: Koriko
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #7 on: Sun, 26 March 2023, 05:45:01 »
That "link" in the email may not be a link to a domain that downloads the file, it can be a link to the attached file.
So they attach a file named "Google.com" and put a link in the email to the attachment. Then when you hover it with a mouse it looks like a link to Google.com (note the lack of http). You click, it launches.
WTF ! Who designed it that way?

Offline Darthbaggins

  • Posts: 644
  • Location: Acworth, GA
  • PC Cannibal
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #8 on: Sun, 26 March 2023, 13:05:54 »
Another reason not to click random links in emails - even from trusted sources.  I have to school my mom and family members on this constantly, so far my 8yr old son is the best at listening and schools his friends when they come over lol.  Errant links like this are how City Govt's have been getting ransomware/hacked as well (I know we had to do a full refresh for City of Atlanta, and the tool that caused it still works w/ the city).

 bkrownd:"Those damned rubber chiclet keys are the devil's nipples."   >:D



Offline PlayBox

  • Posts: 199
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #9 on: Sun, 26 March 2023, 13:17:44 »
honestly this is terrifying, even more terrifying than I thought it is. I guess I'll just switch to Firefox (I'll still use Google stuff as long as I'm safe from that)
propably sent from my amazon kindle 10th gen

Offline Leslieann

  • * Elevated Elder
  • Thread Starter
  • Posts: 4513
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #10 on: Sun, 26 March 2023, 15:27:35 »
WTF ! Who designed it that way?
It's the Apple-fication of computers.
I mean, really it's not stupid from a user standpoint, unfortunately it's also a perfect attack vector.


honestly this is terrifying, even more terrifying than I thought it is. I guess I'll just switch to Firefox (I'll still use Google stuff as long as I'm safe from that)
I've been doing I.T. for a long time, worked breaches, done penetration testing, very little surprises or scares me like this does.

As for Google, I still use Android and have a copy of Brave (on phone and desktop) that I use for some things (I use multiple browsers), it's fine to keep using them for some things, but once migrated I would highly recommend you purge as much data as you can from them once you're happy.

People are out there ragging on LTT for the breach but once you see how it works, it's easy to see how some low level employee, especially a non-I.T. person at the company, got caught by it.

Offline phinix

  • Posts: 2294
  • Location: Haggis Land
  • On a diet.. again.. don't ask...
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #11 on: Sun, 26 March 2023, 17:12:42 »
right, so if I understand this correctly - to get infected, you have to click on an attachment or link in the email's content?
Of course the email must come from a dodgy source, so any suspicious email accounts should simply be avoided. Is that correct?
9100 | 3070 | 8TB SSD + 2x 1TB SSD | Z390 Aorus Pro ITX | 16GB RAM | SFX 600W | Sentry 2.0 | Ruark Audio MR1 Mark II | LG OLED 48CX
Realforce 87u55 | CM QuickFire Rapid MX Blacks | NCR-80 87g Gateron Oil Kings | Logitech Pro Superlight
SA: Retro Petscii, 7bit Round6 'Symbiosis', Filco, Carbon Bone Cherry: GMK Laser, OG double shot caps, CRP APL GSA: Retro High-light HSA: Hyperfuse

::: Phinix Cube ::: Phinix Nano Tower ::: Phinix Aurora ::: Phinix Chimera ::: Phinix Retro :::

Offline Leslieann

  • * Elevated Elder
  • Thread Starter
  • Posts: 4513
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #12 on: Sun, 26 March 2023, 20:13:07 »
right, so if I understand this correctly - to get infected, you have to click on an attachment or link in the email's content?
Of course the email must come from a dodgy source, so any suspicious email accounts should simply be avoided. Is that correct?
Yes, but they can spoof email headers and such as well.
In LTT's case I believe it looked pretty legit and was "from" a company they do business with (Youtube).

As mentioned, go to the website direct, never click the link no matter how good or safe it looks unless it was an email you were expecting, like for example when creating an account or verifying another device or something.

Offline tp4tissue

  • * Destiny Supporter
  • Posts: 13551
  • Location: Official Geekhack Public Defender..
  • OmniExpert of: Rice, Top-Ramen, Ergodox, n Females
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #13 on: Sun, 26 March 2023, 22:28:38 »
took all day..   just nuked it all, everything that doesn't need performance all running vm-ware now.

wrote a quick script, it just extracts from a single hardened archive right before initializing vmware on regular windoz.

there are software out there to do this, but i figured because this is a jank setup, no one's gonna bother to hack this exact arrangement of jank.



Offline phinix

  • Posts: 2294
  • Location: Haggis Land
  • On a diet.. again.. don't ask...
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #14 on: Mon, 27 March 2023, 03:07:24 »
right, so if I understand this correctly - to get infected, you have to click on an attachment or link in the email's content?
Of course the email must come from a dodgy source, so any suspicious email accounts should simply be avoided. Is that correct?
Yes, but they can spoof email headers and such as well.
In LTT's case I believe it looked pretty legit and was "from" a company they do business with (Youtube).

As mentioned, go to the website direct, never click the link no matter how good or safe it looks unless it was an email you were expecting, like for example when creating an account or verifying another device or something.

Yeah, cool. I don't click links or attachments anyway, so should be ok :)

Offline Leslieann

  • * Elevated Elder
  • Thread Starter
  • Posts: 4513
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #15 on: Mon, 27 March 2023, 13:09:47 »
right, so if I understand this correctly - to get infected, you have to click on an attachment or link in the email's content?
Of course the email must come from a dodgy source, so any suspicious email accounts should simply be avoided. Is that correct?
Yes, but they can spoof email headers and such as well.
In LTT's case I believe it looked pretty legit and was "from" a company they do business with (Youtube).

As mentioned, go to the website direct, never click the link no matter how good or safe it looks unless it was an email you were expecting, like for example when creating an account or verifying another device or something.

Yeah, cool. I don't click links or attachments anyway, so should be ok :)

For now.
Just wait for V2 or v3 of this when it becomes drive-by malware or self activates in Outlook/Windows Mail.

Offline Darthbaggins

  • Posts: 644
  • Location: Acworth, GA
  • PC Cannibal
Re: the Google/Youtube/LTT/Tesla/crypto scam (widespread and really bad)
« Reply #16 on: Tue, 28 March 2023, 10:14:50 »
right, so if I understand this correctly - to get infected, you have to click on an attachment or link in the email's content?
Of course the email must come from a dodgy source, so any suspicious email accounts should simply be avoided. Is that correct?
Yes, but they can spoof email headers and such as well.
In LTT's case I believe it looked pretty legit and was "from" a company they do business with (Youtube).

As mentioned, go to the website direct, never click the link no matter how good or safe it looks unless it was an email you were expecting, like for example when creating an account or verifying another device or something.

Yeah, cool. I don't click links or attachments anyway, so should be ok :)

For now.
Just wait for V2 or v3 of this when it becomes drive-by malware or self activates in Outlook/Windows Mail.

That's where I would get more worried as that would cause major disruption in businesses/Corps
