I recently heard about an interesting hack that was targeting software developers, especially those on Linux. It basically tricks developers into installing malware on their computer by way of a fake job interview and downloading code from a public code repository.
During an initial call, the fake company asks you to complete a software development exercise by downloading a project from GitHub. The project, which contains a ZIP file, has a seemingly benign non-executable file named something like “readme․pdf” except that the dot, in the filename, isn’t a simple dot/period but rather a symbol that looks like a period such as U+2024. In other words, the OS doesn’t see a file extension (PDF in this example).
When the developer double clicks on the file, it executes. Typically, on Linux, a user must manually chmod a downloaded file to set the executable flag (i.e. chmod +x readme․pdf). However, since this filed was embedded in a ZIP file, the executable meta data can be preserved. Also, a password is sometimes added to the ZIP file so even smart virus protection software can’t scan the ZIP file.
This is a Homograph Attack using Unicode Deception. Two things to be suspicious of this attack is the zipping of small-sized files and the password on a ZIP.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.