Ryan Chenkie:

Developers, please be careful when installing Homebrew. Google is serving sponsored links to a Homebrew site clone that has a cURL command to malware. The URL for this site is one letter different than the official site.

Note: Google allows the ad sponsors to specify an URL that will be displayed on the ad (original brew.sh here), but the click takes you to the malware domain brewe.sh.

#Apple #HomeBrew #Google #MacOS

Ryan Chenkie (@ryanchenkie) on X

@kravietz @Szescstopni fixed now apparently, but still a bit of a "WTF?" From the Xitter thread: "That's how Google ads work because there are often tracking links. Google will audit this within 24 hours of links being changed but it was likely an established account that got hijacked with these 2fa spam messages"

@srtcd424

That’s how Google ads work because there are often tracking links

Exactly, people explain this like that was 100% normal and expected 😂

@Szescstopni

@srtcd424 @kravietz @Szescstopni And do they not bother to make an automated check through DNS before deploying the ad? Or requiring the same domain??
@kravietz On iOS, Safari already warns about it being a potentially fraudulent site.
However, not on macOS, which I guess would be the more important one.

@kravietz

Ad Networks are simply a security hazard and should be treated like that.

@kravietz This reminds me of a similar time where a malware site popped up for OBS (software largely used by streamers). They did the exact same thing where they used Google ads to get their malicious URL to the top of the search results.

It baffles me that Google lets people *do* this.

@pepyo @kravietz lol, we asked Google, through our own AdWords account manager, with police complaint report and other proof provided, to block an ad campaign to a malicious domain pretending to be us and scamming people (real money scam, not just virus installation), and they said no, because they need a judge order to do that. As if they don't just randomly block whatever they want... As long as the scammer pays, Google protects.
@Laloutre
Google is blackmailing you to buy the AdWords.
@pepyo @kravietz
@Laloutre @pepyo @kravietz
True! And now it's obvious that they were opposing SOPA/PIPA not because they are firm believers in "Information wants to be free", but because they benefit hugely from actual piracy, scams and all that!

@Laloutre

And yet, it just takes a few dozen Russian trolls to send coordinated complaints and get a random video or even a whole channel deleted from YouTube 🤷

@pepyo

@kravietz is there any sense of how long that’s been the case? I don’t use Google myself but I worry for folks in my circles
@ramiro @kravietz It's been an ongoing problem for years now, yet Google's done little to nothing about it. Using an ad blocker should prevent the sponsored search results from showing up.
@kravietz don’t worry Homebrew have conditioned everyone to just copy a curl pipe to shell command into their terminal, what could go wrong?

@hardyjohnson @kravietz this makes me wonder if there's a way to get curl to use an allow list for hosts; if I haven't put it in the list, it doesn't connect. would make me scrutinize anything that didn't work more.

I can't see an option directly, but I think a script wrapper that removed any proxy/noproxy options, added an unresolvable proxy (e.g. notinallowlist.local), and then noproxied the allow-list would do it.

tested it, that works. Let's see how annoying this wrapper gets
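The allow-list wrapper sketched in the two posts above, written out as an added POSIX sh example; it is not the commenter's own script and not anything Homebrew ships. Assumptions: the three-entry allow-list is illustrative, the dead proxy uses the reserved `.invalid` TLD (the commenter suggested `notinallowlist.local`), and curl's `-q` is passed first so `~/.curlrc` cannot reintroduce a proxy setting. The block goes slightly beyond the sketch by also refusing explicit off-list URLs before curl starts, so the exact-or-subdomain rule does not depend on how a given curl version matches `no_proxy` entries.

```sh
#!/bin/sh
# curl-allow: let curl reach only allow-listed hosts.
# Added example, not the commenter's wrapper. The allow-list and the
# ".invalid" dead proxy (reserved TLD, never resolvable) are assumptions.

ALLOW_HOSTS="brew.sh,raw.githubusercontent.com,github.com"
DEAD_PROXY="http://notinallowlist.invalid:1"

# host_of URL -> prints the lower-cased hostname of an http(s) URL.
host_of() {
    u=$1
    u=${u#*://}     # drop scheme
    u=${u%%/*}      # drop path
    u=${u##*@}      # drop userinfo
    u=${u%%:*}      # drop port
    printf '%s\n' "$u" | tr 'A-Z' 'a-z'
}

# host_allowed HOST -> 0 if HOST equals or is a subdomain of a list entry.
# Exact-or-subdomain matching rejects "brewe.sh" and "notbrew.sh" while
# still allowing "www.brew.sh"; a bare suffix match would not.
host_allowed() {
    h=$1
    old_ifs=$IFS; IFS=,
    for entry in $ALLOW_HOSTS; do
        if [ "$h" = "$entry" ]; then IFS=$old_ifs; return 0; fi
        case $h in *".$entry") IFS=$old_ifs; return 0 ;; esac
    done
    IFS=$old_ifs
    return 1
}

# url_allowed URL -> 0 if the URL's host is on the allow-list.
url_allowed() {
    host_allowed "$(host_of "$1")"
}

# curl_allow ARGS... -> run curl with proxy overrides stripped, explicit
# off-list URLs refused, and every other host routed to the dead proxy.
curl_allow() {
    # Pass 1: drop caller-supplied -x/--proxy/--noproxy so they cannot
    # override the wrapper (rotate through "$@", keeping only wanted args).
    skip=0
    for a in "$@"; do
        shift
        if [ "$skip" = 1 ]; then skip=0; continue; fi
        case $a in
            -x|--proxy|--noproxy) skip=1; continue ;;  # option + separate value
            -x?*) continue ;;                          # glued form: -xhttp://...
        esac
        set -- "$@" "$a"
    done
    # Pass 2: refuse before any network access if an explicit URL is off-list.
    for a in "$@"; do
        case $a in
            *://*) url_allowed "$a" || { echo "curl-allow: refused $a" >&2; return 2; } ;;
        esac
    done
    # Pass 3: clear inherited proxy settings, send everything to the dead
    # proxy, exempt only the allow-list; -q must come first to skip ~/.curlrc.
    unset http_proxy https_proxy all_proxy HTTP_PROXY HTTPS_PROXY ALL_PROXY
    http_proxy=$DEAD_PROXY https_proxy=$DEAD_PROXY all_proxy=$DEAD_PROXY \
    no_proxy=$ALLOW_HOSTS NO_PROXY=$ALLOW_HOSTS \
        curl -q "$@"
}

# When run as a script, behave as a drop-in curl replacement.
if [ $# -gt 0 ]; then curl_allow "$@"; fi
```

The pre-check refuses explicit URLs before curl runs; the dead proxy is the backstop for anything the pre-check cannot see, such as an `-L` redirect to another host or a URL supplied through a config file. Requests routed to the dead proxy fail with a proxy resolution error rather than connecting, which is the "anything that didn't work" signal the commenter wanted to scrutinize.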

@bazzargh @hardyjohnson @kravietz Piping to shell is _never_ safe.

https://web.archive.org/web/20250109045029/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

TLDR: it's possible for a malicious site to server-side detect if the script is being curl-piped-to-bash and serve up a different script than the one you think you're getting.

Detecting the use of "curl | bash" server side | Application Security

@skullvalanche @hardyjohnson @kravietz I know this. And I can't catch native code, or python, for example, downloading stuff. But bash+curl is low hanging fruit, a script that sneaks in a curl can be caught, so why not? we shouldn't just throw up our hands and say we'll be more careful in future when it's easy to prevent.
@hardyjohnson @kravietz
For someone less familiar with it, don't most Linux command line installations look like "copy and paste these random commands"?
How is that homebrew's fault?

@blaue_Fledermaus @kravietz

It would be incomplete to mention that my snarky comment does not address the original post, rightfully pointing out a shady business practice of Google's (which has enabled many a typo domain to steal website ranking and distribute malware).

Homebrew is a well maintained open source project! Their maintainers pay for independent security audits and take action on security incidents.

1/x

@blaue_Fledermaus @kravietz

Homebrew is particularly susceptible to this type of typo squatting attack due to the fact it is popular and uses this installation method as its default.

It is not more susceptible than other package managers or installation scripts that use this installation method.

Homebrew does however provide tarballs which can be unzipped w/o the executable installer script which is nice.

It's not really about blame, but one example of a particularly dangerous exploit.

/end

@blaue_Fledermaus @hardyjohnson @kravietz No, most Linux command line installations look like asking the package manager to install it. The package manager uses a standard set of online archives, and downloads are verified cryptographically. Kinda like the Mac app store, in fact.
@mathew
Yes, but for someone unfamiliar it just looks random.
@hardyjohnson @kravietz

@blaue_Fledermaus @hardyjohnson @kravietz What I'm saying is that installing stuff on Linux doesn't generally involve pasting random stuff into a terminal.

https://www.techdrivein.com/2016/04/new-ubuntu-software-center-1604-xenial.html


@mathew
At least in my experience, a lot of software related to programming is not directly available in the app stores, usually the official documentation and other tutorials only give terminal commands (sometimes outdated).
Only rarely is there a (not officially supported) Flatpak or snap.
@hardyjohnson @kravietz
@blaue_Fledermaus @hardyjohnson @kravietz True, but people engaged in programming should know better than to pipe curl to sh. Often there's another way to install.
@mathew
It may be nice to know, but I just want to get the thing running to get going with my work.
Just give me a link to the store with an install button, or a Flatpak, snap, or deb.
Maybe when tinkering on my free time.
@blaue_Fledermaus Absolutely agree, software should be packaged properly for Linux.

@kravietz That is why the best anti-malware software I install on all my clients' computers is @ublockorigin with a good filter list (or a filter-syntax- and feature-compatible ad blocking Chrome-like browser for those who prefer).

#uBlockOrigin, because Google won't direct any of their #surveillanceCapitalism capacity toward scrutinizing the advertiser rather than the user.

@kravietz "Google allows the ad sponsors to specify an URL that will be displayed on the ad (original brew.sh here), but the click takes you to the malware domain brewe.sh."

WAIT WHAT?!!!! 🤯

Google lets advertisers change how a URL is displayed on an ad even when it differs from the actual linked page after clicking on the ad??!! Why in the actual fucking shit is that even a feature??!! 😡 🤬

@Quinn9282 @kravietz That's wild, I don't understand what the reason is for this feature to exist. Even if they allow specifying different URLs, they should at least check you own that domain.
@Quinn9282 @kravietz The answer is that it’s so you can use a tracking URL to redirect people to your site. This isn’t a good reason, though. In fact, it’s a really, really bad reason.

@ramsey @Quinn9282 @kravietz Tracking, landing pages, what have you. Also Google wants to set the bar as low as possible. They do not want to kill more ads than is absolutely necessary.

If it took skill, real marketing know how and so forth, to advertise Google wouldn’t make any money. They need it to be simple.

The real question is this:

How are Google (and others) not held legally responsible for the ads they publish?

@Quinn9282 @kravietz i think that's *always* been a thing, ever since google started selling search ads
@kravietz Long past time people understand "ad company" is synonymous with "malware distributor" and nobody who claims to do security should ever touch anything the company puts out.
@kravietz another reason to use normal search engine, like @kagihq - highly recommend!
@kravietz but first of all, thank Apple for not supplying a proper package manager with their toolchains!
@kravietz the life of a modern hack, eh? The Google dev on twitter will likely fix it now.
But yes, a modern hack ~45 minutes from first report to solution/mitigation, but who knows how many devs had their boxes compromised by that malware cURL? And hopefully Google'll fix it properly and permanently this time.
@Dss Google dev is nobody when faced with Google manager from AdSense profit generating branch 😉
@kravietz sadly true. That's one bad actor stopped, but if it gets in the way of a 0.000003% profit boost from increased ad spend to their $10 billion profits, it might get reversed.
@Dss @kravietz They won't fix it, they'll take down this single ad campaign.
This issue has existed for years; a number of times I've gotten sponsored ads that purported to be from Google's own product, YouTube, including a link indicating www.youtube.com that actually redirected to malware. They do not care, they make money on these malware campaigns, and when someone reports them and they're taken down, they do not refund the originator's funds, so it becomes doubly profitable.
@TechSupport @kravietz Yeah, that was my take too.
"It's very hard to make a man see that something is wrong if his salary depends on it being right" or whatever that quote is.
@kravietz I remember I got some with that one back in the day with a fake iTunes download site
@kravietz I'm imagining someone there asking Gemini if disabling this would reduce ad revenue and it said "yea" so they didn't
@kravietz the registrar's abuse email is abuse@dynadot.com if anyone wants to send a complaint
@kravietz@agora.echelon.pl @dalias look, it's an example in the wild why we shouldn't curl into sh.
@puppygirlhornypost2 @kravietz ah yes, the wonderful omnipresent curl sh antipattern.
Automated Malware Analysis Report for - Generated by Joe Sandbox

@kravietz I asked ChatGPT what the osascript is doing—
"This malicious macOS script steals sensitive data like browser cookies, saved passwords, wallet files, and app data (Safari, Chrome, Firefox, Telegram, Notes). It compresses the data into a ZIP file and uploads it to a remote server. It uses system commands to bypass security, extract keychain passwords, and trick users into entering credentials. After exfiltration, it deletes traces to avoid detection."
@kravietz DuckDuckGo & kagi.com both get it right. Maybe time to change your search engine. 😏
@kravietz why the fuck do they allow that without verifying that you also own that url???

@kravietz "Google allows the ad sponsors to specify an URL that will be displayed on the ad"

What POSSIBLE legitimate reason could there be for this????

@christmastree @kravietz the only thing that makes any sense - more greenbacks for them
@christmastree I wouldn’t call it legitimate but the sole purpose why this exists is that many companies want to display their TLD like example.com in the ad but in reality the click will take you to some kind of tracking company with ugly URL, which they don’t want people to see because no sane person would click on it.
@kravietz Ad blockers are a necessary security policy