How to not get hacked: real example

Captions
They keep trying to hack me, so I might as well turn it into an educational video and workshop. I just received this email from Blackmagic Design, which is the company behind the popular editing software DaVinci Resolve, and this one is actually quite well formatted. As you can see, it's sent by Sarah White: "I hope this message finds you in high spirits. My name is Sarah and I'm the PR manager at Blackmagic Design. We're following your channel and would like to offer a partnership with us." Then it tells me about DaVinci Resolve. It says they're interested in a full review or a 60-second pre-roll. I don't do either of those; a lot of YouTubers do. The price will vary depending on the type of advertising, reply for more information, thank you for exploring this opportunity. This is actually the best-formatted email I've ever seen from people trying to send me malware. Off the top, there's nothing that's really suspicious here except the domain. Now, this could obviously be a PR firm's domain, so that's not necessarily an immediate red flag, but if we go ahead and try to visit it, as you'll see, it's a weird Japanese website that has nothing to do with PR. I did reply to their email saying "send me your offer", and I got this in return: they sent me a Google Drive link, and if you open it there's something called "YouTube deal", which is a ZIP file, and inside we have a promotional video and then "agreement.scr". Now, one of the things we're going to do in this video is analyze these files, and I'm going to tell you how you can tell if somebody's sending you malware beyond just the superficial indicators like the file type. Of course it shouldn't be an .scr if it's a PDF, but as you can see, once you extract this it does look like a PDF, and a lot of marketing execs are not going to know what an .scr file type is. They might think it's similar to PDF or some kind of document extension, but of course on Windows this is going to act like a full executable application.

Another thing to note is the size: 658 megabytes. One of the things I want to do is compare this contextually with an actual PDF file, just to show you the differences so you understand how files work. So this is a real PDF file, Shakespeare's plays; well, thankfully they're not going to be encrypted by ransomware in this video. The interesting thing, of course, is that since I have Edge as the default application, they even show up differently. I'm guessing this is trying to mimic the Acrobat icon, so if I had Acrobat installed on this system they would probably look very similar. But none of that really matters, because if you look into the file content you're going to be able to tell that these are entirely different things, and I'm going to show you how. So let's open up a hex editor. Now, this can be anything; you can even open it up in Notepad if you like. But if we compare the actual bits of the data, with both of them side by side (I'm just going to go into Analysis, Data Comparison, and we'll tell it horizontally, and that should be good), now you can actually see the data inside the file once it's decoded to text, and you clearly see the differences. One file starts with %PDF, Creator Mozilla/5.0 Macintosh AppleWebKit, so this is essentially giving us the metadata: generation data for the PDF, creation date. This is what a PDF header is going to look like, the first bits of data when you actually read it. On the other hand, this other thing that may look like a PDF on the outside starts inside with "MZ" (those are actually the initials of the guy who came up with the MS-DOS executable format), and then we've got "This program cannot be run in DOS mode", and then we've got a "PE" and then some other data. Now, this is the starting signature of the Portable Executable format, or an EXE on Windows. And just like that, by looking at the data inside an application, the start of the data, you can tell what a file actually is. Now of course you could have done it much more easily just by going into Properties and looking at the extension, but you never know; in the future they might find a way to mask that or make it even more confusing, but this method is always going to work. They cannot hide the actual signature inside the file; they cannot change the actual file structure, because then the application is not going to work. If it's an actual PDF, it's going to behave like a PDF.

Now, as usual, another thing about this file is that most of it is empty space, unlike the real PDF file, which is filled with real data, because, guess what, when we open this we've got tons of text in it. All of this is data that needs to be stored, whereas this one is only pretending to be a 600-megabyte file so it can escape the scanners; the actual malicious code does not take up that much space. So there's a little bit of code and then a bunch of crap at the very end. In order to analyze this I'm just going to try to find the tail of it, delete the rest, and save it, and you'll see how much size we're able to drop that way. Say we start from here; we're done, and if we just go ahead and save it, it's going to create a backup, of course, but it's going to take a while because we're deleting a ton of data here, hundreds of megabytes literally. When it's done, as you can see, we've reduced the size to only 15 megabytes. What amazes me, though, is that it is still very easy to share such files via Google Drive. Google hasn't found the technology to be able to scan large files inside archives, and at the end of the day it may never be possible to do that, so this is going to be a very potent threat vector for everyone. So if you're getting any kind of archive via Google Drive, any kind of online cloud sharing platform, do not open it, especially if it's password protected, because what that means is that the file cannot be analyzed. If you must open it, then at least do what I did and look into the actual contents of the file before you double-click on it. This may not work on people like me who did malware analysis as a job, but if I was, let's say, a gaming YouTuber, or even worse a cooking YouTuber, somebody who's not necessarily spending a ton of time understanding files and things on Windows, it would be very natural for me to just open up the agreement, just to see what it is in the moment. This is exactly how Linus got hacked: one of his employees, who again is a marketing exec and may not be an expert on tech, ended up opening a similar file.

Now, every time I make one of these videos there are always a lot of comments saying, well, it's not really useful to me, because what he said, that mumbo jumbo, makes sense to you, it does not make sense to me. And I totally understand: if you're a layperson and you're looking at this hex editor view, you are not going to be able to make sense of the stuff that you're seeing unless you've studied file types. You're not going to know that this is how a PDF starts and that this is how a PE/EXE starts. This is stuff you have to learn, or you learn from experience. But if you don't want to do that, then you can obviously rely on a secondary source for the analysis, so you can upload the file to VirusTotal. But of course it's going to be challenging if the file size exceeds 650 megabytes, because VirusTotal is not going to be able to analyze it. I wonder why it's 658 megabytes and not 649 or 630.

This is exactly what the attacker is counting on. They're counting on the fact that you're not going to be able to analyze it on VirusTotal; the cloud scanners are not going to be able to analyze it because they're relying on similar APIs and similar scanners, and they're going to have size limits; and even your antivirus is not going to be able to do a quick cloud lookup. So if it's an AV like Windows Defender that heavily relies on cloud lookups, you may not be able to look up a file that's this big, and as a result it's going to bypass all of those defenses and go straight through. But by using the technique I just showed you, you can reduce the size, and then it's going to be analyzed by everybody. It's also worth noting that this is why I recommend having a good real-time antivirus that's analyzing your processes, because it's actually running on your system for real, checking the actual code that's being executed, and that is not the same as looking up a file in the cloud; it's a totally different thing technically. But in any case, just be really careful with password-protected archives. VirusTotal is pulling up some nice detections for it: a lot of scanners are detecting it. Microsoft tags it, of course, as a Trojan, MSIL Sotos; Kaspersky flags it as a stealer. But that's still only 25 engines out of 70 that are able to detect this file, even after I've reduced the size, and this is again to show that the cloud implementation of engines is not really the best way to detect sophisticated malware; it often doesn't work. Now if we go ahead and run this with Process Explorer open, it's going to load up and disappear, but what it's doing essentially is trying to harvest all the credentials on this machine, do its job very quickly, and send the data to the attackers. It may have realized it's just a virtual machine, but essentially it's probably looking for browser credentials, trying to see if my YouTube details are in there, and it's going to send them straight to the attackers, and then they can hack my YouTube channel, maybe upload some crypto scams for you guys.

But hopefully this shows how difficult it can be sometimes to figure out if something is malicious or not. And again, I've worked as a malware analyst; everybody's not going to have the experience to know each of these small details, and the emails don't always look silly. As you can see, this is a pretty professional-looking email. It's not all that different from the standard sponsorship emails I get, and I do get emails from domains that are not associated with the company, because a lot of the time the companies have a PR agency or a third-party marketing agency that's doing sponsorships for them or acting on their behalf to get to influencers. So it is not uncommon to get an email about a company ad that's not from that company itself. The subject is a bit weird, though: "advertising co-location with Blackmagic Design" and stuff, collaboration. Well, you know what, now that there's ChatGPT and everything else, it's easier than ever to generate legit-looking emails or legit-looking sponsorship inquiries. So even if the creators can't figure out how to learn English in 20 years, they can just outsource that problem to ChatGPT. I think it's going to be quite insidious for scams, so now more than ever, having a little bit of in-depth understanding of how things work on your system is going to be invaluable. So I hope you found this video helpful. Now we're going to do a lot more: we're going to do a real-time workshop. It's going to be set up as an event on The PC Security Channel Discord; I'd love for you to join in. You can do it by going to discord.tpsc.tech or clicking the link in the description, and then you're going to be redirected to the event; you can just select "interested". We will be doing it this Saturday, 8pm London time, so morning or afternoon in the States. Please like and share this video if you enjoyed it. Thank you so much for watching, and now to our sponsor.

This video is brought to you by CrowdSec, an open source intrusion prevention system. As we were just talking about getting hacked, CrowdSec can prevent hackers from accessing your network, doing a brute-force attack on your system, DDoS, stuff like that. It is entirely free to join and use, and it is a community-based solution. They also recently launched CrowdSec Academy, which is a great way to learn more about this stuff. They have different courses; you can even get a little certification for each of these, and these are going to teach you how to take full advantage of this open source tool, how to write different parsers and scenarios for it. It is multi-platform: you can install it on Linux or Windows, but as some of you have struggled with the Windows installation, I'm going to do it right here, right now. So we can download the latest MSI file from their GitHub, just a normal installer, and once this is done there are a couple of additional steps. You will need to create an account on their online platform, and then you can go ahead and enroll a new security engine. This is the tricky part: you're going to have to navigate to the CrowdSec directory, open a new terminal there, and then paste in that command. Then, when you refresh the page, you're going to get a new request to enroll this machine onto your dashboard, and once you do that, boom, you've got a brand new system. We've got 37 scenarios built in for different CVEs, different vulnerabilities, backdoor attempts. You can also decide to use certain blocklists, so you can browse through the available blocklists; if I want to stop cybercrime-related IPs from connecting to this computer, I can just subscribe to the Firehol tracker list. As you can see, this list contains command and control IP addresses. By default, though, CrowdSec can only alert you; if you want to block things automatically using the Windows Firewall, you can go ahead and download the Windows Firewall bouncer. This is also available on GitHub, so all you have to do again is just download the setup, run the installer, and you're good to go. You might want to restart the service to make sure everything is running. That's pretty much the install process. Feel free to ask any questions during the workshop we're going to be doing; don't forget to tune in on Saturday for that. Thank you so much for watching, this is Leo, and as always, stay informed, stay secure.
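Worked example (added here; this is not code from the video or from The PC Security Channel): the two checks the captions walk through by hand in a hex editor, done programmatically. `classify()` identifies a file by its leading bytes (`%PDF-` for a PDF; `MZ` plus the `PE\0\0` signature at the offset stored in the DOS header's `e_lfanew` field at 0x3C for a Windows executable) instead of trusting the extension or icon, and `trailing_padding()` / `strip_padding()` measure and remove the inflated tail so the file fits under scanner size limits. The sample inputs are constructed stand-ins (a tiny fake PE padded with 600 KiB of zero bytes in place of the 658 MB `agreement.scr`, and a short PDF header); the assumption that the padding is a run of identical 0x00 bytes is mine, not something the video states.

```python
"""Identify a file by its leading bytes and measure trailing padding.

Added example, not the video's code. Assumes the inflating padding is a
run of one repeated byte (0x00 by default) appended after the real content.
"""
import struct

PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"          # DOS header magic ("MZ" = Mark Zbikowski)
PE_SIGNATURE = b"PE\0\0"  # start of the PE header, at offset e_lfanew


def classify(data: bytes) -> str:
    """Return 'pdf', 'pe', 'mz-only' or 'unknown' from content, not extension."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(MZ_MAGIC):
        # The DOS header stores the PE header offset as a little-endian u32 at 0x3C.
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
                return "pe"
        return "mz-only"  # DOS-style header without a PE header behind it
    return "unknown"


def trailing_padding(data: bytes, pad_byte: int = 0x00) -> int:
    """Number of bytes at the end of the file that are just the pad byte."""
    return len(data) - len(data.rstrip(bytes([pad_byte])))


def strip_padding(data: bytes, pad_byte: int = 0x00, min_run: int = 1024) -> bytes:
    """Drop the trailing pad run if it is at least min_run bytes long.

    Small runs are kept: real executables legitimately end in a few zero bytes.
    """
    pad = trailing_padding(data, pad_byte)
    return data[:len(data) - pad] if pad >= min_run else data


def hexdump_head(data: bytes, length: int = 64, width: int = 16) -> str:
    """Hex-editor style view of the first bytes: offset, hex, printable ASCII."""
    lines = []
    for off in range(0, min(len(data), length), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{ascii_part}|")
    return "\n".join(lines)


def report(name: str, data: bytes) -> dict:
    """Summary a triager would want: what it really is and how much is filler."""
    pad = trailing_padding(data)
    return {
        "name": name,
        "kind": classify(data),
        "size": len(data),
        "padding": pad,
        "padding_ratio": round(pad / len(data), 3) if data else 0.0,
    }


def make_fake_pe(padding: int) -> bytes:
    """Constructed stand-in for agreement.scr: DOS header, stub text, PE sig, padding."""
    pe_offset = 0x80
    header = bytearray(pe_offset)
    header[0:2] = MZ_MAGIC
    stub = b"This program cannot be run in DOS mode.\r\n$"
    header[0x40:0x40 + len(stub)] = stub
    struct.pack_into("<I", header, 0x3C, pe_offset)
    # PE signature, Machine = 0x014c (i386), zeroed header fields, then a little "code".
    body = PE_SIGNATURE + b"\x4c\x01" + b"\x00" * 32 + b"fake code section"
    return bytes(header) + body + b"\x00" * padding


# Constructed samples (not real files from the video).
SAMPLE_SCR = make_fake_pe(600 * 1024)   # 600 KiB of zero padding stands in for ~600 MB
SAMPLE_PDF = (b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"
              b"<< /Creator (Mozilla/5.0 (Macintosh) AppleWebKit) >>\nendobj\n")

if __name__ == "__main__":
    for name, blob in (("agreement.scr", SAMPLE_SCR), ("shakespeare.pdf", SAMPLE_PDF)):
        print(name)
        print(hexdump_head(blob))
        print(report(name, blob))
        print("after strip:", len(strip_padding(blob)), "bytes\n")
```

The `e_lfanew` lookup is what separates a genuine PE from something that merely starts with "MZ"; a file that passes `classify() == "pe"` will be loaded by Windows as an executable regardless of what its extension or icon claims. `strip_padding()` is the automated version of deleting the tail in the hex editor: run `classify()` again on the result to confirm the header survived before uploading the smaller file to a scanner.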
Info
Channel: The PC Security Channel
Views: 388,796
Keywords: The PC Security Channel, TPSC, cybersecurity, cyber security, computer security, internet security, antivirus, anti malware, ransomware, trojan, virus, PUP, best antivirus, best internet security, learn cybersecurity, hacking, hack, security, technology, cyber insurance, cybersecurity degree, best EDR, EDR, how to not get hacked, youtube hack attempt, they tried to hack me, real example of hacking attempt, real example infostealer, malware analysis, don't get hacked, hacking tutorial
Id: 6K89f4zxMYw
Length: 13min 54sec (834 seconds)
Published: Fri Aug 04 2023