Fake MAS Windows Activation Domain Used To Spread PowerShell Malware (bleepingcomputer.com)
An anonymous reader shares a report: A typosquatted domain impersonating the Microsoft Activation Scripts (MAS) tool was used to distribute malicious PowerShell scripts that infect Windows systems with the 'Cosmali Loader'. BleepingComputer has found that multiple MAS users began reporting on Reddit yesterday that they received pop-up warnings on their systems about a Cosmali Loader infection.
Based on the reports, attackers have set up a look-alike domain, "get[dot]activate[dot]win," which closely resembles the legitimate one listed in the official MAS activation instructions, "get[dot]activated[dot]win." Given that the difference between the two is a single character ("d"), the attackers bet on users mistyping the domain.
If you need to "activate" your operating system... (Score:2, Insightful)
Re: (Score:2)
Came here to say this but with slightly different snark
e.g. now do the official site
Re: (Score:2)
You are truly running the dumbest ad campaign of all time
Re: (Score:3, Interesting)
Average Linux user, stereotypes exist for reasons
Because of this I am installing 11 more Windows 11 machines just for your shit attitude
Re:It's almost 2026 (Score:5, Insightful)
If you are still tethering yourself to proprietary software and anti cheat enshittified games
The reason for malware has nothing to do with the fact that Windows is proprietary. Linux users are just as much subject to these kinds of attacks.
The main issue is that Windows ships with admin/dev tools such as PowerShell, Start+Run, and command prompt - that Windows users do not understand, but social engineering attacks can persuade the users to do dangerous things. Such as paste clipboard commands into it.
Linux does not improve in this area... in fact; Linux makes it worse.
Sure; Windows PowerShell:
irm (URL) | iex from a PowerShell prompt is dumb shit.
URL can be easily typo'd, and there is no verification or confirmation. It's blind trust: run arbitrarily whatever comes in over HTTPS.
But Linux users will follow instructions to do something that is just as much dumb shit called:
curl (https://linkshortner) | bash
Or even dumber:
curl (URL) | sudo bash
curl (URL) | pkexec bash
Whatever.
If you think for a minute the same kind of typosquatting and ClickFix exploits are not actively exploiting Unix/Linux users too, then I got extremely bad news for you. Linux may actually fare worse than Windows in this area. At least in the Windows world - a couple more manual steps are usually required to elevate.
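A defender's alternative to the blind `curl URL | bash` / `irm URL | iex` pattern the comment above describes, added here as an example (not code from the article or any commenter): fetch to a file, compare the host character for character against an allowlist, check a pinned SHA-256, and only then run. The allowlist entry is the domain the article names from the official MAS instructions; the function names and the constructed test file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article: replaces "curl URL | bash" with
# allowlist check + pinned hash + run, so a one-letter typo in the host
# or a changed script is refused instead of executed.

# Exact hosts you expect to fetch from. The value is the domain the article
# says appears in the official instructions; the list itself is constructed.
ALLOWED_HOSTS="get.activated.win"

# Extract the lower-cased host from a URL (strip scheme, path, userinfo, port).
url_host() {
    h=${1#*://}; h=${h%%/*}; h=${h##*@}; h=${h%%:*}
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# 0 only when the host equals an allowlisted host exactly; get.activate.win
# (missing "d") and get.activated.win.evil.example both fail.
host_allowed() {
    host=$(url_host "$1")
    for a in $ALLOWED_HOSTS; do
        [ "$host" = "$a" ] && return 0
    done
    return 1
}

# SHA-256 of a file, using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# 0 only when the file's digest equals the pinned value.
hash_matches() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# The replacement for the one-liner: fetch, verify, then run.
safe_fetch_run() {
    url=$1; expected=$2
    host_allowed "$url" || { echo "refusing: host not allowlisted" >&2; return 1; }
    tmp=$(mktemp) || return 1
    curl -fsSL "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
    if hash_matches "$tmp" "$expected"; then
        sh "$tmp"; rc=$?
    else
        echo "refusing: hash mismatch (script changed or wrong source)" >&2; rc=1
    fi
    rm -f "$tmp"; return $rc
}
```

The pinned hash has to come from the project's release page or another channel than the script URL itself, otherwise the check adds nothing.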
Re: (Score:3)
The main issue is that Windows ships with admin/dev tools such as PowerShell, Start+Run, and command prompt - that Windows users do not understand, but social engineering attacks can persuade the users to do dangerous things. Such as paste clipboard commands into it.
If you ever try to run office365 from firefox with script blocker: Microsoft uses 5-10 different domains (live[dot]com, live365[dot]com, office[dot]com, office365[dot]com, microsoft[dot]com, ...) for an online word processor. Domain names used to load scripts from change wildly between authentication, actual application and surrounding feature set, few people will ever be able to tell, which domain is held by Microsoft or some other malicious entity. A domain name (especially with a TLS trust chain) used to
Re: (Score:2)
few people will ever be able to tell, which domain is held by Microsoft or some other malicious entity.
A query of domain against the WHOIS service generally answers the question.
If the registrar is MarkMonitor, then you can guarantee the legitimate registrant is at least an enterprise if not Microsoft.
The bigger concern people should have is that any one legitimate domain can become compromised by a malicious entity.
Due to the legitimate entity failing to keep up to date all SMTP security requirements, etc
Re: (Score:2)
few people will ever be able to tell, which domain is held by Microsoft or some other malicious entity.
A query of domain against the WHOIS service generally answers the question. If the registrar is MarkMonitor, then you can guarantee the legitimate registrant is at least an enterprise if not Microsoft.
This is nice for us to know, but Joe Shmoe Microsoft user will not be able to make that determination and can, unfortunately, not rely on amateur-level sanity checks like "the message comes from microsoft.com, so it's probably legit". This is what we teach our friends and relatives: "no, USPS/DHL/UPS won't contact you from a delewareflowers.com domain". And Microsoft actively destroys this one bit of helpful information through their pathetic domain name setup.
Due to the legitimate entity failing to keep up to date all SMTP security requirements, etc, such as NS records, DMARC, SPF management records, for all domains.
Or for that matter failure to manage what URL endpoints may exist behind every domain, allowing for exposures by way of some obscure outdated URL endpoint that allows an arbitrary redirect or HTML content return. Such as the old "https://example.com/?content=X... returns a document with exactly raw content XYZ" vulnerability.
We wouldn't need any of these, at least in this case
Re: (Score:2)
We wouldn't need any of these, at least in this case here, if the link contained therein pointed to a domain, which even imbeciles could positively identify as legit. No, get[dot]activate[dot]win" does not fit into this category.
The activate(d) dot win domain, or whatever the heck it is, or anything similar, is not a domain Microsoft ever pointed anyone to anyway.
I would dare say this entire article is about a tool used for software piracy being impersonated by a different type of pirate.
People trying to
Re: (Score:2)
Thank you for calling this out.
The fact that these one-liner installers are becoming an increasingly common method of installing software is utterly insane - and even more dangerous.
The solution (probably) isn't to lock down OSes to prevent this. But at a minimum, developers need to be tapped with a pitchfork for trying to officially distribute their software in this fashion. Doing so is normalizing bad habits.
One of many examples: the official installation instructions for the Deno JS runtime [deno.com] are one-liner
Re: (Score:3, Insightful)
Re: (Score:3)
Your completely shit attitude does nothing to change that Windows itself *is* malware anymore.
Re: (Score:2)
Re: (Score:2)
What the other commenter completely ignored is that I am NOT saying that Windows (currently version 11) would be the best option, far from it. What I am saying is that Linux is failing to be a viable alternative for the average Joe, because if you have three Linux developers arguing about how they should make a desktop, you end up with three distinct desktops where none of them are good enough, thus forcing th
Re: (Score:2)
No you don't. You end up with three distinct desktops where none of them are perfect for everyone, but where everyone can find one that works for them (and everyone can find one that is perfect for what they want to do, though they may have to look beyond those specific three). And if you gave the average Joe any of them, put on a theme that vague
Re: (Score:2)
Tip: We will have a Linux desktop truly capable of replacing Windows when Linux developers finally recognize what is good about Windows and copy those go
Re: (Score:2)
YOU want what you consider the good parts of Windows. You don't see many parts of Linux that are strengths FOR YOU. Linux doesn't replace Windows for you.
I'm sure that some developers won't work together because of ego, but a lot of the time it's because people don't all want/need the same things.
I didn't even say anything about my opinion about Windows, so I don't know how you can say I'm blind to its strengths. I guess
Re: (Score:2)
Same thing about the Linux desktop. Today we have more than 300 different distros (and counting), but even so, all of them combined don't account for 6% of the market. If Linux
Re: (Score:2)
Re: (Score:2)
90% of games run on proton now, you have plenty to play)
Thanks for gatekeeping which games I may or may not want to play fuckface.
Hmm, explains why I have (Score:3, Funny)
"Wicrosoft Mindows" installed.
Who owns .win TLD & its registry (Score:4, Interesting)
I thought vendor TLDs and the general proliferation of TLDs was supposed to make The Internet A Better Place (tm). Are you telling me that Microsoft uses .win but doesn't control it?
Re:Who owns .win TLD & its registry (Score:4, Insightful)
Don't you find they control enough things already?
Microsoft TLDs are: .azure .bing .hotmail .office .skype .windows .xbox
Complaint about it not being hosted on a .windows domain.
Control of the .win TLD
Registry Management
The .win top-level domain (TLD) is managed by Famous Four Media, which operates as the registry for this domain.
Delegation and Oversight
The .win TLD was delegated to the Root Zone on March 26, 2015, as part of ICANN's New gTLD Program. ICANN (the Internet Corporation for Assigned Names and Numbers) oversees the approval process for new TLDs and maintains the authoritative list of TLDs.
Purpose and Governance
The .win domain aims to create a dedicated space for online gaming resources, promoting consumer trust and choice within that sector. A Governance Council has been established to involve key stakeholders in the management and direction of the TLD.
This structure ensures that the .win TLD is not only managed effectively but also aligns with the interests of its user community.
Re: (Score:2)
The more I look at this, the less I understand it. This is not a Microsoft -product-, but it's used to activate -Microsoft products-?
Re: (Score:2)
I mentioned they could have used the .windows domain. Go figure.
That's correct. It fixes windows registration. (Score:2)
Windows registration is notoriously buggy, and regularly just refuses to work. This script does a bunch of stuff to force registration.
I believe it works even if you don't have a key. Currently, the biggest use will be getting access to extended updates on Windows 10.
Re: (Score:2)
The more I look at this, the less I understand it. This is not a Microsoft -product-, but it's used to activate -Microsoft products-?
It is a *SCAM*. You exemplify why people fall for it.
Re: (Score:2)
Well, it matches my expectations for Microsoft. Scams have to be believable to work.
(No active Microsoft products here. I have one 12 year old Intel Mac that has a copy of Office for Mac on it, that I can boot up if there's something I can't read on the Mac. Plus I have a Windows 10 machine that I used for a bit of Arduino development. That too sits dead on a shelf.)
Re: (Score:2)
I agree that it's a bit much for Microsoft to control the *.win TLD. But that means they need to be very careful using it. Have a domain name ending in something that's clearly them and less likely to be confused, like *.microsoft.win, and have *that* completely under their control. (It would probably be simpler to just have a TLD of *.microsoft, which I wouldn't have any trouble with them controlling)