Suman Garai, CC, shares some first-hand experience as he explains that it can happen to anyone, even a cybersecurity professional.

Let’s start with some context – who am I and why am I here? My name is Suman. I’m studying for a degree in Computer Applications, and I’m pretty passionate about cybersecurity. I also recently passed my ISC2 Certified inCybersecurity (CC) exam. However – despite my cybersecurity awareness – I’m also the recent victim of a fake download site. Knowing that even someone who knows to take precautions can be caught out, I’d like to share the details of my experience (and the lessons I learned) so you can help protect yourselves and your users.

Fake download sites pose a serious and subtle threat to unsuspecting users by luring them in with the prospect of free or hard to find content while surreptitiously distributing malicious malware and engaging in nefarious activities. Falling prey to these deceptive sites can result in significant consequences that encompass various aspects of an individual or organization:

  • loss of data, privacy and security; identity theft
  • financial losses
  • reputational damage
  • extended damage to contacts, networks and organizations
  • financial penalties
  • legal proceedings

How Did This Happen to Me

Cybercriminals use deceptive tactics, creating fake download sites that deceive people from all backgrounds. They use Google ads to lure-in unsuspecting individuals with promises like free software downloads. They even target popular free software applications such as OBS, commonly used by content creators. The fake sites are carefully designed to look like legitimate ones, making it easier still for someone to fall for their ploy.

Last summer, I succumbed to the temptation of an enticing proposition. The offer was for a complimentary lifetime license for web security testing tool Burp Suite Professional. It’s an important tool that I needed to complete modules on the TryHackMe platform, so it was appealing. Despite having enabled Windows Defender with real-time protection, I managed to download the executable file that was customized to fit my device’s specifications without triggering any warning signals from the Windows Defender system.

But, as I went through the setup wizard and granted administrative privileges, I encountered an unexpected setback: multiple command prompt windows flashed rapidly, raising a red flag. I realized immediately that scripts were running without my explicit consent. Alarmed, I searched online for answers.

During my search, I received a notification on my phone. To my dismay, it revealed an attempt to access my Google account from Brazil. I quickly declined the prompt, followed Google’s recommendation to change my password, and disconnected my laptop from the internet to thwart further unauthorized access.

One Mistake, Significant Fallout

However, I soon discovered that the attacker had already made changes to my Microsoft Defender settings, adding Trojan viruses and backdoors to my system folders in the C: drive, which went undetected due to exclusions. Though I resolved the exclusions issue, my device remained sluggish, and subsequent scans with Defender revealed new strains of malware in just a few hours. To make matters worse, on the third day, I discovered my device was also infected with trojan ransomware, which was exploiting my modest NVIDIA graphics card to mine cryptocurrency.

I started to receive notification chimes from Facebook and Twitter in the late hours of the night. The notifications I received from Facebook regarded posts liked and pages followed – of which, of course, I had no recollection and were unrelated to my interests. Twitter notified me that my tweets had been liked. Upon investigating the matter, I was appalled to discover that my accounts had been compromised. Curiously, the absence of 2FA SMS codes suggested that they were intercepted.

It then dawned on me that my browser had likely been hijacked, granting the hacker unrestricted access to my accounts. Realizing the severity of the situation, I needed to sever the attacker’s access to my accounts immediately. However, changing passwords on my infected device posed further risks. I opted to use my parents’ smartphones and mine to change the passwords promptly, ensuring to clear cache and cookies to preclude residual threats.

After regaining access to my accounts, I discovered that obscure posts had been disseminated from my Facebook account, which I swiftly deleted. Thankfully, no one had received any phishing links. However, my Twitter account had been spoofed to impersonate CZ Binance’s official account, with three, seemingly authentic tweets on cryptocurrency. Surprisingly, the hacker had not deleted my previous tweets. Determined to reclaim control, I diligently worked to restore my Twitter account to its original state, undoing any damage inflicted.

And yet my saga continued: my Instagram and Pinterest profiles were infiltrated. While Pinterest proved to be of little value to them (I had no posts or followers), my dormant Instagram account was not spared. Months after the initial cyber intrusion, a friend sent me a screenshot of a post I had purportedly made on Instagram, claiming that Elon Musk would double any cryptocurrency sent to a particular address.

Denying any involvement, I logged in to discover three identical posts made over a week or two. To make matters worse, my ‘Following’ count had skyrocketed, likely due to my account being used as a bot by the attacker. I checked my Instagram direct messages, which appeared untouched, but it was possible that conversations were initiated and deleted to avoid exposing the compromised state of my account. Realizing the extent of the damage, and considering my account’s prolonged dormancy, I decided to permanently delete it.

Implementing Lessons Learned

Following the hijacking episode, I started revising my cybersecurity measures. I adopted a paid password manager, thereby ensuring the safeguarding of all my accounts through a unique password and a TOTP-based two-factor authentication.

However, the malicious malware that plagued my system rendered it irreparable, ultimately forcing me to reset my computer to its factory settings. Fortunately, I had had the foresight to safeguard my vital files in an external hard drive that remained unscathed by the attack and, by keeping it disconnected, I ensured its safety. While the process was arduous, the extent of data loss was, for me at least, negligible.

Ultimately, my experience highlights the need for continuous education of users. We all know and preach that prudence is crucial in the constantly changing landscape of cyber threats, and that caution and good judgment are essential when downloading software. We advise caution when dealing with unusual files, unknown file extensions, or before opening executable files. Similarly, we advise vigilance in verifying the legitimacy of URLs and recommendations on reputable forums, and to exercise caution even with trusted sources.

Better Help Needed

But do all your users know what these instructions mean? If the lesson is anything, it’s that we need to explain in more detail what this advice means in the real world. Ultimately, “adopt a discerning approach” and “stay informed about best practices” can only help safeguard users if we explain, show and train – and if we keep them up to date with new threats.

Teach users to choose trusted sources like the Microsoft Store, Chocolatey GUI, Patch My PC, or the Win-get commands from Chat-GPT, sure – but also be aware that even reputable sources can be manipulated. Teach them to use virus scans and tools like VirusTotal that can provide extra protection – but educate them to remember that antivirus software is no guarantee against skilled hackers either.

And if the worst happens? Well, in case it’s useful: free software from many of the antivirus vendors can be very helpful in restoring a PC that has suffered a malware attack, if rolling back to factory defaults isn’t an option.

Suman Garai, CC is a cybersecurity professional, with a Bachelor's degree in Computer Applications, specializing in Information Security and Mobile Applications. His academic background encompasses Offensive and Defensive Security, Digital Forensics & Investigation, and IT Governance and Risk Management. He is presently studying for an MSc in Computer Science.