StrongPity APT Covets Secrets of Crypto Users

Discussion in 'malware problems & news' started by ronjor, Oct 10, 2016.

  1. ronjor (Global Moderator)
  2. Rasheed187 (Registered Member)
    Solution:

    Always run apps inside a sandbox while being monitored by HIPS, to see how they behave. :D
     
  3. Palancar (Registered Member)
    This attack relies 100% on someone downloading programs and not verifying the signatures; e.g. sha512 sums! We post about the importance of doing this to avoid MITM type hijacks. Apparently due to their success with distribution many users are still not protecting themselves in this way.
     
  4. Minimalist (Registered Member)

    Yes, I agree, checksums can prevent this. Sometimes the developer doesn't provide them, so you have to find them for yourself. Also, getting the binary from the developer's site and the checksum from some other site could be safer, in case the developer's site is breached. Does anybody know of a site where checksums for popular software can be found?
     
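    The cross-checking the two posts above describe (compute the SHA-512 of a download, compare it with sums published by the developer and, where possible, by an independent second source, and treat a missing checksum as "unverifiable"), as an added example; this is not code from any poster or from the StrongPity research. It assumes the common `sha512sum`-style `SHA512SUMS` line format, and `demo()` builds constructed sample files in a temp directory.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# "<hex digest>  <filename>" lines as written by sha512sum; a '*' before the name marks binary mode.
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{128})\s+\*?(\S.*)$")

def parse_sha512sums(text):
    """Map filename -> lowercase hex digest from SHA512SUMS-style text; malformed lines are skipped."""
    sums = {}
    for line in text.splitlines():
        m = SUMS_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def sha512_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte installer never has to fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, *sums_texts):
    """Return "ok", "mismatch", "sources-disagree" (independent digests differ) or "no-checksum"."""
    name = Path(path).name
    published = [s[name] for s in map(parse_sha512sums, sums_texts) if name in s]
    if not published:
        return "no-checksum"          # nothing to verify against: treat the file as unverified
    if any(not hmac.compare_digest(published[0], p) for p in published[1:]):
        return "sources-disagree"     # e.g. one site's SHA512SUMS was rewritten along with the binary
    return "ok" if hmac.compare_digest(sha512_of_file(path), published[0]) else "mismatch"

def demo():
    """Constructed sample data: a genuine installer, a tampered copy and two SHA512SUMS sources."""
    vendor, mitm = Path(tempfile.mkdtemp()) / "vendor", Path(tempfile.mkdtemp()) / "mitm"
    vendor.mkdir(); mitm.mkdir()
    good, bad = vendor / "tool-setup.exe", mitm / "tool-setup.exe"
    good.write_bytes(b"MZ genuine installer bytes"); bad.write_bytes(b"MZ genuine installer bytes + payload")
    sums = f"{sha512_of_file(good)}  tool-setup.exe\n"    # honest checksum file (constructed)
    forged = f"{sha512_of_file(bad)} *tool-setup.exe\n"   # attacker-rewritten copy (constructed)
    return {
        "genuine": verify_download(good, sums, sums),
        "tampered": verify_download(bad, sums),
        "forged_source": verify_download(bad, sums, forged),
        "unlisted": verify_download(good, sums.replace("tool-setup.exe", "other.zip")),
    }
```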
  5. guest (Guest)

    ...or digital signatures. Some people simply execute the file even if there is a big yellow UAC prompt (digital signature is broken)
     
  6. Palancar (Registered Member)
    I am not sure I would use such a site. Then you are extending "trust" to a third party. My .02

    In addition to security, a major plus to signature verification is that it also demonstrates file integrity. If I pull a 1 Gig file through the pipe I want to know it's good to go before I deploy it in my system. This has nothing to do with security. How many times has someone fought with their OS only to find out they are using a software package that came through the pipe with errors? Happens all the time, especially on Windows. Using Linux I generally find the common stuff in the repositories, so digital signatures are automatically confirmed during upgrades, installs, etc. For those outside (special needs stuff) I find the good authors are proud to certify their files with signatures. It shows they care and are performing due diligence for me.
     
  7. itman (Registered Member)
    I don't believe this has been posted elsewhere. It appears that the CCleaner ver. right after the 5.33 server update fiasco might be also compromised along with other software.

    StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?
    https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/
     