Kinda brilliant to disguise malware as a captcha, though. I won’t be surprised.
Usually I warn my 81 year old dad about these scams. Don’t think I need to worry about this one, he wouldn’t be tech savvy enough to find the windows button
When I saw a women get hacked aftermath. They installed remote access software, however in her downloads you could see the 10 duplicates.
The scum fuck scammer on the phone had to spend at least 45 minutes trying to get them to navigate to their downloads and run the installer.
Our elders are safe from this one lol
Sometimes I feel bad for scammers because I know how long it takes just to freaking reset a password on legitimate support calls at work (and usually that’s someone who’s put in a vague ticket saying “software isn’t working” so I emailed them a “I’m not a psychic” email with a link to schedule a call which requires one to schedule on the next business day just to finally talk on the phone and identify what they couldn’t write out in their ticket 2 days ago) but then I remember that they’re fucking scammers and often fully aware of what they’re doing
Same here, nothing to worry about
That’s so sassy I kinda respect it.
Too bad for those who fall for it.
Instructions were unclear, ransomware dev now owes me 0.15 bitcoin.
That is extremely hilarious
Except for the fact that a lot of less tech savvy people will fall for it.
/s no I wouldn’t actually implement it
Yeah, right? Captchas have trained users to do whatever weird thing a webpage tells them to do, so now people will do this without thinking about it.
Yeah I sent the screenshot to my parents right away, I think they would know better but better be safe than sorry.
We now need a “verify you are a captcha” mechanism to counter this.
diabolical
I cant believe they made captcha that only works on windows
You (probably) wouldn’t see this page unless you were on Windows
I tried it and it’s not working for me, my terminal is super+T and paste is Ctrl+Shift+V
Win + R isn’t the terminal but rather the run command.
Ooooohhh… Been using Ubuntu and Mint next to Windows for a couple years and always right-clicked to paste. So that’s the secret sauce!
Shift-insert works too, one key less
But insert is farther than shift :P
The better argument is that many keyboards don’t have an Insert key. I usually use Shift+Insert myself because it’s more likely to work on all terminal types, including Windows and Linux, but have ran into times where I just don’t have an insert, like on my laptop and Chromebook. So yeah, I might switch to Ctrl+Shift+V as my go to.
its not working, my krunner bind is windows+d
Why not Alt+F2?
I have fn lock on for volume and brightness, so that becomes Alt+FN+F2
ah, think this is like one of those survey scams.
Ok, that is kind of clever.
Though I suppose even the dumbest user will chicken out once the terminal pops out.
It seemed odd to me that a Web site could write to or read from the clipboard without the user approving it. That would be a pretty obvious security and privacy issue. From what I gather, on Chrome sites can write to the clipboard without approval, but they need approval to read.
On Firefox and others any access requires permission. Thus this exploit seems limited to Chrome users.@SkaveRat pointed out that it doesn’t require permission, only interaction. So likely there’s a button that’s clicked that writes to the clipboard, and most browsers are susceptible to this.
It seemed odd to me that a Web site could write to or read from the clipboard without the user approving it
Yeah, that’s a security hole that I hadn’t been aware of.
not when there was a user intent like clicking a button.
For example in this screenshot, it’s likely that there’s only the “verify I’m human” button first, you click it, the steps pop up, and at the same time the command ist copied into your clipboard
Exactly, copy requires a click but there’s no rule that the copy button has to look like anything particular
It doesn’t necessarily need a click - it can be triggered by a keypress too (eg at my workplace we have a few internal pages where you can press a keyboard shortcut to copy a shortened URL for the current page).
It has to be something the browser considers a user interaction, meaning the user has expressed an intent to perform the action. That’s usually a button press or keypress.
Why isn’t the default behavior for browsers to not allow access to the clipboard? Similar to how it prompts you for access to camera/microphone
Edit: On a per-site basis, like if you use the Zoom website it asks you for access to the webcam, would something like this work for clipboard as well or would it break stuff?
There is no inherent security problem with changing the content of the clipboard. That doesn’t do anything until the user pastes it somewhere; of course if that “somewhere” is a command prompt, then that is a security problem, but users really ought to check what they’re pasting there before they execute it (yeah, I know, “ought to”).
It would be possible to do it the way you say, but that would mean that the user would need to allow that for many websites; I don’t think copying from apps like Google Docs would work anymore, and “here’s your access token, click here to copy it to the clipboard” features certainly wouldn’t.
The screenshot in the OP would then probably be changed to include a step “click: allow clipboard access”; I think most people who fall for the screenshot in the OP would also fall for that.
Exactly. Furthermore they’d probably just include it in those instructions “Step 1: when the box pops up with clipboard press allow”
The browser can’t access your clipboard contents without permission, but it can place text into the clipboard.
The problem is people the talking the copied text and pasting it into the command prompt.
but it can place text into the clipboard.
Only as the result of a user interaction, for example by pressing a button.
Yeah that’s what I’m curious about; I’m used to copying code snippets or codes from websites by clicking a button (presumably through some browser API?), but am just now realizing that this in itself has security implications.
Using noscript or some such JS blocker would prevent this but break a lot of other things in the process. That’s why I’m wondering why the API isn’t locked down via some user prompt.
In Firefox, you can disable the clipboard events. I’ve done this for the rare case of me copy+pasting a password and forgetting to clear the clipboard after.
On Android, I’ve noticed that it’s possible for apps to read from the clipboard, to read OTP tokens for example. Since I noticed that a while back, I’ve always been wary of the clipboard on any device I’ve used.
That’s a sneaky one.
You’re probably sarcastic but
paste this random line in the run prompt (or what’s it called) and run it
sneaky
Hmm
It opens the run dialog, which I’m sure the vast majority of Windows users have never heard of. This would trick a lot of people who just trust whatever their computer asks them to do.
It’s not sneaky, it’s just people are morons and fall for the simplest shit
Please show some empathy for those who are not as tech literate as you are. Elitism doesn’t look good on you, friend.
I’m not very concerned about looks
Not everyone knows everything. Actually, nobody does.
Computers simply became an easily available necessity, thus you get a lot of computer-illiterate people using computers.
Perhaps it would’ve been fairer to say that they’re morons when it comes to computers
Kinda like you when it comes to social interaction?
Oh snap!
Fairer to call at least 80% of people morons because they don’t know one specific computer feature that is mainly used just by IT people?
Seems like the only moron here is you.
Of course it’s fairer. Before it meant that they’re all around idiots. Now it just says they’re idiots when it comes to computers. There might be aspects they’re not idiots in, but if they’re running random commands, computers isn’t one of them.
Seems like the only moron here is you.
Not when it comes to computers but in some other things for sure
Not morons, just not educated enough about them to understand exactly what the implications of that action are.
You’ve got to remember that these are just simple computer users. These are people of the land. The common clay of the new West.
Are you by chance running Arch btw?
Hah, I used to
