There have been multiple accounts created with the sole purpose of posting advertisement posts or replies containing unsolicited advertising.

Accounts which solely post advertisements, or persistently post them may be terminated.

ghurab ,

This reminds of when I was 13 I used to tell my opponents in Warcraft 3 that pessing alt+q+q quickly reveals the map. It’s a shortcut for closing the game. Worked way to many times

I do see this working

TwanHE ,

ALT+F4 for free funds, opened alot of slots on bfh servers whenever my friends couldn’t join.

sugar_in_your_tea ,

I almost fell for an unrelated scam just a couple months ago. Basically, I was on vacation visiting family, had just gotten a new phone (w/ GrapheneOS, so it didn’t have Google’s network of spam detection), and was out and about at the time. Here’s how it went down:

  1. received text earlier that day saying that my CC was used for an unauthorized purchase (happens a couple times/year)
  2. got a call from someone claiming to be my bank (not one of the popular chains like Chase or whatever)
  3. caller asked me to verify myself through text code, and I didn’t read the text message carefully and provided it (later inspection showed that it was a password reset code)
  4. after going through some (fake) recent transactions, I told them they all sounded fraudulent (they were on the other side of the country)
  5. they asked me to confirm myself again through another code to finalize, at which point I told them they don’t need a second code since I already proved my identity, and they hung up

I immediately went to go reset my password and found I was locked out, so I called my bank. They confirmed that my account had been automatically locked for suspicion of fraud (good job!!) and confirmed what I suspected, the scammer had reset my password (first code) and was attempting to add an external account (second code). Had I given them that second code, they likely would have been able to submit the transfer and it would’ve been a giant headache to try to get that money back.

I didn’t lose anything and I immediately improved the security on my account, but I felt like an idiot for letting them get that far. I had also recently consolidated my other accounts to this one, so this would’ve been a big blow. They changed my account numbers, I changed my username and password, and they held my account for a week or so to ensure everything was good. This bank is one of the few that actually cares about security, so I set up voice recognition (they said they track it anyway, this just turns on an extra feature) and Symantec VIP (I prefer my regular TOTP app, but they don’t support that).

I don’t think it’ll happen to me again, but I was still surprised that I got so far through the process before recognizing that it’s a scam. And I consider myself pretty security conscious (e.g. I use TOTP everywhere, password manager, keep credit bureaus frozen, etc). I guess they got my info from a breach somewhere because they knew my name, my username (to be fair, I used it everywhere), and the bank I use (could’ve gotten lucky). I have since changed most of my usernames to be random, so hopefully I’ll be more safe going forward.

Anyway, stay on your guard, it can happen to you.

Telorand ,

The fact that many banks still don’t have at least app-based 2FA should be criminal.

LDerJim ,

How would that help in this case? “Sir, please accept the pop up from our app”

LodeMike ,

Implementing the open source TOTP system would cost them money! They’ll rather keep paying SMS egress instead.

To be fair it’s probably way cheaper nowadays.

MystikIncarnate ,

Your story reminds me of something that my bank started doing. I got a robocall about something to do with my credit card, and the voice said to verify using x and y using my keypad, I think it was day/month/year of birth or something and I immediately noped out of the call. I hit all the wrong buttons until it got me to a person and I ripped them apart, and their supervisor for basically training their userbase to answer security questions given by an automatic voice on the other end of the line with no way to verify who is calling.

You can spoof your caller ID, you can get a text to speech robocall bot with DTMF recognition and just spam call a whole area where the bank operates and gather a bunch of personal information because it sounds just like the bank and there’s no way to prove who called.

What a crock of shit. It’s a security nightmare.

I did call my bank after at a known valid number, verified them as they verified me, and there was something going on, so the call was legit, and totally unacceptable.

These clowns want us to trust them completely, and give us no reason to do so, but they want us to bend over backwards to validate ourselves. Fuck that.

peopleproblems ,

Step 3 was your earliest big clue. You’ll never give that to a person. You’ll only ever be asked to enter it on the website it originated from.

That being said, the other commentors are right too.

seth ,

Followed instructions but verification failed, seems like nothing happened except dick got stuck in toaster again. Using Arch, btw.

cmrn ,

As someone tech literate that looks hilarious to follow through with.

But if not, that really does seem similar to a normal captcha with fairly simple steps.

x00za ,

Anybody got more info on the actual payload?

powershell.exe -eC [payload_w_base64] is mentioned here.

-eC just means encoded command afaik.

taiyang ,

I wish more people knew what Run… did, but the Ctrl + v should be a little more obvious. We need to teach more computer literacy if you don’t immediately know that means you’re copying text to something.

Especially on a shady site, mind you. But then again, this could be on a phishing email, so that’s not always the case I guess. (I got one from “STARBUCKS” that Gmail didn’t catch, their spam filter has been shit lately, blocking my work emails but letting through a lot of sus stuff).

BetaDoggo_ ,

This is actually pretty smart because it switches the context of the action. Most intermediate users avoid clicking random executables by instinct but this is different enough that it doesn’t immediately trigger that association and response.

kittenzrulz123 ,

Thats why on Linux you need to run the sudo command and type the root password (or user password) to install something. I get this isn’t Linux but its a serious security vulnerability that someone could run a super user level command by clicking yes on a confirmation box that pops up so often that nobody thinks twice.

dch82 ,

But something like this can still erase everything stored in your home folder or launch further exploits to gain root or something.

kittenzrulz123 ,

Its a lot harder and can do significantly less damage if it doesnt have root privileges, its like how putting a lock on the door to your house wont stop thieves but its better then not having one.

dch82 ,

Bruh, let’s say an attacker deleted all of my important documents, say book drafts, and assume I don’t have a backup.

Now my progress has been set back six months and the publisher is angry.

Would I care if they deleted my system files or not?

brucethemoose , (edited )

The behavior is configurable just like it is on linux, UAC can be set to require a password every time.

But I think its not set this way by default because many users don’t remember their passwords, lol. You think I’m kidding, you should meet my family…

Also, scripts can do plenty without elevation, on linux or Windows.

kittenzrulz123 ,

It should be default, its a good security practice and not every app needs super user permissions.

cley_faye ,

The goal is not always to “take control” of the whole system. A cryptolocker that makes all your files unreadable will happily run in user space.

Also, you’re forgetting that windows also have UAC, and that people will happily type the admin password of their device when asked to, because they’ve been conditioned to not care by badly made stuff. And, while win+r is unlikely to work in most Linux DE I know about, triggering a visual prompt that ask for your password is also a thing.

There is not much difference between common Linux distro and windows as far as seizing user files with malware is concerned, aside from the fact that no website will care to try telling you “press alt+space” instead of “win+r”.

Honytawk , (edited )

If Linux was more popular, you would definitely see a Linux variant of this doing the exact same thing.

aniki ,

(Citation needed)

cmnybo ,

You don’t need root access to steal all of the data that your user account has access to.

QuadratureSurfer ,
@QuadratureSurfer@lemmy.world avatar

Just reported by Mohamed Aruham on Twitter

The oldest tweets I could find that actually started reporting this are from ~16 days ago.

x.com/Piotrdotcom/status/1829126494574067992

They reference a page here that was posted on Aug 29th.

niebezpiecznik.pl/…/uwazajcie-na-takie-captcha/

Tylerdurdon ,

So inventive these guys. If only we could harness that ingenuity for the common good instead, it would have a huge impact.

CosmicTurtle0 ,

Fwiw there are a large number of people who volunteer their time and effort toward worthwhile projects. It’s just they don’t get rewarded anywhere near the level of benefit that they provide.

sugar_in_your_tea ,

Yup, I used to do that as a hobby, but now that I have kids, I just don’t have the time. There’s no way I could do it full-time, so I have a regular 9-5 that pays reasonably well for a cause I don’t hate. For me, that’s enough.

I hope I can make enough at my day job to go back to working on FOSS projects before I lose my ability to write competent software.

CosmicTurtle0 ,

When you look at the value proposition purely from a capitalistic standpoint, I get why scammers and black hats exist. I just wish they could point their weapons toward the 1% and pull something similar to a Mr. Robot and redistribute their wealth.

slaacaa ,

https://lemmy.world/pictrs/image/540fb3cc-371d-407c-a0c4-6012b6b5fdfa.jpeg

XeroxCool ,

What’s the plagiarism machine, AI/LLM chatbots?

snekmuffin ,

mhm

Krzd ,
@Krzd@lemmy.world avatar

Yes

explodicle ,

I can’t even download and run the first two, those are business innovations! 🤮

GraniteM ,

“To prove that you are human, donate $$$ to Doctors Without Borders.”

“To prove that you are human, register to vote.”

“To prove that you are human, adopt a pet from the local animal shelter.”

OutlierBlue ,

“To prove that you are human, adopt a pet from the local animal shelter.”

I’ve got 22 cats already, but I need to check my email!

GraniteM ,

PLEASE ADOPT VERIFICATION CAT TO CONTINUE

zephorah ,

That’s going to catch some people, especially older ones.

Rhaedas ,

Yet if I was helping my elders over the phone, I'd get all sorts of "What Windows key?", "I can't find that Control key", or "I did that key, the plus key, and then my hand slipped and I minimized everything."

ininewcrow ,
@ininewcrow@lemmy.ca avatar

General rule of thumb for me to interact with a website and read or watch whatever I want … if you require me to do more than two things to show me the content I came to see, I’m closing the tab or windows and moving on.

If it’s really important and security related, I’ll take my time and carefully examine everything I do.

Otherwise I’m not clicking more than twice and definitely not using my keyboard to see your dumb website or TikTok video.

RisingSwell ,

I don’t think I’ve ever gone through anything with less than 2 captchas in years

madcaesar ,

This isn’t targeting you.

These scumbags are going after the elderly and computer illiterate.

melroy ,
@melroy@kbin.melroy.org avatar

Failed to execute child process: "calc.exe" (No such file or directory).. hehe

BearOfaTime ,

Wouldn’t it require elevation?

Yet another example of why running as root/admin is a Bad Idea©

IsThisAnAI , (edited )

Yes. The prompt asking you if you wanted to do it or not would come up next. Unless they figured out some sneaky way to do something to avoid using admin.

avidamoeba ,
@avidamoeba@lemmy.ca avatar

Deploy a user-level payload that is auto started on login. The computer is now part of the botnet and can already be used for useful ops. Deploy a privilege escalation payload later if needed.

dgriffith , (edited )

90% of users when they are presented with the UAC popup when they do something:

“Yes yes whateverrr” <click>

IsThisAnAI ,

🤷‍♂️ people are going to take the path of least resistance

groet ,

No, why would it? It will run code in the context of the current user which is absolutely enough to start a new process that will run in the background, download more code from a attacker server and allow remote access. The attacker will only have as much permissions as the user executing the code but that is enough to steal their files, run a keyloggers, steal their sessions for other websites etc.

They can try to escalate to the admin user, but when targeting private victims, all the data that is worth stealing is available to the user and does not require admin privs.

avidamoeba , (edited )
@avidamoeba@lemmy.ca avatar

Exactly. The moment you hit Enter, the computer becomes part of a botnet on every login.

Womble ,

https://lemmy.world/pictrs/image/73b90d70-568e-458e-aaad-93513caf72a9.png

Treczoks ,

Once you run something on windows, elevation is just a thing of using the right toolbox.

Bezier ,
@Bezier@suppo.fi avatar

That should be easy on windows, but user permissions might also be enough for whatever it does.

Kethal , (edited )

It seemed odd to me that a Web site could write to or read from the clipboard without the user approving it. That would be a pretty obvious security and privacy issue. From what I gather, on Chrome sites can write to the clipboard without approval, but they need approval to read. On Firefox and others any access requires permission. Thus this exploit seems limited to Chrome users.

@SkaveRat pointed out that it doesn’t require permission, only interaction. So likely there’s a button that’s clicked that writes to the clipboard, and most browsers are susceptible to this.

SkaveRat ,

not when there was a user intent like clicking a button.

For example in this screenshot, it’s likely that there’s only the “verify I’m human” button first, you click it, the steps pop up, and at the same time the command ist copied into your clipboard

MeatsOfRage , (edited )

Exactly, copy requires a click but there’s no rule that the copy button has to look like anything particular

lando55 , (edited )

Why isn’t the default behavior for browsers to not allow access to the clipboard? Similar to how it prompts you for access to camera/microphone

Edit: On a per-site basis, like if you use the Zoom website it asks you for access to the webcam, would something like this work for clipboard as well or would it break stuff?

madcaesar ,

The browser can’t access your clipboard contents without permission, but it can place text into the clipboard.

The problem is people the talking the copied text and pasting it into the command prompt.

lando55 ,

Yeah that’s what I’m curious about; I’m used to copying code snippets or codes from websites by clicking a button (presumably through some browser API?), but am just now realizing that this in itself has security implications.

Using noscript or some such JS blocker would prevent this but break a lot of other things in the process. That’s why I’m wondering why the API isn’t locked down via some user prompt.

schnurrito , (edited )

There is no inherent security problem with changing the content of the clipboard. That doesn’t do anything until the user pastes it somewhere; of course if that “somewhere” is a command prompt, then that is a security problem, but users really ought to check what they’re pasting there before they execute it (yeah, I know, “ought to”).

It would be possible to do it the way you say, but that would mean that the user would need to allow that for many websites; I don’t think copying from apps like Google Docs would work anymore, and “here’s your access token, click here to copy it to the clipboard” features certainly wouldn’t.

The screenshot in the OP would then probably be changed to include a step “click: allow clipboard access”; I think most people who fall for the screenshot in the OP would also fall for that.

MeatsOfRage ,

Exactly. Furthermore they’d probably just include it in those instructions “Step 1: when the box pops up with clipboard press allow”

  • All
  • Subscribed
  • Moderated
  • Favorites
  • [email protected]
  • random
  • lifeLocal
  • goranko
  • All magazines
    •