Be careful.

pewgar_seemsimandroid , 1 hour ago

ah, think is like one of those survey scams.

ZILtoid1991 , 1 hour ago

Instructions were unclear, ransomware dev now owes me 0.15 bitcoin.

Binette , 2 hours ago

That is extremely hilarious

dan , 2 hours ago

Except for the fact that a lot of less tech savvy people will fall for it.

rickyrigatoni , 3 hours ago

diabolical

ghurab , 5 hours ago

This reminds of when I was 13 I used to tell my opponents in Warcraft 3 that pessing alt+q+q quickly reveals the map. It’s a shortcut for closing the game. Worked way to many times

I do see this working

TwanHE , 4 hours ago

ALT+F4 for free funds, opened alot of slots on bfh servers whenever my friends couldn’t join.

theangryseal , 3 hours ago

Haha, god I loved doing this on Counter-Strike. “Did you guys hear about the hidden tit pics in counter strike? No shit, hold alt and press f4 and it shows the best tits I’ve ever seen. I don’t know how game developers get away with this stuff.”

Half the lobby is gone, the other half is laughing.

thermal_shock , 2 hours ago

was funny when someone said “alt f4” and 3 people immediately leave LOL

pyre , 3 hours ago

also makes the victims self selecting, much like the deliberate spelling errors in scam mails.

bhamlin , 2 hours ago

We’d constantly get people by telling them holding alt and typing fax would get mirc to give them ops. Usually about a quarter of the channel would drop out.

lurch , 1 hour ago

btw if you want to try and hack me, my IP is 127.0.0.1

PM_Your_Nudes_Please , 37 minutes ago (edited 30 minutes ago)

Yeah, and you can dupe items in RuneScape by dropping them and pressing Alt+F4. Don’t worry, I’ll stand way over here to prove I’m not trying to steal it. If I try to pick up the item you’ll see me move, and you can just pick it up first.

_bcron , 27 minutes ago

The day of a new patch in WoW I said in general chat “wow, they finally put a confirmation when you type /gquit , crazy how long it took” and sit in town and watch peoples guild names disappear

sugar_in_your_tea , 5 hours ago

I almost fell for an unrelated scam just a couple months ago. Basically, I was on vacation visiting family, had just gotten a new phone (w/ GrapheneOS, so it didn’t have Google’s network of spam detection), and was out and about at the time. Here’s how it went down:

1. received text earlier that day saying that my CC was used for an unauthorized purchase (happens a couple times/year)
2. got a call from someone claiming to be my bank (not one of the popular chains like Chase or whatever)
3. caller asked me to verify myself through text code, and I didn’t read the text message carefully and provided it (later inspection showed that it was a password reset code)
4. after going through some (fake) recent transactions, I told them they all sounded fraudulent (they were on the other side of the country)
5. they asked me to confirm myself again through another code to finalize, at which point I told them they don’t need a second code since I already proved my identity, and they hung up

I immediately went to go reset my password and found I was locked out, so I called my bank. They confirmed that my account had been automatically locked for suspicion of fraud (good job!!) and confirmed what I suspected, the scammer had reset my password (first code) and was attempting to add an external account (second code). Had I given them that second code, they likely would have been able to submit the transfer and it would’ve been a giant headache to try to get that money back.

I didn’t lose anything and I immediately improved the security on my account, but I felt like an idiot for letting them get that far. I had also recently consolidated my other accounts to this one, so this would’ve been a big blow. They changed my account numbers, I changed my username and password, and they held my account for a week or so to ensure everything was good. This bank is one of the few that actually cares about security, so I set up voice recognition (they said they track it anyway, this just turns on an extra feature) and Symantec VIP (I prefer my regular TOTP app, but they don’t support that).

I don’t think it’ll happen to me again, but I was still surprised that I got so far through the process before recognizing that it’s a scam. And I consider myself pretty security conscious (e.g. I use TOTP everywhere, password manager, keep credit bureaus frozen, etc). I guess they got my info from a breach somewhere because they knew my name, my username (to be fair, I used it everywhere), and the bank I use (could’ve gotten lucky). I have since changed most of my usernames to be random, so hopefully I’ll be more safe going forward.

Anyway, stay on your guard, it can happen to you.

Telorand , 5 hours ago

The fact that many banks still don’t have at least app-based 2FA should be criminal.

LDerJim , 4 hours ago

How would that help in this case? “Sir, please accept the pop up from our app”

Telorand , 2 hours ago

I’m talking about TOTP in something like Bitwarden or Authy. You can still social engineer your way to getting a code, but a scammer would have to convince the user to reveal that secret, not just pretend to send a code.

LodeMike , 4 hours ago

Implementing the open source TOTP system would cost them money! They’ll rather keep paying SMS egress instead.

To be fair it’s probably way cheaper nowadays.

EngineerGaming , 3 hours ago

App-based would be bad, as bank apps are notoriously unfriendly to people who don’t own Google/Apple smartphones. Rather, a TOTP or Yubikey.

Telorand , 3 hours ago

That’s what I mean by app-based. Something like Authy or Google Authenticator, etc.

Appoxo , 1 hour ago

At least use Aegis ;-;

MonkeMischief , 1 hour ago

Thanks, I was about to suggest this too. Aegis is awesome. :) I can’t understand why most banks sms a code instead of using something like this. It’s insanity.

MystikIncarnate , 4 hours ago

Your story reminds me of something that my bank started doing. I got a robocall about something to do with my credit card, and the voice said to verify using x and y using my keypad, I think it was day/month/year of birth or something and I immediately noped out of the call. I hit all the wrong buttons until it got me to a person and I ripped them apart, and their supervisor for basically training their userbase to answer security questions given by an automatic voice on the other end of the line with no way to verify who is calling.

You can spoof your caller ID, you can get a text to speech robocall bot with DTMF recognition and just spam call a whole area where the bank operates and gather a bunch of personal information because it sounds just like the bank and there’s no way to prove who called.

What a crock of shit. It’s a security nightmare.

I did call my bank after at a known valid number, verified them as they verified me, and there was something going on, so the call was legit, and totally unacceptable.

These clowns want us to trust them completely, and give us no reason to do so, but they want us to bend over backwards to validate ourselves. Fuck that.

peopleproblems , 4 hours ago

Step 3 was your earliest big clue. You’ll never give that to a person. You’ll only ever be asked to enter it on the website it originated from.

That being said, the other commentors are right too.

bamboo , 2 hours ago

FWIW this isn’t always true. A few months ago, I needed to add an email to my Zelle account on Chase, and had to call them. I initiated the call and they did issue a text message verification to the phone number in my account while on the phone to confirm.

kungen , 35 minutes ago

Well, yeah, because they initiated the code to verify it was you who called them. Better than them asking your “security questions” or such. It’s a completely different situation if you got an incoming call who asks for that.

Gestrid , 1 hour ago (edited 1 hour ago)

Like the other guy said, it’s not always true.

For example, even when you’re physically in the store, a T-Mobile employee may require you to read back a code that their system texted to you for certain transactions like buying a new phone for someone on your account or something like that.

SGforce , 47 minutes ago

Negative. Had to do that to cancel a cell phone plan recently. They sent the text to my other phone while I was on the line with CSR. Though I agree it should have been possible on the website.

EngineerGaming , 3 hours ago

I think you should not feel like an idiot in this case. Just keep in mind that EVERYONE can fall for a scam, even the experts. The people who think they wouldn’t are themselves likely victims.

LiveLM , 2 hours ago

Pro-tip: Whenever you receive a call/text/email from “your bank” saying something is wrong, don’t interact!

Open their app/website or call them yourself to verify.

dan , 2 hours ago (edited 1 hour ago)

I set up voice recognition

This feature is extremely insecure now that there’s several AIs that can replicate voices. If a scammer calls you and you say a few words (like if you say “hello” and “sorry, I think you’ve got the wrong number”), a recording of that can be enough for them to replicate your voice.

This happened at my workplace. An attacker got into someone’s Schwab account by calling Schwab support and successfully getting past the voice verification, and nearly successfully transferred $100k (from a recent stock sale) out of their account. It took a bit of effort but they managed to get all the money back.

Schwab sent out a bulk email to everyone at my company saying they’re improving their security as a result, but I’m not sure if they’ve actually improved it. They’re still promoting this insecure feature.

MisterFrog , 1 hour ago

Honestly, good on you so much for sharing. The fact you’re not ashamed and willing to share could save someone from the same attack, and as others have pointed out, even the most security minded of us can have lapses in judgement.

I’m really glad you weren’t screwed in the end.

seth , 6 hours ago

Followed instructions but verification failed, seems like nothing happened except dick got stuck in toaster again. Using Arch, btw.

bhamlin , 2 hours ago

You have to pacman -S femboy first.

cmrn , 6 hours ago

As someone tech literate that looks hilarious to follow through with.

But if not, that really does seem similar to a normal captcha with fairly simple steps.

x00za , 6 hours ago

Anybody got more info on the actual payload?

powershell.exe -eC [payload_w_base64] is mentioned here.

-eC just means encoded command afaik.

purplemonkeymad , 3 hours ago

Seen this on the powershell subreddit before, it just downloads and runs another executable.

taiyang , 7 hours ago

I wish more people knew what Run… did, but the Ctrl + v should be a little more obvious. We need to teach more computer literacy if you don’t immediately know that means you’re copying text to something.

Especially on a shady site, mind you. But then again, this could be on a phishing email, so that’s not always the case I guess. (I got one from “STARBUCKS” that Gmail didn’t catch, their spam filter has been shit lately, blocking my work emails but letting through a lot of sus stuff).

Ghoelian , 3 hours ago

Yeah, all this behaviour leads to is more annoyances for the people who do know what they’re doing. People should really learn how the devices they use every day work, which includes stuff like the command prompt. Not necessarily how to use it, but at least what it is and what it can do.

BetaDoggo_ , 7 hours ago

This is actually pretty smart because it switches the context of the action. Most intermediate users avoid clicking random executables by instinct but this is different enough that it doesn’t immediately trigger that association and response.

kittenzrulz123 , 7 hours ago

Thats why on Linux you need to run the sudo command and type the root password (or user password) to install something. I get this isn’t Linux but its a serious security vulnerability that someone could run a super user level command by clicking yes on a confirmation box that pops up so often that nobody thinks twice.

dch82 , 7 hours ago

But something like this can still erase everything stored in your home folder or launch further exploits to gain root or something.

kittenzrulz123 , 7 hours ago

Its a lot harder and can do significantly less damage if it doesnt have root privileges, its like how putting a lock on the door to your house wont stop thieves but its better then not having one.

dch82 , 6 hours ago

Bruh, let’s say an attacker deleted all of my important documents, say book drafts, and assume I don’t have a backup.

Now my progress has been set back six months and the publisher is angry.

Would I care if they deleted my system files or not?

brucethemoose , 7 hours ago (edited 7 hours ago)

The behavior is configurable just like it is on linux, UAC can be set to require a password every time.

But I think its not set this way by default because many users don’t remember their passwords, lol. You think I’m kidding, you should meet my family…

Also, scripts can do plenty without elevation, on linux or Windows.

kittenzrulz123 , 7 hours ago

It should be default, its a good security practice and not every app needs super user permissions.

cley_faye , 7 hours ago

The goal is not always to “take control” of the whole system. A cryptolocker that makes all your files unreadable will happily run in user space.

Also, you’re forgetting that windows also have UAC, and that people will happily type the admin password of their device when asked to, because they’ve been conditioned to not care by badly made stuff. And, while win+r is unlikely to work in most Linux DE I know about, triggering a visual prompt that ask for your password is also a thing.

There is not much difference between common Linux distro and windows as far as seizing user files with malware is concerned, aside from the fact that no website will care to try telling you “press alt+space” instead of “win+r”.

Honytawk , 6 hours ago (edited 6 hours ago)

If Linux was more popular, you would definitely see a Linux variant of this doing the exact same thing.

aniki , 5 hours ago

(Citation needed)

theterrasque , 8 minutes ago

The only issue I see with targeting Linux is the sheer variety of Desktop setups. Finding one keyboard shortcut and payload that will work on even just the majority of distros would be a challenge.

cmnybo , 5 hours ago

You don’t need root access to steal all of the data that your user account has access to.

QuadratureSurfer , 7 hours ago

Just reported by Mohamed Aruham on Twitter

The oldest tweets I could find that actually started reporting this are from ~16 days ago.

x.com/Piotrdotcom/status/1829126494574067992

They reference a page here that was posted on Aug 29th.

niebezpiecznik.pl/…/uwazajcie-na-takie-captcha/

Tylerdurdon , 8 hours ago

So inventive these guys. If only we could harness that ingenuity for the common good instead, it would have a huge impact.

CosmicTurtle0 , 7 hours ago

Fwiw there are a large number of people who volunteer their time and effort toward worthwhile projects. It’s just they don’t get rewarded anywhere near the level of benefit that they provide.

sugar_in_your_tea , 6 hours ago

Yup, I used to do that as a hobby, but now that I have kids, I just don’t have the time. There’s no way I could do it full-time, so I have a regular 9-5 that pays reasonably well for a cause I don’t hate. For me, that’s enough.

I hope I can make enough at my day job to go back to working on FOSS projects before I lose my ability to write competent software.

CosmicTurtle0 , 5 hours ago

When you look at the value proposition purely from a capitalistic standpoint, I get why scammers and black hats exist. I just wish they could point their weapons toward the 1% and pull something similar to a Mr. Robot and redistribute their wealth.

slaacaa , 7 hours ago

https://lemmy.world/pictrs/image/540fb3cc-371d-407c-a0c4-6012b6b5fdfa.jpeg

XeroxCool , 4 hours ago

What’s the plagiarism machine, AI/LLM chatbots?

snekmuffin , 4 hours ago

mhm

Krzd , 4 hours ago

Yes

theterrasque , 19 minutes ago

The printing press, of course

explodicle , 4 hours ago

I can’t even download and run the first two, those are business innovations! 🤮

Neon , 3 hours ago

Uber

Airbnb

Bitcoin?

LLMs?

theterrasque , 19 minutes ago

Last two are clearly “US dollars” and “printing press”

GraniteM , 6 hours ago

“To prove that you are human, donate $$$ to Doctors Without Borders.”

“To prove that you are human, register to vote.”

“To prove that you are human, adopt a pet from the local animal shelter.”

OutlierBlue , 5 hours ago

“To prove that you are human, adopt a pet from the local animal shelter.”

I’ve got 22 cats already, but I need to check my email!

GraniteM , 4 hours ago

PLEASE ADOPT VERIFICATION CAT TO CONTINUE

zephorah , 8 hours ago

That’s going to catch some people, especially older ones.

Rhaedas , 7 hours ago

Yet if I was helping my elders over the phone, I'd get all sorts of "What Windows key?", "I can't find that Control key", or "I did that key, the plus key, and then my hand slipped and I minimized everything."