This reminds of when I was 13 I used to tell my opponents in Warcraft 3 that pessing alt+q+q quickly reveals the map. It’s a shortcut for closing the game. Worked way to many times
I do see this working
We’d constantly get people by telling them holding alt and typing fax would get mirc to give them ops. Usually about a quarter of the channel would drop out.
ALT+F4 for free funds, opened alot of slots on bfh servers whenever my friends couldn’t join.
Haha, god I loved doing this on Counter-Strike. “Did you guys hear about the hidden tit pics in counter strike? No shit, hold alt and press f4 and it shows the best tits I’ve ever seen. I don’t know how game developers get away with this stuff.”
Half the lobby is gone, the other half is laughing.
was funny when someone said “alt f4” and 3 people immediately leave LOL
/disco mode on
Yeah, and you can dupe items in RuneScape by dropping them and pressing Alt+F4. Don’t worry, I’ll stand way over here to prove I’m not trying to steal it. If I try to pick up the item you’ll see me move, and you can just pick it up first.
The day of a new patch in WoW I said in general chat “wow, they finally put a confirmation when you type /gquit , crazy how long it took” and sit in town and watch peoples guild names disappear
“Cheat Enabled.”
btw if you want to try and hack me, my IP is 127.0.0.1
Don’t have to tell me, I just tried summoning quillbeasts while looking at health bars
also makes the victims self selecting, much like the deliberate spelling errors in scam mails.
That is extremely hilarious
Except for the fact that a lot of less tech savvy people will fall for it.
As someone tech literate that looks hilarious to follow through with.
But if not, that really does seem similar to a normal captcha with fairly simple steps.
That’s a sneaky one.
You’re probably sarcastic but
paste this random line in the run prompt (or what’s it called) and run it
sneaky
Hmm
It opens the run dialog, which I’m sure the vast majority of Windows users have never heard of. This would trick a lot of people who just trust whatever their computer asks them to do.
It’s not sneaky, it’s just people are morons and fall for the simplest shit
Not everyone knows everything. Actually, nobody does.
Computers simply became an easily available necessity, thus you get a lot of computer-illiterate people using computers.
Perhaps it would’ve been fairer to say that they’re morons when it comes to computers
Fairer to call at least 80% of people morons because they don’t know one specific computer feature that is mainly used just by IT people?
Seems like the only moron here is you.
Of course it’s fairer. Before it meant that they’re all around idiots. Now it just says they’re idiots when it comes to computers. There might be aspects they’re not idiots in, but if they’re running random commands, computers isn’t one of them.
Seems like the only moron here is you.
Not when it comes to computers but in some other things for sure
Not morons, just not educated enough about them to understand exactly what the implications of that action are.
You’ve got to remember that these are just simple computer users. These are people of the land. The common clay of the new West.
Are you by chance running Arch btw?
Hah, I used to
Kinda like you when it comes to social interaction?
Oh snap!
Please show some empathy for those who are not as tech literate as you are. Elitism doesn’t look good on you, friend.
I’m not very concerned about looks
It seemed odd to me that a Web site could write to or read from the clipboard without the user approving it. That would be a pretty obvious security and privacy issue. From what I gather, on Chrome sites can write to the clipboard without approval, but they need approval to read.
On Firefox and others any access requires permission. Thus this exploit seems limited to Chrome users.@SkaveRat pointed out that it doesn’t require permission, only interaction. So likely there’s a button that’s clicked that writes to the clipboard, and most browsers are susceptible to this.
It seemed odd to me that a Web site could write to or read from the clipboard without the user approving it
Yeah, that’s a security hole that I hadn’t been aware of.
not when there was a user intent like clicking a button.
For example in this screenshot, it’s likely that there’s only the “verify I’m human” button first, you click it, the steps pop up, and at the same time the command ist copied into your clipboard
Why isn’t the default behavior for browsers to not allow access to the clipboard? Similar to how it prompts you for access to camera/microphone
Edit: On a per-site basis, like if you use the Zoom website it asks you for access to the webcam, would something like this work for clipboard as well or would it break stuff?
The browser can’t access your clipboard contents without permission, but it can place text into the clipboard.
The problem is people the talking the copied text and pasting it into the command prompt.
Yeah that’s what I’m curious about; I’m used to copying code snippets or codes from websites by clicking a button (presumably through some browser API?), but am just now realizing that this in itself has security implications.
Using noscript or some such JS blocker would prevent this but break a lot of other things in the process. That’s why I’m wondering why the API isn’t locked down via some user prompt.
In Firefox, you can disable the clipboard events. I’ve done this for the rare case of me copy+pasting a password and forgetting to clear the clipboard after.
On Android, I’ve noticed that it’s possible for apps to read from the clipboard, to read OTP tokens for example. Since I noticed that a while back, I’ve always been wary of the clipboard on any device I’ve used.
but it can place text into the clipboard.
Only as the result of a user interaction, for example by pressing a button.
From the Browser’s viewpoint, would there be any difference if the webpage has a JS button to put something in the clipboard, or it having code running in the background that puts things into the clipboard at page load?
It’s not like there’s that much of a difference, as far as the Browser is concerned.
would there be any difference if the webpage has a JS button to put something in the clipboard, or it having code running in the background that puts things into the clipboard at page load?
Clicking a button shows user intent, whereas a page load doesn’t. No user expects loading a page to overwrite their clipboard, but every user that clicks a “Copy to Clipboard” button does expect it.
There is no inherent security problem with changing the content of the clipboard. That doesn’t do anything until the user pastes it somewhere; of course if that “somewhere” is a command prompt, then that is a security problem, but users really ought to check what they’re pasting there before they execute it (yeah, I know, “ought to”).
It would be possible to do it the way you say, but that would mean that the user would need to allow that for many websites; I don’t think copying from apps like Google Docs would work anymore, and “here’s your access token, click here to copy it to the clipboard” features certainly wouldn’t.
The screenshot in the OP would then probably be changed to include a step “click: allow clipboard access”; I think most people who fall for the screenshot in the OP would also fall for that.
Exactly. Furthermore they’d probably just include it in those instructions “Step 1: when the box pops up with clipboard press allow”
Exactly, copy requires a click but there’s no rule that the copy button has to look like anything particular
It doesn’t necessarily need a click - it can be triggered by a keypress too (eg at my workplace we have a few internal pages where you can press a keyboard shortcut to copy a shortened URL for the current page).
It has to be something the browser considers a user interaction, meaning the user has expressed an intent to perform the action. That’s usually a button press or keypress.
deleted by creator
You have to
pacman -S femboyfirst.
Instructions were unclear, ransomware dev now owes me 0.15 bitcoin.
Wouldn’t it require elevation?
Yet another example of why running as root/admin is a Bad Idea©
No, why would it? It will run code in the context of the current user which is absolutely enough to start a new process that will run in the background, download more code from a attacker server and allow remote access. The attacker will only have as much permissions as the user executing the code but that is enough to steal their files, run a keyloggers, steal their sessions for other websites etc.
They can try to escalate to the admin user, but when targeting private victims, all the data that is worth stealing is available to the user and does not require admin privs.
Exactly. The moment you hit Enter, the computer becomes part of a botnet on every login.
This here. The most important thing on your computer are all your session cookies, which are, well, accessible with permissions your user account already has.
Dudes don’t care about making your shit into a botnet, or putting a rootkit in your firmware, or whatever other technically complex thing you care to think about: they’re there to steal your shit, and the most valuable shit you have is sitting there out in the open for the taking for anyone who makes it past a very very low bar of ‘make the user do something stupid’.
Once you run something on windows, elevation is just a thing of using the right toolbox.
That should be easy on windows, but user permissions might also be enough for whatever it does.
Yes. The prompt asking you if you wanted to do it or not would come up next. Unless they figured out some sneaky way to do something to avoid using admin.
90% of users when they are presented with the UAC popup when they do something:
“Yes yes whateverrr” <click>
🤷♂️ people are going to take the path of least resistance
It would be trivial to add a “please click ‘yes’ to the UAC prompt to allow verification” screen, so that isn’t really going to stop anyone.
I’ve seen a bit of office malware in the past that did that, where it had a bunch of images instructing you to enable macros and that.
Deploy a user-level payload that is auto started on login. The computer is now part of the botnet and can already be used for useful ops. Deploy a privilege escalation payload later if needed.
Anybody got more info on the actual payload?
powershell.exe -eC [payload_w_base64]is mentioned here.-eCjust means encoded command afaik.Deep analysis here https://denwp.com/anatomy-of-a-lumma-stealer
Thanks for sharing.
I also added that website to my RSS reader.
Same
Seen this on the powershell subreddit before, it just downloads and runs another executable.
deleted by creator
deleted by creator
ah, think this is like one of those survey scams.
I cant believe they made captcha that only works on windows
You (probably) wouldn’t see this page unless you were on Windows
I think more and more browsers are spoofing their UA to pretend that you’re using windows, for fingerprinting resistance
I wish more people knew what Run… did, but the Ctrl + v should be a little more obvious. We need to teach more computer literacy if you don’t immediately know that means you’re copying text to something.
Especially on a shady site, mind you. But then again, this could be on a phishing email, so that’s not always the case I guess. (I got one from “STARBUCKS” that Gmail didn’t catch, their spam filter has been shit lately, blocking my work emails but letting through a lot of sus stuff).
Yeah, all this behaviour leads to is more annoyances for the people who do know what they’re doing. People should really learn how the devices they use every day work, which includes stuff like the command prompt. Not necessarily how to use it, but at least what it is and what it can do.
Could have been sneakier perhaps if it said Shift+Insert instead of Ctrl+V.
its not working, my krunner bind is windows+d
Why not Alt+F2?
I have fn lock on for volume and brightness, so that becomes Alt+FN+F2
Failed to execute child process: “calc.exe” (No such file or directory)… hehe
