It seemed odd to me that a Web site could write to or read from the clipboard without the user approving it. That would be a pretty obvious security and privacy issue. From what I gather, on Chrome sites can write to the clipboard without approval, but they need approval to read. ~~On Firefox and others any access requires permission. Thus this exploit seems limited to Chrome users.~~

@SkaveRat pointed out that it doesn't require permission, only interaction. So likely there's a button that's clicked that writes to the clipboard, and most browsers are susceptible to this.

This reminds of when I was 13 I used to tell my opponents in Warcraft 3 that pessing alt+q+q quickly reveals the map. It's a shortcut for closing the game. Worked way to many times

I do see this working

This is actually pretty smart because it switches the context of the action. Most intermediate users avoid clicking random executables by instinct but this is different enough that it doesn't immediately trigger that association and response.

That's a sneaky one.

Followed instructions but verification failed, seems like nothing happened except dick got stuck in toaster again. Using Arch, btw.

Kinda brilliant to disguise malware as a captcha, though. I won’t be surprised.

We now need a "verify you are a captcha" mechanism to counter this.

That’s so sassy I kinda respect it.

Too bad for those who fall for it.

Usually I warn my 81 year old dad about these scams. Don't think I need to worry about this one, he wouldn't be tech savvy enough to find the windows button

I almost fell for an unrelated scam just a couple months ago. Basically, I was on vacation visiting family, had just gotten a new phone (w/ GrapheneOS, so it didn't have Google's network of spam detection), and was out and about at the time. Here's how it went down:

1. received text earlier that day saying that my CC was used for an unauthorized purchase (happens a couple times/year)
2. got a call from someone claiming to be my bank (not one of the popular chains like Chase or whatever)
3. caller asked me to verify myself through text code, and I didn't read the text message carefully and provided it (later inspection showed that it was a password reset code)
4. after going through some (fake) recent transactions, I told them they all sounded fraudulent (they were on the other side of the country)
5. they asked me to confirm myself again through another code to finalize, at which point I told them they don't need a second code since I already proved my identity, and they hung up

I immediately went to go reset my password and found I was locked out, so I called my bank. They confirmed that my account had been automatically locked for suspicion of fraud (good job!!) and confirmed what I suspected, the scammer had reset my password (first code) and was attempting to add an external account (second code). Had I given them that second code, they likely would have been able to submit the transfer and it would've been a giant headache to try to get that money back.

I didn't lose anything and I immediately improved the security on my account, but I felt like an idiot for letting them get that far. I had also recently consolidated my other accounts to this one, so this would've been a big blow. They changed my account numbers, I changed my username and password, and they held my account for a week or so to ensure everything was good. This bank is one of the few that actually cares about security, so I set up voice recognition (they said they track it anyway, this just turns on an extra feature) and Symantec VIP (I prefer my regular TOTP app, but they don't support that).

I don't think it'll happen to me again, but I was still surprised that I got so far through the process before recognizing that it's a scam. And I consider myself pretty security conscious (e.g. I use TOTP everywhere, password manager, keep credit bureaus frozen, etc). I guess they got my info from a breach somewhere because they knew my name, my username (to be fair, I used it everywhere), and the bank I use (could've gotten lucky). I have since changed most of my usernames to be random, so hopefully I'll be more safe going forward.

Anyway, stay on your guard, it can happen to you.

So inventive these guys. If only we could harness that ingenuity for the common good instead, it would have a huge impact.

/s no I wouldn't actually implement it

I cant believe they made captcha that only works on windows

As someone tech literate that looks hilarious to follow through with.

But if not, that really does seem similar to a normal captcha with fairly simple steps.

Instructions were unclear, ransomware dev now owes me 0.15 bitcoin.

That is extremely hilarious

Ok, that is kind of clever.

Though I suppose even the dumbest user will chicken out once the terminal pops out.

I tried it and it's not working for me, my terminal is super+T and paste is Ctrl+Shift+V

diabolical

Anybody got more info on the actual payload?

powershell.exe -eC [payload_w_base64] is mentioned here.

-eC just means encoded command afaik.

its not working, my krunner bind is windows+d

That’s going to catch some people, especially older ones.

ah, think this is like one of those survey scams.