It seemed odd to me that a Web site could write to or read from the clipboard without the user approving it. That would be a pretty obvious security and privacy issue. From what I gather, on Chrome sites can write to the clipboard without approval, but they need approval to read.
On Firefox and others any access requires permission. Thus this exploit seems limited to Chrome users.@SkaveRat pointed out that it doesn't require permission, only interaction. So likely there's a button that's clicked that writes to the clipboard, and most browsers are susceptible to this.
This is actually pretty smart because it switches the context of the action. Most intermediate users avoid clicking random executables by instinct but this is different enough that it doesn't immediately trigger that association and response.
I almost fell for an unrelated scam just a couple months ago. Basically, I was on vacation visiting family, had just gotten a new phone (w/ GrapheneOS, so it didn't have Google's network of spam detection), and was out and about at the time. Here's how it went down:
- received text earlier that day saying that my CC was used for an unauthorized purchase (happens a couple times/year)
- got a call from someone claiming to be my bank (not one of the popular chains like Chase or whatever)
- caller asked me to verify myself through text code, and I didn't read the text message carefully and provided it (later inspection showed that it was a password reset code)
- after going through some (fake) recent transactions, I told them they all sounded fraudulent (they were on the other side of the country)
- they asked me to confirm myself again through another code to finalize, at which point I told them they don't need a second code since I already proved my identity, and they hung up
I immediately went to go reset my password and found I was locked out, so I called my bank. They confirmed that my account had been automatically locked for suspicion of fraud (good job!!) and confirmed what I suspected, the scammer had reset my password (first code) and was attempting to add an external account (second code). Had I given them that second code, they likely would have been able to submit the transfer and it would've been a giant headache to try to get that money back.
I didn't lose anything and I immediately improved the security on my account, but I felt like an idiot for letting them get that far. I had also recently consolidated my other accounts to this one, so this would've been a big blow. They changed my account numbers, I changed my username and password, and they held my account for a week or so to ensure everything was good. This bank is one of the few that actually cares about security, so I set up voice recognition (they said they track it anyway, this just turns on an extra feature) and Symantec VIP (I prefer my regular TOTP app, but they don't support that).
I don't think it'll happen to me again, but I was still surprised that I got so far through the process before recognizing that it's a scam. And I consider myself pretty security conscious (e.g. I use TOTP everywhere, password manager, keep credit bureaus frozen, etc). I guess they got my info from a breach somewhere because they knew my name, my username (to be fair, I used it everywhere), and the bank I use (could've gotten lucky). I have since changed most of my usernames to be random, so hopefully I'll be more safe going forward.
Anyway, stay on your guard, it can happen to you.
As someone tech literate that looks hilarious to follow through with.
But if not, that really does seem similar to a normal captcha with fairly simple steps.
Kinda brilliant to disguise malware as a captcha, though. I won’t be surprised.
That’s so sassy I kinda respect it.
Too bad for those who fall for it.
Instructions were unclear, ransomware dev now owes me 0.15 bitcoin.
Anybody got more info on the actual payload?
powershell.exe -eC [payload_w_base64]is mentioned here.-eCjust means encoded command afaik.diabolical
We now need a "verify you are a captcha" mechanism to counter this.
ah, think this is like one of those survey scams.
I wish more people knew what Run... did, but the Ctrl + v should be a little more obvious. We need to teach more computer literacy if you don't immediately know that means you're copying text to something.
Especially on a shady site, mind you. But then again, this could be on a phishing email, so that's not always the case I guess. (I got one from "STARBUCKS" that Gmail didn't catch, their spam filter has been shit lately, blocking my work emails but letting through a lot of sus stuff).
Just reported by Mohamed Aruham on Twitter
The oldest tweets I could find that actually started reporting this are from ~16 days ago.
https://x.com/Piotrdotcom/status/1829126494574067992
They reference a page here that was posted on Aug 29th.
General rule of thumb for me to interact with a website and read or watch whatever I want .... if you require me to do more than two things to show me the content I came to see, I'm closing the tab or windows and moving on.
If it's really important and security related, I'll take my time and carefully examine everything I do.
Otherwise I'm not clicking more than twice and definitely not using my keyboard to see your dumb website or TikTok video.
Failed to execute child process: "calc.exe" (No such file or directory).. hehe
Thats why on Linux you need to run the sudo command and type the root password (or user password) to install something. I get this isn't Linux but its a serious security vulnerability that someone could run a super user level command by clicking yes on a confirmation box that pops up so often that nobody thinks twice.
