It seemed odd to me that a Web site could write to or read from the clipboard without the user approving it. That would be a pretty obvious security and privacy issue. From what I gather, on Chrome sites can write to the clipboard without approval, but they need approval to read. ~~On Firefox and others any access requires permission. Thus this exploit seems limited to Chrome users.~~

@SkaveRat pointed out that it doesn't require permission, only interaction. So likely there's a button that's clicked that writes to the clipboard, and most browsers are susceptible to this.

That's a sneaky one.

This is actually pretty smart because it switches the context of the action. Most intermediate users avoid clicking random executables by instinct but this is different enough that it doesn't immediately trigger that association and response.

This reminds of when I was 13 I used to tell my opponents in Warcraft 3 that pessing alt+q+q quickly reveals the map. It's a shortcut for closing the game. Worked way to many times

I do see this working

So inventive these guys. If only we could harness that ingenuity for the common good instead, it would have a huge impact.

I almost fell for an unrelated scam just a couple months ago. Basically, I was on vacation visiting family, had just gotten a new phone (w/ GrapheneOS, so it didn't have Google's network of spam detection), and was out and about at the time. Here's how it went down:

1. received text earlier that day saying that my CC was used for an unauthorized purchase (happens a couple times/year)
2. got a call from someone claiming to be my bank (not one of the popular chains like Chase or whatever)
3. caller asked me to verify myself through text code, and I didn't read the text message carefully and provided it (later inspection showed that it was a password reset code)
4. after going through some (fake) recent transactions, I told them they all sounded fraudulent (they were on the other side of the country)
5. they asked me to confirm myself again through another code to finalize, at which point I told them they don't need a second code since I already proved my identity, and they hung up

I immediately went to go reset my password and found I was locked out, so I called my bank. They confirmed that my account had been automatically locked for suspicion of fraud (good job!!) and confirmed what I suspected, the scammer had reset my password (first code) and was attempting to add an external account (second code). Had I given them that second code, they likely would have been able to submit the transfer and it would've been a giant headache to try to get that money back.

I didn't lose anything and I immediately improved the security on my account, but I felt like an idiot for letting them get that far. I had also recently consolidated my other accounts to this one, so this would've been a big blow. They changed my account numbers, I changed my username and password, and they held my account for a week or so to ensure everything was good. This bank is one of the few that actually cares about security, so I set up voice recognition (they said they track it anyway, this just turns on an extra feature) and Symantec VIP (I prefer my regular TOTP app, but they don't support that).

I don't think it'll happen to me again, but I was still surprised that I got so far through the process before recognizing that it's a scam. And I consider myself pretty security conscious (e.g. I use TOTP everywhere, password manager, keep credit bureaus frozen, etc). I guess they got my info from a breach somewhere because they knew my name, my username (to be fair, I used it everywhere), and the bank I use (could've gotten lucky). I have since changed most of my usernames to be random, so hopefully I'll be more safe going forward.

Anyway, stay on your guard, it can happen to you.

Kinda brilliant to disguise malware as a captcha, though. I won’t be surprised.

As someone tech literate that looks hilarious to follow through with.

But if not, that really does seem similar to a normal captcha with fairly simple steps.

Usually I warn my 81 year old dad about these scams. Don't think I need to worry about this one, he wouldn't be tech savvy enough to find the windows button

That’s so sassy I kinda respect it.

Too bad for those who fall for it.

Instructions were unclear, ransomware dev now owes me 0.15 bitcoin.

/s no I wouldn't actually implement it

That’s going to catch some people, especially older ones.

Wouldn't it require elevation?

Yet another example of why running as root/admin is a Bad Idea©

I cant believe they made captcha that only works on windows

its not working, my krunner bind is windows+d

I tried it and it's not working for me, my terminal is super+T and paste is Ctrl+Shift+V

ah, think this is like one of those survey scams.

I wish more people knew what Run... did, but the Ctrl + v should be a little more obvious. We need to teach more computer literacy if you don't immediately know that means you're copying text to something.

Especially on a shady site, mind you. But then again, this could be on a phishing email, so that's not always the case I guess. (I got one from "STARBUCKS" that Gmail didn't catch, their spam filter has been shit lately, blocking my work emails but letting through a lot of sus stuff).