We’re more likely to trust a website if it has a CAPTCHA, because it gives the site an air of professionalism. Unfortunately, bad actors know this and have built fake CAPTCHAs that trick you into infecting your own PC with malware.
How Malicious Agents Are Using CAPTCHAs in the Real World
As reported by McAfee, scammers are now using CAPTCHAs against people by adding them to malicious websites. When someone goes to use the website, the fake CAPTCHA pops up, making the user believe they’ve entered a safe and secure website.
In the example McAfee analyzed, the attack begins when someone searches Google for a way to pirate a video game. They may be looking for a crack or for the full game executable itself. Either way, the scammer sets up a website that claims to have what the user wants but is actually built to drop malware onto the victim’s PC. This is one of the real security dangers of downloading pirated games.
When the victim visits the malicious site, it shows them a fake CAPTCHA. It looks very similar to the CAPTCHAs on legitimate websites, so there’s a good chance it doesn’t set off any alarm bells. When the user tries to verify themselves, the website tells them they must perform one more step to gain access. It simply instructs them to press Win + R, then CTRL + V, and finally Enter.
This seems like a strange list of instructions, but there’s a reason the site asks for exactly these keystrokes. When the user clicks the CAPTCHA’s “I’m not a robot” button, the website copies a malicious PowerShell command onto their clipboard. The command can’t run on its own, so the website tells the user to press Win + R to open the Run dialog, CTRL + V to paste the malicious command into it, and Enter to execute it.
Because the download is performed by PowerShell, a trusted system tool that the user launched themselves, the malware can easily slip past the antivirus and other security checks set up on the PC. The command downloads Lumma Stealer, which then begins stealing personal information from the victim’s device.
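The tell-tale trace of this trick is a PowerShell command sitting in the Run dialog’s history (the RunMRU registry key) or waiting on the clipboard. The following audit script is an added example written for this article, not code from McAfee’s report; it assumes Windows PowerShell 5.1 or later and reads only, it never runs anything it finds. The indicator patterns are the example author’s own choice, so tune them for your environment.

```powershell
# Audit the Run-dialog history and the current clipboard for the pattern
# described above: PowerShell launched from the Run box with flags that hide
# its window, encode its payload, or fetch and execute content from the web.
$runMruKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Indicator regexes (case-insensitive in PowerShell). Chosen for this example;
# a real deployment would tune them against known-good admin activity.
$indicators = @(
    'powershell|pwsh',                                       # PowerShell itself
    '-w(indowstyle)?\s+h',                                   # -WindowStyle Hidden
    '-e(nc|ncodedcommand)?\s',                               # -EncodedCommand
    'iex|invoke-expression',                                 # execute fetched text
    'iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring' # fetch from web
)

function Test-SuspiciousCommand {
    param([string]$Command)
    $hits = @($indicators | Where-Object { $Command -match $_ })
    # PowerShell alone in the Run box is unusual but not damning; require
    # PowerShell plus at least one hide/encode/download indicator.
    return ($Command -match 'powershell|pwsh') -and ($hits.Count -ge 2)
}

function Get-RunMruHistory {
    if (-not (Test-Path $runMruKey)) { return @() }
    $key   = Get-ItemProperty -Path $runMruKey
    $order = [string]$key.MRUList            # e.g. "cba": most recent first
    foreach ($letter in $order.ToCharArray()) {
        $name = [string]$letter
        $raw  = [string]$key.$name
        $raw -replace '\\1$', ''             # entries are stored as "<command>\1"
    }
}

Write-Host "Run-dialog history (most recent first):"
foreach ($cmd in Get-RunMruHistory) {
    $flag = if (Test-SuspiciousCommand $cmd) { '[SUSPICIOUS]' } else { '[ok]' }
    Write-Host "  $flag $cmd"
}

# What would be pasted right now if the user followed the "CTRL + V" step?
$clip = Get-Clipboard -Raw -ErrorAction SilentlyContinue
if ($clip -and (Test-SuspiciousCommand $clip)) {
    Write-Warning "Clipboard holds a command matching the fake-CAPTCHA pattern; do not paste it into Run."
}
```

Any entry flagged in the history means the keystrokes have already been followed on that account, so treat it as an incident trigger rather than a warning.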
How to Avoid the CAPTCHA Trick
The best way to avoid this trick is to never blindly trust a security measure. Always take into account the website you’re on and the context of the security tool before you follow any instructions; it may be trying to lead you astray.
At the very least, a CAPTCHA will never ask you to download a file or run a command on your PC. If a legitimate CAPTCHA wants further verification, it will usually give you a puzzle—you’ve likely already seen the ones where you pick the images that contain a bus or slide a puzzle piece into place. If a CAPTCHA asks you to do anything on your PC itself, there’s a very good chance it’s malicious.
With scammers always trying to find ways to sneak their malware onto your system, there’s no end to the tricky tactics they’ll use to fool you. Keep an eye out for bad CAPTCHAs and you should be safe from this nasty attack.