{"id":2033,"date":"2025-02-20T21:13:50","date_gmt":"2025-02-20T21:13:50","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2033"},"modified":"2025-02-20T21:13:50","modified_gmt":"2025-02-20T21:13:50","slug":"fake-captcha-attacks-are-increasing-say-experts","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2033","title":{"rendered":"Fake captcha attacks are increasing, say experts"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Several cybersecurity firms have published alerts about threat actors fooling customer employees into downloading malware through fake captcha login verification pages.<\/p>\n<p>Captchas are those annoying tests that websites add to login routines to make sure users are real people and not automated bots. Making a user type in a random number shown in a popup, or click on a series of boxes that show specified pictures, is activity that a bot can\u2019t perform.<\/p>\n<p>But while defenders have been warned, threat actors continue to use fake captchas to spread malware, apparently because it\u2019s still a successful tactic.<\/p>\n<p>\u201cI expect we\u2019re going to continue to see this throughout the year,\u201d Ray Canzanese, director of Netskope Threat Labs, said in an interview Thursday. The goal, his company <a href=\"https:\/\/www.netskope.com\/blog\/lumma-stealer-fake-captchas-new-techniques-to-evade-detection\">said in a warning<\/a> published last month, is to spread Lumma Stealer information-stealing <a href=\"https:\/\/www.csoonline.com\/article\/565999\/what-is-malware-viruses-worms-trojans-and-beyond.html\">malware<\/a>.<\/p>\n<p>\u201cWe have seen more of these fake captchas every single day,\u201d he said. 
\u201cThere is not a weekday that goes by so far this year where we haven\u2019t seen someone who ends up on one of these fake pages. We\u2019re talking thousands of people in the month of January. I think we\u2019re going to top thousands in February as well.\u201d<\/p>\n<p>As for why it\u2019s still being used after CISOs have been alerted, Canzanese noted that threat actors don\u2019t have to be successful every time with a tactic \u2013 just often enough to make it worthwhile.<\/p>\n<p>Alex Caparo, a cyber threat intelligence analyst at ReliaQuest, said his firm <a href=\"https:\/\/www.reliaquest.com\/blog\/using-captcha-for-compromise\/\">put out a warning<\/a> in December because of the volume of incidents seen by customers. \u201cWe started seeing them in early September of 2024. Between October and early December we saw almost a 2X increase in these attacks in our environment \u2013 and a doubling again of that number since then,\u201d he said Thursday.<\/p>\n<p>In fact, he said, one of his firm\u2019s customers faced an attempt to use the fake captcha tactic earlier this week.<\/p>\n<p>It doesn\u2019t help, he added, that security researchers \u2013 some legitimate, some not \u2013 soon published templates on developer sites like GitHub that threat actors eagerly copied.<\/p>\n<h2 class=\"wp-block-heading\">How the scam works<\/h2>\n<p>Typically, the recent captcha scams try to trick an employee into copying and pasting a malicious script into their Windows PCs.<\/p>\n<p>It often starts with an employee getting an email or text from what looks like a trustworthy source asking them to go to a website related to their company\u2019s business. 
For example, the message to a developer may say, \u2018We have detected a security vulnerability in your repository,\u2019 and ask the target to click on a supposed GitHub link.<\/p>\n<p>However, an individual may also stumble across an infected website after doing an internet search for an application update or instruction manual.<\/p>\n<p>What happens next is the website throws up a box saying something like \u201cVerify You Are Human.\u201d But instead of asking the target to click on a series of photos or type in a number, the target is instructed to copy a [malicious] script or, in a more recent version of the scam, press the Windows key on their keyboard plus the letter R. That opens the Windows Run dialog. The target next has to press CTRL+V, which pastes the script into the Run dialog, and press Enter, executing it.<\/p>\n<p>A variation shows a window that pops up saying \u2018Verification Failed.\u2019 The user is told that, to solve the problem, they have to copy and execute a script or install a so-called root certificate.<\/p>\n<p>Sometimes the verification page is labelled \u201cCloudFlare,\u201d in hopes of convincing the target of the legitimacy of what they\u2019re being asked to do by using a trusted brand name.<\/p>\n<p>Whatever the ruse, the script itself is a malicious PowerShell command to contact a command-and-control server, which eventually sends the Lumma Stealer or other malware to the user\u2019s computer.<\/p>\n<p>In short, the goal is to get the employee to download the malware themselves, rather than the attacker putting it in place.<\/p>\n<p>\u201cWe have seen serious development [of the tactic] since September,\u201d said Michal Salat, head of threat intelligence at Gen Digital, owner of the Norton, Avast, AVG and other cybersecurity brands. \u201cOriginally it started with simple scripts, [and] continued with many different tactics to make it look more legitimate. 
Because it was fairly successful infecting people, more attack groups started using these techniques. We not only saw more sophistication, but also saw the spread to other malware strains or distribution chains.\u201d<\/p>\n<p>Gen Digital <a href=\"https:\/\/www.gendigital.com\/blog\/insights\/research\/global-surge-in-fake-captcha-attacks\">blogged about this tactic<\/a> last September.<\/p>\n<p>The latest trick is to change the script to be pasted from computer code \u2014 which might look suspicious \u2014 into a verification sentence with a smiley emoji or a checkmark, to dupe the user into thinking they\u2019re doing the right thing.<\/p>\n<h2 class=\"wp-block-heading\">Advice for CISOs<\/h2>\n<p>Canzanese and Caparo offer the following advice to CISOs to mitigate the threat:<\/p>\n<p>Include warnings of this tactic in regular employee security awareness training. In some ways, the advice to staff is simple: Always refuse requests to paste commands into your computer. And remind employees to tell their families to look out for this kind of scam. Consumers will encounter it when hunting for cracked\/hacked commercial software that they want to get for free, or while looking for YouTube tutorials.<\/p>\n<p>Monitor the use of PowerShell. In most organizations only a small number of employees should be allowed to access PowerShell.<\/p>\n<p>Windows administrators should restrict the use of the Windows Run command to only those who need it, says Caparo. Set up a group policy under User Configuration\/Administrative Templates\/Start Menu and Taskbar, and find the option that says \u201cRemove Run menu from Start Menu.\u201d <br \/>\u201cIf you apply that policy on non-administrator and non-development machines, it should stop regular users from being able to run malware using this specific technique,\u201d he said.<\/p>\n<p>Disable the ability of browsers on employee PCs to save passwords. 
ReliaQuest notes that this helps protect against infostealers that swallow up stored credentials.<\/p>\n<p>Enable phishing-resistant two-factor authentication in case credentials are stolen.<\/p>\n<p>Use an <a href=\"https:\/\/www.csoonline.com\/article\/653052\/how-to-pick-the-best-endpoint-detection-and-response-solution.html\">endpoint detection and response (EDR) solution<\/a> to detect malware and block malicious scripts.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Several cybersecurity firms have published alerts about threat actors fooling customer employees into downloading malware through fake captcha login verification pages. Captchas are those annoying tests that websites add to login routines to make sure users are real people and not automated bots. Making a user type in a random number shown in a popup, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2018,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2033","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2033"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2033"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2033\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2018"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route
=%2Fwp%2Fv2%2Fmedia&parent=2033"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2033"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2033"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}