CAPTCHAs, or Completely Automated Public Turing tests, are widely used online to verify that users are human rather than bots.
They typically present challenges like “distorted text,” “image recognition tasks,” or “audio prompts” that require human cognitive skills to solve.
Recently, cybersecurity analysts at SecureWorks warned of fake verify you are a human request that delivers malware.
In September 2024, Secureworks incident responders uncovered two cases where users searching Google for video streaming services were directed to malicious websites.
One victim searched for sports streaming sites, while another looked for movie streaming options.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration
Both were redirected to a deceptive URL that prompted them to prove they were human by pressing specific key combinations:-
- “Windows + R” to open the Run menu
- CTRL + V” to paste an encoded PowerShell command
- “Enter” to execute it
This action triggered the download of a ZIP archive containing malware, which was extracted to AppDataLocalTempfileSetup.exe on the victim’s computer.
The malware then executed additional tools, including a renamed BitTorrent application (StrCmp.exe) and a Windows utility called Search Indexer.
SecureWorks CTU researchers identified that this attack method was used to deploy information-stealing malware, specifically variants known as Vidar and StealC, which are designed to harvest sensitive data from infected systems.
This cyber attack poses a significant risk by evading the “browser security controls,” and they do so by exploiting a “fake human verification” prompt to open a command prompt on the victim’s computer.
The attacker then directs the user to execute unauthorized code, and also deploy malware like the “LummaC2 infostealer.”
This global campaign has been noted in other regions, such as the Middle East, Australia, and France, with reports occurring from May 2024 to September 2024.
The use of infostealers has increased since 2023, especially by cybercriminals targeting several credentials for different services and the company networks.
The purchased accounts, stolen user accounts, and passwords appear on black markets such as ‘Russian Market’ on the internet like “hot-cakes” from the moment they are collected.
Organizations should be particularly cautious about employees using corporate systems to access streaming services or other high-risk content, as these may be targeted by phishing campaigns leveraging this attack method.
Recommendations
To mitigate this threat, cybersecurity experts recommend:-
- Implement strict browsing policies.
- Conduct regular social engineering training.
- Make sure to use web proxies.
- Employ available security controls to restrict access.
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try It for Free