Don’t Complete Captcha Test: New Windows Password Theft Warning

UPDATE, January 28, 2025: This story, first published on January 27, has been updated with an additional mitigation recommendation to help prevent further victims of the latest CAPTCHA hack attack.

With password theft hack attacks firmly in the threat actor crosshairs, and those cybercriminals coming up with ever more cunning attack methods to help them, this latest warning from security experts needs to be taken very seriously indeed by Windows users. Those CAPTCHA tests to prove you are human and not a bot are not only annoying as heck, but they can be dangerous. Here’s why you must not complete this particular CAPTCHA test if it is presented to you.

The use of CAPTCHA checks (Completely Automated Public Turing test to tell Computers and Humans Apart, in case you’ve wondered) by threat actors is not new; on October 26, 2024, I reported how a Russian hacking group targeted Ukrainian victims using a malicious version of the Google reCAPTCHA “I’m not a robot” dialog.

At the time, I said that technology such as Apple’s server-based automatic verification system to bypass completing CAPTCHA tests manually for iOS users, along with a propensity towards using browser extensions that also help to defeat the things, meant that fewer are seen day to day. The problem being that fewer and none are not the same thing, and when confronted with a CAPTCHA we are likely more inclined to complete it as quickly as possible and move on to wherever we were trying to get. Especially when you consider that the anti-bot mechanism itself, partly now because it isn’t seen so often, has become cloaked in even more trust than when we faced them every five minutes.

The new warning comes from Leandro Fróes, a senior threat research engineer at Netskope Threat Labs, and confirms a new threat campaign delivering Lumma Stealer malware capable of stealing passwords and other sensitive data. “The campaign is global,” said Fróes, pointing to victims in “Argentina, Colombia, the United States, the Philippines and other countries of the world.” Nor is it limited to a single commercial sector, with healthcare, banking, marketing and the telecommunications industry all among those targeted so far.

The findings of the Netskope Threat Labs report were:

With it being Data Privacy Week, Matt Cooke, a cybersecurity strategist at Proofpoint, has reminded us that data doesn’t lose itself, but rather a majority of data loss originates with people. This new CAPTCHA campaign is a cautionary tale of how this reliance on persuading people to do things they really shouldn’t works in favor of the attacker. Victim blaming is not something I am in the habit of doing, as I’m not sure what it achieves other than turning people against the security community, which is as counter-productive as it gets. However, according to Cooke, his internal statistics show that “39% of U.K. organizations suffered a loss of sensitive data in the past 12 months, with 69% of European CISOs agreeing that employees were responsible for these incidents due to risky actions such as misdirecting emails, clicking phishing links, installing unauthorized software, and emailing sensitive data to a personal account.” Those numbers are hard to ignore, but for me, they mean that the system is failing and not the individual: we must all do better, in other words. What is required, Cooke said, is that “a human-centric approach to data security is needed to effectively respond,” and this should bring together “an understanding of data classification, user intent and threat context,” which is applied consistently across all communications channels. That, I’ll admit, is something I cannot argue against. However, there are also some immediate mitigations that don’t require such a strategic change to help prevent the ongoing CAPTCHA attacks.

In the current campaign, the fake CAPTCHA instructs the user to open the Windows Run window by pressing Windows+R, paste the clipboard’s content into the Run window using CTRL+V, and then press ENTER to execute it. “This specific sequence is essential for the successful execution of the next stage,” Fróes said, “and it only works in Windows environments.” Which brings me to the most apparent mitigation: ask yourself when you have ever been asked to do something like that before when completing a CAPTCHA. Seriously, don’t be that trusting. Not all threats require sophisticated AI-driven attack methods; most still just use trickery to get you infected. Take your time, think about what you are being asked to do, and make a sensible decision.
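For defenders who want to check whether anyone has already followed a Windows+R, CTRL+V, ENTER prompt, here is an added example (my own, not code from the article or from Netskope) that audits the Run dialog history Explorer keeps in the RunMRU registry key and, as an optional mitigation, applies the Explorer NoRun policy to block the Run dialog for the current user. The indicator patterns are assumed, generic signs of a pasted script or download command, not indicators taken from this specific campaign.

```powershell
# Added example, not from the article: audit the Run-dialog history (RunMRU)
# for commands consistent with a paste-and-run lure, and optionally disable Win+R.
# The pattern list is an assumption (generic script hosts, download cradles,
# encoded commands), not indicators published for this campaign.

function Get-SuspiciousRunHistory {
    [CmdletBinding()]
    param(
        [string]$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
        [string[]]$Patterns = @('mshta', 'powershell', 'pwsh', 'cmd(\.exe)?\s', 'wscript',
                                'cscript', 'rundll32', 'regsvr32', 'curl', 'bitsadmin',
                                'certutil', 'https?://', '\s-e(nc|ncodedcommand)?\s',
                                '\biex\b', 'invoke-expression', 'downloadstring')
    )
    if (-not (Test-Path $RunMruPath)) { return @() }
    $props = Get-ItemProperty -Path $RunMruPath
    # MRUList holds the single-letter entry names, most recent first (e.g. "cab").
    $order = [string]$props.MRUList
    $findings = foreach ($name in $order.ToCharArray()) {
        $value = $props.$name
        if (-not $value) { continue }
        # Explorer stores each entry as "<command>\1"; strip the trailing marker.
        $cmd = $value -replace '\\1$', ''
        $hits = $Patterns | Where-Object { $cmd -imatch $_ }
        if ($hits) {
            [pscustomobject]@{ Entry = $name; Command = $cmd; Matched = ($hits -join ', ') }
        }
    }
    return @($findings)
}

function Disable-RunDialog {
    # Mitigation: the Explorer "NoRun" policy removes the Run command and blocks
    # Win+R for this user; it takes full effect after the user signs out and back in.
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    New-ItemProperty -Path $policy -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: list any flagged Run-history entries for the current user.
Get-SuspiciousRunHistory | Format-Table -AutoSize
```

Run the audit under each user profile you care about (RunMRU lives under HKCU), and treat any hit as a prompt to pull the clipboard-stage payload from other evidence rather than as proof of infection on its own.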
