Hackers are using reCAPTCHA to trick users into infecting their own PCs with malware — how to stay safe


Proving you're not a robot online can be really annoying, but now it can also be quite dangerous as hackers have devised a new way to use seemingly harmless CAPTCHAs in their attacks.

A Completely Automated Public Turing Test to tell Computers and Humans Apart (or a CAPTCHA for short) is a security measure you’ve likely come across countless times online. Websites use these tests to determine if you’re an actual human user or a bot sent to crawl a particular page.

By typing out the letters you see in a picture, the website is able to verify that you are actually human. You may have also come across a reCAPTCHA before, which is an evolution of the traditional CAPTCHA that has you do something like pick out which images in a grid contain bicycles.

Now, hackers have come up with a new way to weaponize reCAPTCHAs to hijack your computer’s clipboard and get you to install info-stealing malware on your own PC. Here’s everything you need to know about this new verification attack along with some tips and tricks to help you avoid malicious sites spreading malware and other viruses.

Clipboard hijacking

(Image credit: Malwarebytes/Tom's Guide)

In a new blog post, Malwarebytes explains that while these verification attacks were first aimed at individuals in targeted companies, they’ve since become more popular and now just about anyone can run into one of them online.

This attack usually starts when an unsuspecting user visits a site that promises movies, music, pictures, news articles or some other form of popular content. Since we often have to verify we’re human on legitimate websites, most people wouldn’t think twice when asked to do so, which makes this attack very easy to fall for if you don’t know what to look out for.

After you navigate to one of the malicious sites used in this attack, you’re greeted with the same “I’m not a robot” text with a checkbox next to it. However, if an unsuspecting user does click on this checkbox, they’re shown a message with additional verification steps they need to complete.

As seen in the screenshot above captured by Malwarebytes, the message tells visitors to press and hold the Windows Key + R, then to press Ctrl + V in the verification window and finally to press Enter to finish.

These steps may look harmless to the untrained eye, but if you carry them out in their entirety, you’ll infect your own computer with malware. This is because, in the background, the malicious site copies a command to your clipboard. Pressing Windows Key + R opens the Run dialog box on your computer, and pressing Ctrl + V pastes the copied command into it. By hitting Enter at the end, you inadvertently run that command, which has your computer download and then install an executable.
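The mechanism above gives a defender two signals to combine: page text that walks the visitor through the Run dialog, and clipboard content the visitor never selected. The following added example (not code from Malwarebytes or Tom's Guide) checks both; the function names, the launcher list and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example (not from Malwarebytes or Tom's Guide): defender-side heuristic.
// Inputs are assumed to come from a content script that records page text,
// the last string a script put on the clipboard, and the user's own selection.

const STEP_PATTERNS = [
  /\b(windows|win)(\s+key)?\s*\+\s*r\b/i, // open the Run dialog
  /\bctrl\s*\+\s*v\b/i,                   // paste
  /\b(press|hit)\s+enter\b/i,             // execute
];

// Assumed, non-exhaustive list of Windows programs that run or fetch content.
const LAUNCHERS = /^\s*"?(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|msiexec)(\.exe)?"?(\s|$)/i;

function countRunDialogSteps(pageText) {
  return STEP_PATTERNS.filter((re) => re.test(pageText)).length;
}

function assessPage({ pageText, clipboardWrite, userSelection }) {
  const steps = countRunDialogSteps(pageText);
  // A legitimate copy puts the user's selection on the clipboard; a scripted
  // write puts something the user never selected.
  const scripted = clipboardWrite !== null && clipboardWrite !== userSelection;
  const commandLike = scripted && LAUNCHERS.test(clipboardWrite);
  let verdict = "allow";
  if (commandLike) verdict = steps >= 2 ? "block" : "warn";
  return { verdict, steps, scripted, commandLike };
}

// Constructed samples. The clipboard strings are harmless placeholders.
const SAMPLES = {
  fakeVerification: {
    pageText: "To verify: press and hold the Windows Key + R, press Ctrl + V in the verification window, then press Enter to finish.",
    clipboardWrite: "cmd /c echo constructed-sample",
    userSelection: "",
  },
  newsArticle: { // quotes the steps but never touches the clipboard
    pageText: "The message tells visitors to press Windows Key + R, then Ctrl + V, then press Enter.",
    clipboardWrite: null,
    userSelection: "",
  },
  copyButton: { // ordinary docs page with a Copy button
    pageText: "Click Copy, then paste the command into your terminal.",
    clipboardWrite: "npm install example-package",
    userSelection: "",
  },
};

for (const [name, sample] of Object.entries(SAMPLES)) {
  console.log(name, assessPage(sample));
}
```

Text matching alone would flag any article that quotes the steps, which is why the verdict depends on the scripted clipboard write and treats the instructions only as an escalation from "warn" to "block".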

Based on Malwarebytes’ observations, both the Lumma Stealer malware and SecTopRat have been installed onto victims’ PCs in this way. As its name suggests, Lumma Stealer is an infostealer that steals data from your browser, two-factor authentication (2FA) codes to take over your accounts and funds from any cryptowallets installed on your computer. SecTopRat, on the other hand, is a remote access trojan with similar capabilities.

How to stay safe from sites spreading malware


The first and easiest way to avoid falling victim to a verification attack like the one described above is to be extra wary when a site asks you to complete a CAPTCHA or a reCAPTCHA.

Doing so is quite common on big name sites with lots of visitors but most smaller sites don’t make you go through a verification process. If they do though, remember what you’ve learned here and if something looks fishy or out of place, don’t proceed with verification. This is especially true when a site asks you to do something out of the ordinary in order to access it. Finding motorcycles in a grid of pictures is one thing, but using keyboard shortcuts is something you definitely want to avoid.

Since this attack method tries to infect your PC with info-stealing malware, you want to make sure that your devices are protected with the best antivirus software. Likewise, you may also want to install and use a browser extension that can detect and block malicious sites and other scams.

There is another option to avoid these attacks altogether but it comes with a major caveat. Since clipboard access is triggered by a JavaScript function in this type of attack, you could disable JavaScript altogether. Unfortunately, this will break many of the websites you regularly visit.

If you do want to pursue this ‘nuclear option’ though, Malwarebytes has step by step instructions on how to disable JavaScript in Chrome, Edge, Firefox and even Opera at the bottom of its blog post. However, as this will seriously impact usability across the web, I wouldn’t recommend it.

Cybersecurity is often like a game of cat and mouse where companies come up with a security measure like CAPTCHAs or reCAPTCHAs and then cybercriminals devise a way to use this in their attacks.

This is why you always need to be extra careful online while keeping yourself up to date on the latest scams and attacks. If you do this and practice good cyber hygiene overall, you should be safe from ending up with a malware infection.


Anthony Spadafora
Managing Editor Security and Home Office
