Alarm as attackers turn to fake CAPTCHA to plant malware

HP notes that most users were lured to a fake CAPTCHA site through web advertising, search engine optimisation (SEO) hijacking, or redirects from other compromised websites.

Social engineering campaigns are increasingly using fake versions of the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) to deliver malware through the web browser, a new report has revealed, bringing fresh attention to ever-evolving attack schemes.

A CAPTCHA is a type of challenge-response test used in computing to determine whether a user is human in order to deter bot attacks and spam. The test is often presented as a challenge that’s easy for humans but difficult for machines to solve.

The report by technology firm HP suggests that potential victims are now being directed to websites controlled by attackers, where they are prompted to complete a series of verification steps that, if followed, lead to users running malicious commands on their computers.

“In these campaigns, threat actors first set up malicious websites. We’ve seen attackers rely on cloud hosting providers that give away free credits to new users – providing, in many cases, enough resources to run a malware campaign,” observes HP in the report.

“Hosting on legitimate cloud hosting services helps attackers circumvent detection because the IP addresses and domains are often reputable, enabling threat actors to bypass network security like web proxies that rely on web reputation.”

In the survey conducted in the final quarter of last year, HP notes that most users were lured to a fake CAPTCHA site through web advertising, search engine optimisation (SEO) hijacking, or redirects from other compromised websites.

“When the user loads the website, they’re shown a CAPTCHA that prompts them to perform a series of tasks to verify that they are human. If the user performs the tasks, they end up running malicious code on their PC,” the report states.

The firm also notes that more than half (53 percent) of endpoint threats during the quarter were delivered via email, making email the most common infection vector, followed by web browser downloads at 27 percent.

Threats delivered through other vectors, such as removable media, accounted for 20 percent.

“Enterprises are most vulnerable from users opening email attachments, clicking on hyperlinks in emails, and downloading files from the web,” the firm wrote.

According to local industry experts, web users are commonly redirected to fake CAPTCHA pages through two main attack pathways: downloads of cracked gaming software, and phishing and impersonation emails.

“Users attempting to download pirated or cracked versions of gaming software have more likelihood of being redirected to malicious CAPTCHA pages,” said Samuel Gathirwa, lead web developer at GIT Software Solutions.

“When users search the web spaces for free or cracked versions of popular video games, they are likely to encounter online forums, community posts, or public repositories that redirect them to malicious links,” he adds.

On phishing emails, the techie says that fake emails are sent to users asking them to address non-existent security vulnerabilities, with attached links leading them to similar fake CAPTCHA pages.

To mitigate fake CAPTCHA social engineering attacks, the HP report recommends that customers configure their deployments to disable clipboard sharing. It adds that if users do not need the Windows Run prompt, administrators can disable it through Group Policy.
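The Run-prompt mitigation above can be applied and checked from PowerShell. The script below is an added example, not code from the HP report or the article: it sets the registry value that the Group Policy "Remove Run menu from Start Menu" writes (the `NoRun` value under the current user's Explorer policies key) and then reads it back to confirm the setting. The key path and value name are assumed from standard Windows policy behaviour; in a domain environment the equivalent GPO under User Configuration > Administrative Templates > Start Menu and Taskbar is the preferred way to roll this out.

```powershell
# Added example (not from the HP report or the article): disable the Windows
# Run prompt for the current user by setting the registry value that the
# "Remove Run menu from Start Menu" Group Policy sets, then verify it.
# Assumption: the policy key path and the NoRun value are the standard ones
# Windows honours; run this in a PowerShell session on the affected user's
# account, or deploy the equivalent GPO centrally.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RunPromptPolicy {
    # Returns $true when the Run prompt is disabled by policy, $false otherwise.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'NoRun' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.NoRun -eq 1)
}

function Disable-RunPrompt {
    # Create the policies key if no Explorer policy has been set on this user yet.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # NoRun = 1 removes Run from the Start menu and blocks the Win+R dialog.
    Set-ItemProperty -Path $PolicyKey -Name 'NoRun' -Value 1 -Type DWord
}

Disable-RunPrompt

if (Get-RunPromptPolicy) {
    Write-Output 'NoRun policy set; the Run prompt is blocked for this user (takes effect at next sign-in).'
} else {
    Write-Warning 'NoRun policy value not set; check permissions or a conflicting domain policy.'
}
```

Because the value lives under HKCU, it protects only the account it was set for; an audit across a fleet would read the same value for each user profile or, more simply, report on the GPO that sets it. Pairing this with the clipboard restriction the report mentions closes both halves of the "copy this, then paste it into Run" flow.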

For her part, Nairobi-based software engineer Sera Seiyanoi urges organisations and individuals to exercise caution when encountering unexpected verification prompts, in addition to implementing robust security awareness and deploying advanced endpoint protection solutions that can detect anomalous user behaviours.

“Encourage users to avoid clicking on unfamiliar links and to verify any unexpected or suspicious requests for system actions, particularly those that require interacting with the system’s registry or running commands,” she advises.

“Organisations should also implement security training focusing on how to identify phishing pages, fake security checks, and avoiding downloading or executing unfamiliar scripts.”

Other recommended mitigations include using web filtering solutions to block known malicious sites, ensuring that all browsers have up-to-date anti-phishing features, and disabling script execution on suspicious or unknown sites.
