Cybercriminals Deploy Sophisticated Fake CAPTCHA Scams in Rising Wave of Attacks

Security researchers are raising alarms about a surge in cyberattacks using fake CAPTCHA verification pages to spread malware. These deceptive tactics have seen a dramatic rise in recent months, with thousands of users falling victim to the scams.

Rising Numbers

"We have seen more of these fake captchas every single day," reports Ray Canzanese, director of Netskope Threat Labs. His team observed thousands of users encountering these malicious pages in January alone, with February trending toward similar numbers.

ReliaQuest, another cybersecurity firm, noted an almost 200% increase in these attacks between October and early December 2024, followed by another doubling of incidents since then.

How The Scam Works

The attack typically begins when an employee receives what appears to be a legitimate email or text directing them to a website. Upon visiting the site, users encounter a fake "Verify You Are Human" prompt. However, instead of standard CAPTCHA tests like identifying images, victims are instructed to copy and paste scripts or use keyboard commands that ultimately download malware.

Recent variations have become more sophisticated, disguising malicious code as innocent verification messages complete with emojis to appear more trustworthy. Some scams impersonate trusted brands like Cloudflare to boost credibility.

Prevention Measures

Security experts recommend several key steps to protect against these attacks:

  • Train employees to never paste commands into their computers
  • Restrict PowerShell access to necessary personnel only
  • Disable the Windows Run command for regular users
  • Implement phishing-resistant two-factor authentication
  • Use endpoint detection solutions to block malicious scripts
  • Disable browser password saving features
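Two of the steps above, restricting the Run dialog and catching the "keyboard command" the fake page asks the user to type, can be checked on a single Windows host with the added script below. It is not from the article or any vendor quoted in it; it reads the Run dialog history Windows keeps under the RunMRU registry key and applies the standard NoRun user policy, and the list of interpreters it flags is my own assumption about what is worth reviewing.

```powershell
# Added example (not from the article): audit the Windows Run dialog history
# (RunMRU) for entries that launch script interpreters or download tools, and
# optionally apply the "Remove Run menu" policy for the current user.

$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
$PolicyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Assumed watch list: binaries a pasted "verification" command commonly invokes.
$Suspicious = @('powershell', 'pwsh', 'cmd', 'mshta', 'wscript', 'cscript',
                'curl', 'certutil', 'bitsadmin', 'rundll32')

function Get-RunMruEntries {
    # Each history entry is a value named a..z whose data ends in "\1";
    # the MRUList value lists the slot letters, most recent first.
    if (-not (Test-Path $RunMruPath)) { return @() }
    $key   = Get-ItemProperty -Path $RunMruPath
    $order = if ($key.MRUList) { $key.MRUList.ToCharArray() } else { @() }
    foreach ($letter in $order) {
        $slot = [string]$letter
        $raw  = $key.$slot
        if ($null -ne $raw) {
            [pscustomobject]@{ Slot = $slot; Command = ($raw -replace '\\1$', '') }
        }
    }
}

function Find-SuspiciousRunEntries {
    param([object[]]$Entries = (Get-RunMruEntries))
    foreach ($e in $Entries) {
        # Match the tool name as a whole word, with or without ".exe".
        $hits = $Suspicious | Where-Object {
            $e.Command -match ('\b' + [regex]::Escape($_) + '(\.exe)?\b')
        }
        if ($hits) {
            [pscustomobject]@{ Slot = $e.Slot; Command = $e.Command; Matched = ($hits -join ',') }
        }
    }
}

function Disable-RunCommand {
    # Sets the NoRun policy value, the same setting Group Policy uses for
    # "Remove Run menu from Start Menu"; takes effect at next logon.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name NoRun -PropertyType DWord -Value 1 -Force | Out-Null
}

# Report flagged Run dialog entries for the current user.
Find-SuspiciousRunEntries | Format-Table -AutoSize
```

Run it under the affected user's profile, since RunMRU lives in HKCU; an entry matching the watch list is a prompt to pull the host's process and network telemetry for the same time window.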

"Because it was fairly successful infecting people, more attack groups started using these techniques," explains Michal Salat from Gen Digital. The trend shows no signs of slowing, with new variations emerging regularly.

Organizations are advised to stay vigilant and ensure their security awareness training addresses these evolving threats.