Cybersecurity

Fake CAPTCHAs trick users to copy and paste infostealer commands

To err is human, funnily enough.
Cosminxp Cosmin/Getty Images

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

As if CAPTCHAs weren’t already perplexing enough (what if every square contains a bus?!)—now some of the human-verifying site tools come with malware.

Security researchers see at least a little cleverness in the threat actors’ recent corruption of a common, trusted site feature, and common keyboard commands.

“It’s weaponizing copy-and-paste, but it works,” John Hammond, principal security researcher at cybersecurity company Huntress, told IT Brew.

How it works. In September, Hammond shared his security operations team’s discovery of coded commands seeming “to come from absolutely nowhere,” according to a team notification shared in Hammond’s YouTube presentation.

An investigation of a targeted user’s browser history found an initial online redirect (an ad or popup, Hammond guessed), leading to a static page hosting a fake CAPTCHA, team notes read. “Verify that you are human,” the false CAPTCHA asks.

A user clicking “I am not a robot” then gets two instructions:

  • Press the Windows button + R
  • Press Control + V

Following these “verification steps” may show you’re human indeed—in a “to err” kinda way.

“Windows button + R” leads to a Run window and “Control + V” pastes a loaded, encoded PowerShell command leading to information-stealing malware.
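The chain above ends with explorer.exe (the Run dialog) spawning PowerShell with an encoded command. The following is an added example, not code from the article, Huntress or Palo Alto, of the detection logic a defender could run over process-creation telemetry: it flags PowerShell launched from explorer.exe with an -EncodedCommand argument and decodes the base64/UTF-16LE payload for the analyst. The event field names (parent, image, command_line) and the sample events are assumptions constructed for this illustration.

```python
"""Flag PowerShell spawned from the Run dialog with an encoded command."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"^[-/](e|ec|en|enc|encodedcommand)$", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENC_FLAG.match(tok):
            try:
                # The payload is base64 over UTF-16LE text, by PowerShell's definition.
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def flag_run_dialog_powershell(events):
    """Return findings for PowerShell children of explorer.exe using -enc."""
    findings = []
    for ev in events:
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        parent = ev["parent"].lower().rsplit("\\", 1)[-1]
        if image not in ("powershell.exe", "pwsh.exe") or parent != "explorer.exe":
            continue
        payload = decode_encoded_command(ev["command_line"])
        if payload is not None:
            findings.append({"parent": parent, "image": image, "decoded": payload})
    return findings


# Constructed sample telemetry (hypothetical field names, harmless payload).
CONSTRUCTED_PAYLOAD = "Write-Host 'constructed sample payload'"
ENCODED = base64.b64encode(CONSTRUCTED_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -nop -enc " + ENCODED},
    {"parent": r"C:\Windows\System32\cmd.exe",  # scheduled admin script, benign
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for f in flag_run_dialog_powershell(SAMPLE_EVENTS):
        print(f"{f['parent']} -> {f['image']}: {f['decoded']}")
```

Sysmon Event ID 4688 / Sysmon Event ID 1 records carry the parent image and command line needed here; pairing this check with the Group Policy restrictions on PowerShell mentioned below gives both prevention and visibility.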

Command and control. Palo Alto noted this attack on August 28, citing how the copy-and-paste trickery led to Lumma Stealer, malware known to collect browser data like credentials, cookies, and autofill info.

Proofpoint noted similar copy-and-scam tactics as early as March 2024, when the cybersecurity company observed threat actors using phony warnings of a necessary browser update—one that could be performed with keyboard shortcuts, which resulted in malware.

Paul Michaud II, team lead for Palo Alto’s managed threat hunting team, recommends Group Policy configuration to limit the usage of native tools like PowerShell, adding that the scam tactic endangers organizations allowing access to corporate systems from personal devices.

“Since personal devices don’t have the same security controls and lack visibility, if a user falls for this and the malware is successful in execution, it could lead to credential theft which could provide access to corporate systems,” Michaud wrote in an email to IT Brew.

Stat! The average cost of a breach when attackers used compromised credentials, according to IBM’s “Cost of a Data Breach” report, released in July 2024: $4.81 million

Website profiler BuiltWith measured 234,340 detections of CAPTCHA in the top 1 million sites (as of Sept. 24).

A lead comment on Hammond’s YouTube demo page said: “I could definitely see people falling for this. The fatigue among users encountering CAPTCHAs is real.”
