There is a sneaky new technique to get malware onto your system; attackers are now creating fake CAPTCHA pages to trick you into running commands that will compromise your device.
You’re probably familiar with CAPTCHA challenges. Websites use them to distinguish humans from bots, often with a “verify you are human” checkbox or a task like making you select all the bicycles in the squares. But recently, attackers have been creating fake CAPTCHA challenges that trick you into running malicious commands instead.
These fake CAPTCHA pages appear on ordinary websites that have been compromised, or on malicious websites promoted through online ads.
Example of fake CAPTCHA steps:
- Press Win + R (this opens the Run dialog box);
- Press CTRL + V (the website places text into the clipboard – invisible to you – and this step pastes the contents from the clipboard into the text field of the Run box);
- Press Enter (this executes the code you pasted into the Run box, and downloads the malware).
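For anyone checking a Windows machine after the fact, the following PowerShell script is an added example (not part of the original post) that reads the Run dialog's history, which Windows keeps in the user's RunMRU registry key, and flags entries that look like the pasted commands described in the steps above. The keyword list is this example's own assumption, not a definitive indicator set.

```powershell
# Added example: audit the Run dialog (Win + R) history for commands that look like
# a pasted fake-CAPTCHA payload. Windows records each Run-box entry under the
# RunMRU key of the current user, with the most-recent order kept in MRUList.
# The keyword list below is this example's assumption, not a definitive indicator set.
function Get-SuspiciousRunMru {
    param(
        [string]$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
        [string[]]$Keywords = @('powershell', 'pwsh', 'mshta', 'cmd', 'curl', 'certutil',
                                'bitsadmin', 'wscript', 'cscript', 'rundll32', 'regsvr32',
                                'msiexec', 'http', '-enc', 'iex', 'invoke-expression')
    )

    $mru = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $mru) { return @() }   # no Run-box history for this user

    # MRUList holds the value names (single letters) from most to least recent.
    $order = if ($mru.MRUList) { $mru.MRUList.ToCharArray() } else { @() }

    $results = foreach ($letter in $order) {
        $name = [string]$letter
        $raw  = $mru.$name
        if (-not $raw) { continue }

        # Windows stores each entry as "<command>\1"; strip the trailing marker.
        $command = $raw -replace '\\1$', ''

        # -match is case-insensitive; escape keywords so '-enc' etc. are matched literally.
        $hits = $Keywords | Where-Object { $command -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{
                Entry   = $name
                Command = $command
                Matched = ($hits -join ', ')
            }
        }
    }
    return $results
}

# Usage: list suspicious Run-box history for the current user; an empty result
# means nothing matched. Run in the session of the user being examined, since the
# key lives under HKCU.
Get-SuspiciousRunMru | Format-Table -AutoSize
```

A hit is a reason to look closer (for example at what the command downloaded), not proof of compromise on its own, since legitimate commands can contain the same words.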
How to recognize a fake CAPTCHA:
- Legitimate CAPTCHA will NEVER ask you to copy/paste text or run commands on your system
- Legitimate CAPTCHA will NEVER ask you to log in, send a payment, or provide other sensitive information
- As a general rule, do not execute any commands given by websites, especially those pretending to be fixes or CAPTCHAs.
If you think you have encountered a fake CAPTCHA page, close your web browser. Do not interact with the website. Then, report the fake CAPTCHA to cybersecurity@ufv.ca or submit a ticket to the IT Service Desk.