New cyber campaign targets PC users with fake CAPTCHAs and browser errors

A CAPTCHA is a security feature used on websites and in apps to verify whether a user is human or an automated program or bot. Earlier this year, there were reports of attackers distributing the Lumma stealer using fake CAPTCHAs, primarily targeting gamers. When browsing gaming websites, users were lured into clicking on an ad that covered the entire screen. They were redirected to a fake CAPTCHA page with instructions below the prompt tricking them into downloading the stealer. When users clicked the I'm not a robot button, an encoded Windows PowerShell command was copied to their PC’s clipboard. They were then prompted to paste it into the terminal box and press Enter, inadvertently downloading and launching Lumma. The malware searched for cryptocurrency-related files, cookies, and password manager data on the victim's device. It also visited the webpages of various e-commerce platforms, boosting their view counts, giving the attackers additional financial gain.

A fake CAPTCHA with malicious instructions

In the new wave of the attacks, Kaspersky researchers identified another attack scenario in which, instead of a CAPTCHA, a webpage error message is displayed, styled to look like a service message in the Chrome web browser. The attackers instruct the user "copied the fix" into the terminal window (the fix being the same malicious PowerShell command as described above).

A fake message mimicking Google Chrome

"Kaspersky discovered that the new wave of the attack targets not only gamers, but other groups, and is distributed through file-sharing services, web applications, bookmaker portals, adult content pages, anime communities, and other channels. The attackers also use the Amadey Trojan in this wave of the attack – like Lumma, it steals credentials from popular browsers and cryptocurrency wallets, but it can also take screenshots, obtain credentials for remote access services, and download a remote access tool to the victim’s device, allowing the attackers to gain full access.“Attackers bought some advertising slots, and if a user gets to see this ad and click on it, they are redirected to malicious resources, which is a common attack tactic. The new wave of this campaign involves a significantly expanded distribution network and the introduction of a new attack scenario that reaches more victims. Now users can be lured away by either a fake CAPTCHA prompt or a Chrome webpage error message, falling victim to a stealer with new functionalities. Corporate users and individuals should exercise caution and think critically before following any suspicious prompts that they see online,” comments Vasily Kolesnikov, Security Expert at Kaspersky.

Read more on Securelist.

To block threats related to stealers, follow the recommendations below.

Businesses:

• check if the credentials for your company’s devices or web applications have been compromised by stealers on the dedicated Kaspersky Digital Footprint Intelligence landing page;
• use a dedicated security solution such as Kaspersky Endpoint Security for Business with application and web control; behavior analysis helps quickly detect malicious activity;
• look into boosting your employees’ digital literacy to minimize the cyber risks from the human side by using an online tool that offers comprehensive cyber trainings for staff.

Individuals:

• use a comprehensive security solution, such as Kaspersky Premium, on all of your devices, to prevent opening suspicious pages or phishing emails;
• use Kaspersky Password Manager to store your passwords securely.