When you visit a webpage, you might see a CAPTCHA to make sure you’re a real person and not a bot. These usually involve jumbled words, some recognizable images or just a box that says, “I am not a robot.” 

CAPTCHAs are harmless, but hackers are now using them to infect your PC with malware.

Security researchers have found a huge fake CAPTCHA campaign spreading the dangerous Lumma info-stealer malware, which can bypass security measures like Safe Browsing.

This campaign shows how malvertising works, with more than a million ad impressions every day and thousands of victims losing their accounts and money through a network of more than 3,000 sites. I’ll break down how this scam works, who’s responsible and how you can protect yourself.

GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE

How does the scam work?

As reported by Guardio, the fake CAPTCHA scam is a sophisticated malvertising campaign that lures you into unknowingly installing malware under the guise of routine CAPTCHA verification. The cyberattack starts when you’re browsing websites, often those offering free streaming, downloads or pirated content. These sites are used by hackers to present you with what appears to be a legitimate CAPTCHA verification page.

WHAT IS ARTIFICIAL INTELLIGENCE (AI)?

The page mimics a real CAPTCHA, asking you to confirm you are human. However, the instructions are designed to trick you into initiating harmful actions, like triggering the Windows “Run” dialog. Users unknowingly paste and execute a crafted PowerShell command, which silently installs the Lumma info-stealer malware onto their system.

The malware targets sensitive data, including social media accounts, banking credentials, saved passwords and personal files, potentially leading to financial and identity theft.

Illustration of fake CAPTCHA (Guardio)

HERE’S WHAT RUTHLESS HACKERS STOLE FROM 110 MILLION AT&T CUSTOMERS

Who’s to blame for this?

The fake CAPTCHA scam shows how messy the internet’s ad system has become, with everyone involved passing the buck. Guardio Labs points to ad networks like Monetag as a big part of the problem. They distribute malicious ads that are disguised during moderation using tricks like cloaking. Publishers, especially those offering free or pirated content, add to the issue by running these shady ads on their sites, often without checking what they’re actually showing users.

Then there are services like BeMob, which lets scammers hide their bad links behind harmless-looking URLs. These companies call themselves analytics tools, but they’re helping the scams stay hidden. Hosting providers don’t escape blame either. They’re where these fake CAPTCHA pages live, and they often don’t bother to check what’s being hosted.

Of course, the scammers themselves are the ones pulling the strings. But because they spread their operations across so many platforms, they’re almost impossible to track down. Guardio’s research shows how all these moving parts work together, creating a system where no one takes responsibility, and the scams keep running.

Illustration of a scammer at work (Kurt “CyberGuy” Knutsson)

BEWARE OF ENCRYPTED PDFs AS LATEST TRICK TO DELIVER MALWARE TO YOU

6 ways to stay safe from fake CAPTCHAs

1. Use reliable security software: Keeping your antivirus and anti-malware software up to date is one of the most effective ways to protect yourself from fake CAPTCHA scams. A strong antivirus software will detect and block malware like the Lumma info-stealer before it can infect your device. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

2. Enable browser protection features: Modern browsers offer built-in security features, such as Safe Browsing and phishing protection, which warn you about potentially dangerous sites. Make sure these features are enabled in your browser settings. These tools can alert you to malicious links or fake CAPTCHAs trying to trick you into downloading malware.

3. Be cautious with “free” content: There’s a saying that goes, “If something is free, you’re what they are selling.” Websites that offer free downloads, streaming services or pirated content are often associated with malvertising campaigns. Fake CAPTCHA scams are commonly spread through these types of sites, where users are tricked into clicking on malicious ads or links. Even if a site seems tempting, it’s important to be cautious. Avoid clicking on suspicious links or using “free” services, as they could be traps designed to infect your device with malware.

4. Avoid clicking on suspicious ads: Always be wary of ads that appear out of nowhere or seem too good to be true. Fake CAPTCHA scams often disguise themselves as legitimate ads, asking you to click to verify you’re human. Never interact with pop-up ads or unfamiliar banners, especially those that claim to give you something for free, as they may lead to malicious pages or trigger malware downloads. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

5. Check for HTTPS and look for signs of a legitimate site: Before entering any personal information or interacting with a CAPTCHA, ensure that the website is secure. Look for “https://” in the website’s URL, which indicates the connection is encrypted. Legitimate websites also tend to have a professional appearance, so if something feels off or the design looks poor, trust your instincts and leave the site.

6. Enable two-factor authentication: Two-factor authentication adds an extra layer of security, making it harder for attackers to access your accounts. 

WHAT TO DO IF YOUR BANK ACCOUNT IS HACKED

Kurt’s key takeaway

There’s no question that fake CAPTCHA scams are a growing threat, putting millions of us at risk of malware infections and financial loss. What’s even more concerning is that ad networks, publishers and hosting services continue to allow malicious campaigns to spread through their platforms despite the widespread awareness of the problem. The companies involved must take immediate action to improve content moderation, tighten security measures and prevent these scams from thriving. We are seeing a dangerous loophole in the digital advertising ecosystem that could have serious consequences for internet users.

Do you think ad networks and publishers should be held accountable for the spread of malware through their platforms? Let us know by writing us at Cyberguy.com/Contact.

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.

Ask Kurt a question or let us know what stories you’d like us to cover.

Follow Kurt on his social channels:

Answers to the most asked CyberGuy questions:

New from Kurt:

Copyright 2024 CyberGuy.com. All rights reserved.