Skip to main content

New cyber campaign targets PC users with fake CAPTCHAs and browser errors

October 30, 2024

A new wave of the malicious campaign that is spread through web ads and aimed at Windows PC users was discovered by Kaspersky. While browsing the web, users may unknowingly click on an ad that invisibly covers the entire screen, redirecting them to a fake CAPTCHA page or a fake Chrome error message that prompts them to follow steps to download stealers. Kaspersky’s telemetry recorded over 140,000 encounters with these malicious ads in September and October 2024, and more than 20,000 users were redirected to the fake pages hosting malicious scripts. This threat was encountered by users in many regions, including LATAM, Africa, the Middle East, and Asia. To stay safe, experts advise users to exercise caution and avoid following suspicious prompts for action online.

A CAPTCHA is a security feature used on websites and in apps to verify whether a user is human or an automated program or bot. Earlier this year, there were reports of attackers distributing the Lumma stealer using fake CAPTCHAs, primarily targeting gamers. When browsing gaming websites, users were lured into clicking on an ad that covered the entire screen. They were redirected to a fake CAPTCHA page with instructions below the prompt tricking them into downloading the stealer. When users clicked the I'm not a robot button, an encoded Windows PowerShell command was copied to their PC’s clipboard. They were then prompted to paste it into the terminal box and press Enter, inadvertently downloading and launching Lumma. The malware searched for cryptocurrency-related files, cookies, and password manager data on the victim's device. It also visited the webpages of various e-commerce platforms, boosting their view counts, giving the attackers additional financial gain.

A fake CAPTCHA with malicious instructions A fake CAPTCHA with malicious instructions

In the new wave of the attacks, Kaspersky researchers identified another attack scenario in which, instead of a CAPTCHA, a webpage error message is displayed, styled to look like a service message in the Chrome web browser. The attackers instruct the user "copied the fix" into the terminal window (the fix being the same malicious PowerShell command as described above).

A fake message mimicking Google Chrome

A fake message mimicking Google Chrome

Kaspersky discovered that the new wave of the attack targets not only gamers, but other groups, and is distributed through file-sharing services, web applications, bookmaker portals, adult content pages, anime communities, and other channels. The attackers also use the Amadey Trojan in this wave of the attack – like Lumma, it steals credentials from popular browsers and cryptocurrency wallets, but it can also take screenshots, obtain credentials for remote access services, and download a remote access tool to the victim’s device, allowing the attackers to gain full access.

“Attackers bought some advertising slots, and if a user gets to see this ad and click on it, they are redirected to malicious resources, which is a common attack tactic. The new wave of this campaign involves a significantly expanded distribution network and the introduction of a new attack scenario that reaches more victims. Now users can be lured away by either a fake CAPTCHA prompt or a Chrome webpage error message, falling victim to a stealer with new functionalities. Corporate users and individuals should exercise caution and think critically before following any suspicious prompts that they see online,” comments Vasily Kolesnikov, Security Expert at Kaspersky.

Read more on Securelist.

To block threats related to stealers, follow the recommendations below.

Businesses:

  • check if the credentials for your company’s devices or web applications have been compromised by stealers on the dedicated Kaspersky Digital Footprint Intelligence landing page;
  • use a dedicated security solution such as Kaspersky Endpoint Security for Business with application and web control; behavior analysis helps quickly detect malicious activity;
  • look into boosting your employees’ digital literacy to minimize the cyber risks from the human side by using an online tool that offers comprehensive cyber trainings for staff.

Individuals:

New cyber campaign targets PC users with fake CAPTCHAs and browser errors

A new wave of the malicious campaign that is spread through web ads and aimed at Windows PC users was discovered by Kaspersky. While browsing the web, users may unknowingly click on an ad that invisibly covers the entire screen, redirecting them to a fake CAPTCHA page or a fake Chrome error message that prompts them to follow steps to download stealers. Kaspersky’s telemetry recorded over 140,000 encounters with these malicious ads in September and October 2024, and more than 20,000 users were redirected to the fake pages hosting malicious scripts. This threat was encountered by users in many regions, including LATAM, Africa, the Middle East, and Asia. To stay safe, experts advise users to exercise caution and avoid following suspicious prompts for action online.
Kaspersky logo

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Related Articles Press Releases