
A new cybersecurity threat has recently come to light in which hackers use reCAPTCHA to trick users into infecting their devices with malware. If you aren’t already aware, reCAPTCHA is a service powered by Google that protects websites from spam and abuse by detecting and weeding out bots. The service distinguishes humans from bots by posing challenges that only humans should be able to answer. Fun fact: CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.” This security measure has several different versions, including checking the “I’m not a robot” box, identifying which images in a grid contain traffic signals, solving puzzles, typing out the letters seen in an image, and more.
The reCAPTCHA service has been fairly effective and convenient, and usually provides a quick and easy solution for preventing bot activity on websites. However, hackers have recently started using CAPTCHAs that you would typically deem harmless in their attacks. Using reCAPTCHAs, hackers have figured out how to hijack your computer’s clipboard and get you to accidentally install malware on your device. The attack usually starts when a user unknowingly visits a malicious, fraudulent website that usually promotes something widespread and popular like music, movies, new articles, and so on. The website will ask you to verify that you are not a robot, like many other sites do, making the attack easy to fall for and difficult to detect.
Once the user checks the box to verify that they are not a robot, they are automatically redirected to another page with additional verification steps for them to complete. These additional steps instruct the user to hold the Windows Key + R, then to press Ctrl + V, and then to press Enter to finish. To an untrained individual, these actions would seem harmless, just more steps to prove that there is an actual person sitting at the computer and keyboard. However, they are actually running a command on your computer: Windows Key + R opens the Run dialog, Ctrl + V pastes the command that the website has already placed on your clipboard, and Enter executes it. That command then allows the website to install malware on your computer. The malware that is installed can then steal your data, lock up your device, or be used to complete other unwanted, unauthorized tasks.
The easiest way to avoid falling victim to this attack is to be wary of what sites you visit and what activities you engage in on those sites. This attack stems from an already fraudulent website, so it is important to avoid these websites in the first place, if at all possible. Usually they are easy to spot: addresses with “http” instead of “https” at the beginning, poor design or spelling errors, deals that are too good to be true, and no contact information, locations, or reviews are all likely to be found on malicious sites. Additionally, if you are completing a reCAPTCHA element and something seems fishy, don’t complete the verification. The reCAPTCHA prompts are pretty standard, so if they seem out of the ordinary, they may very well be fraudulent.
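For anyone checking a Windows PC after the Windows Key + R steps described above may have been followed: Windows records what is entered in the Run dialog under the per-user registry key `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`. The Python below is an added example, not part of the original post, that reviews those entries. The indicator list, the threshold and the sample values are assumptions constructed for illustration.

```python
import re

# Programs that can fetch or run remote content. Heuristic list assumed for
# this example, not exhaustive.
SCRIPT_HOSTS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|curl|certutil|bitsadmin|"
    r"msiexec|rundll32|regsvr32)(\.exe)?\b", re.I)
URL = re.compile(r"https?://", re.I)

def run_history(values):
    """Return Run-dialog commands, most recent first.

    `values` maps RunMRU value names to their data: one-letter names hold the
    commands (each ending in the marker backslash-1) and MRUList holds the
    letters in most-recent-first order.
    """
    commands = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:          # letter listed in MRUList but value missing
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands

def indicators(command):
    """List the reasons a single Run-dialog entry looks like a pasted command."""
    reasons = []
    if SCRIPT_HOSTS.search(command):
        reasons.append("script-host")
    if URL.search(command):
        reasons.append("url")
    return reasons

def suspicious(values, threshold=2):
    """Return (command, reasons) pairs with at least `threshold` indicators."""
    hits = []
    for command in run_history(values):
        reasons = indicators(command)
        if len(reasons) >= threshold:
            hits.append((command, reasons))
    return hits

# Constructed sample of RunMRU values; example.invalid is a placeholder host.
SAMPLE = {
    "MRUList": "cba",
    "a": "regedit\\1",
    "b": "cmd\\1",
    "c": "powershell -Command <placeholder> https://example.invalid/verify\\1",
}

if __name__ == "__main__":
    for command, reasons in suspicious(SAMPLE):
        print(", ".join(reasons), "->", command)
```

An entry that merely opens `cmd` or `regedit` scores below the threshold, so everyday use of the Run dialog is not reported.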