New phishing technique uses fake CAPTCHA to deploy malware

A new phishing technique has been added to the array: mimicking the CAPTCHA user verification system. Scammers ask for simple key combinations to be performed, leading an unsuspecting user to install malware on their computer.

The website Sekurak, among others, warns about this new scam method and the impersonation of the CAPTCHA system. A user may land on a page where a familiar window asks for confirmation that the user is human. In genuine cases, we typically encounter a single button with the text "I'm not a robot," a puzzle piece that needs to be matched to an image, or (in the oldest version) selecting pictures that do not match the others. Here, however, it is different.

The fake CAPTCHA system version suggests that user confirmation will be possible after performing a simple instruction—pressing the combinations Win+R, Win+V, and the Enter key in sequence. In practice, this is a recipe for launching a malicious script placed in the system clipboard, which the victim will then unknowingly activate. The web browser will not warn in any way that malicious code has entered the clipboard. Fake software will then be downloaded to the computer.

According to Sekurak, after running the script, one can expect the download of an info stealer, although the forms of attack may vary depending on the specific case. The conclusion, however, is the same—the user is unaware that malware is operating on their computer, which can steal files, data, or read screen contents, potentially leading to the theft of email, social media, or online banking login data.