Wednesday, March 19, 2025

Gotcha CAPTCHAs being used to spread malware


We’ve all become used to completing tests to prove we’re not robots, but a new report from HP Wolf Security highlights the rising use of fake CAPTCHA verification tests which allow threat actors to trick users into infecting themselves.

The technique shows attackers are capitalizing on people’s increasing familiarity with completing multiple authentication steps online — a trend HP describes as ‘click tolerance’.

As bots get better at bypassing CAPTCHAs, authentication has grown more elaborate — meaning users have become more accustomed to jumping through hoops to prove they’re human. HP threat researchers identified multiple campaigns where attackers crafted malicious CAPTCHAs.

In one example, users were directed to attacker-controlled sites and prompted to complete a range of fake authentication challenges. Victims were tricked into running a malicious PowerShell command on their PC that ultimately installed the Lumma Stealer remote access trojan (RAT).

Another campaign has seen attackers spreading an open-source RAT, XenoRAT, with advanced surveillance features such as microphone and webcam capture. Using social engineering techniques to convince users to enable macros in Word and Excel documents, attackers could control devices, exfiltrate data, and log keystrokes.

Patrick Schläpfer, principal threat researcher in the HP Security Lab, says, “A common thread across these campaigns is the use of obfuscation and anti-analysis techniques to slow down investigations. Even simple but effective defence evasion techniques can delay the detection and response of security operations teams, making it harder to contain an intrusion. By using methods like direct system calls, attackers make it tougher for security tools to catch malicious activity, giving them more time to operate undetected — and compromise victims’ endpoints.”

Attackers have also been identified delivering malicious JavaScript code inside Scalable Vector Graphics (SVG) images to evade detection. These images are opened by default in web browsers and execute the embedded code to deploy payloads including RATs and infostealers, offering redundancy and monetization opportunities for the attacker.
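To illustrate the SVG technique described above from the defender's side, here is an added example (not code from the HP report or its authors) of the check a mail gateway or upload handler could run: it parses an SVG and flags the places where a browser would execute script. The two sample images are constructed for the example; the function name `find_svg_script_indicators` is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# SVG is XML, so a browser will run any <script> element, any on* event
# handler attribute (onload, onclick, ...) and any javascript: URL in an href.
EVENT_ATTR_RE = re.compile(r"^on[a-z]+$", re.IGNORECASE)


def find_svg_script_indicators(svg_text: str) -> list[str]:
    """Return the reasons an SVG carries executable content (empty list = none found)."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # A file that is not well-formed XML cannot be vetted; treat as a finding.
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        # ElementTree reports namespaced tags as "{namespace}localname"
        local = elem.tag.rsplit("}", 1)[-1].lower()
        if local == "script":
            findings.append("<script> element present")
        for attr, value in elem.attrib.items():
            attr_local = attr.rsplit("}", 1)[-1]  # strips e.g. the xlink namespace
            if EVENT_ATTR_RE.match(attr_local):
                findings.append(f"event handler attribute {attr_local} on <{local}>")
            if attr_local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{local}>")
    return findings


def is_suspicious(svg_text: str) -> bool:
    """Policy hook: block or detonate any SVG with at least one indicator."""
    return bool(find_svg_script_indicators(svg_text))


# Constructed samples: a plain image and one carrying the three script vectors above.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

SCRIPTED_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>/* constructed placeholder, no real payload */</script>
  <rect width="10" height="10" onload="void(0)"/>
  <a xlink:href="javascript:void(0)"><text>click</text></a>
</svg>"""

if __name__ == "__main__":
    for name, svg in (("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG)):
        print(name, "->", find_svg_script_indicators(svg) or "clean")
```

Because the report notes browsers open SVGs by default, a practical companion control is to serve or quarantine untrusted SVG files as downloads rather than rendering them inline.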

“Multi-step authentication is now the norm, which is increasing our ‘click tolerance.’ The research shows users will take multiple steps along an infection chain, really underscoring the shortcomings of cyber awareness training,” says Dr. Ian Pratt, global head of security for personal systems at HP. “Organizations are in an arms race with attackers — one that AI will only accelerate. To combat increasingly unpredictable threats, organizations should focus on shrinking their attack surface by isolating risky actions — such as clicking on things that could harm them. That way, they don’t need to predict the next attack; they’re already protected.”

The full report is available from the HP site.

Image credit: Georgejmclittle/Dreamstime.com
