A few weeks ago, we reported on a study alleging that CAPTCHA does not deter bots and that Google merely uses it to collect and sell data. This week, HP Wolf Security researchers raised a new complaint against CAPTCHA in the latest edition of the HP Threat Insights Report. This time, however, the complaint has nothing to do with Google; instead, it’s about threat actors who infect victims’ devices with malware by tricking them into engaging with fake CAPTCHA challenges.

In the “CAPTCHA Me If You Can” attack, victims are tricked with fake CAPTCHAs. After the victim clicks the challenge, the system makes it appear as though it isn’t convinced that the user is human. The user is then referred to a malicious website to complete more difficult human verification tasks. While the victim completes this challenge, attackers wait in ambush with their malware traps. Cybercriminals have designed these traps to manipulate victims into executing a malicious PowerShell script, which victims will most likely run without realizing it. The result? A Lumma Stealer remote access trojan (RAT) is installed, allowing attackers to steal personal information, credentials, banking details, and other vital information.

HP also revealed that cybercriminals are launching a series of surveillance attacks on end users’ webcams and microphones, and many users are falling victim. After users are tricked into compromising their devices, attackers can record videos and snap pictures through victims’ webcams and microphones. It was also reported that during these attacks, malicious actors use phishing or other social engineering tricks to lure victims into activating macros in Word and Excel documents. This eventually helps attackers gain unauthorized privileges on users’ devices.

The report also exposed how malicious actors compromise devices with malicious PDFs and Python script attacks. To do this, bad actors embed malicious JavaScript code in SVG vector files. The HP Threat Insights Report gives more details about how these attacks are carried out and how to avoid them.

Global Head of Security at HP, Dr Ian Pratt, recommended that users and individuals shrink “their attack surface by isolating risky actions – such as clicking on things that could harm them. That way, they don’t need to predict the next attack; they’re already protected.”

This report reinforces the fact that bad actors will stop at nothing to carry out their illicit motives. However, with extra caution, users can be in control and avoid their ever-evolving traps.