In recent months, a concerning phishing technique has emerged. This technique exploits users' familiarity with CAPTCHA security checks and abuses the routine of confirming them. Users are misled into performing actions that lead to the installation of malware, such as the Lumma Stealer.
How does this attack work?
Users are presented with a seemingly legitimate CAPTCHA verification with the message 'I am not a robot'. After clicking, a pop-up window appears with instructions asking the user to perform the following actions:
- Press the Windows key + R: This opens the Windows 'Run' dialog box.
- Press Ctrl + V: This pastes a pre-copied PowerShell command into the dialog box.
- Press Enter: This executes the pasted command, resulting in the download and installation of malware.
The effectiveness of this attack lies in how it exploits users' automatic behavior when performing routine tasks. CAPTCHAs are seen as a standard procedure, so users are less alert to potential threats while completing one. By having the user execute the command themselves, the attacker bypasses traditional security measures that detect suspicious downloads or executions.
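The sequence above leaves two traces on the victim's machine: the Run dialog remembers the last commands typed into it (the RunMRU registry key), and, where Script Block Logging is enabled, PowerShell records the text of every script block it compiles as event 4104. The following hunt script is an added example written for this article, not code from the original page or from any vendor; it checks both places for the command shape the text describes (hidden window, IEX/IRM, bypass flags). The indicator patterns are constructed for illustration and assume PowerShell 5.1 or later on Windows with rights to read the event logs; Script Block Logging is assumed to be turned on, which it is not by default.

```powershell
# Added detection example (not from the original article): hunts for traces of the
# fake-CAPTCHA "Win+R, Ctrl+V, Enter" pattern on a Windows host.
# Assumptions: PowerShell 5.1+ on Windows, run with rights to read the event logs;
# Script Block Logging (event 4104) is enabled, which is optional on a default system.

# Constructed indicator list describing the command shape the article explains:
# hidden window, Invoke-Expression/IEX, Invoke-RestMethod/IRM, encoded or bypass flags.
$SuspiciousPatterns = @(
    '(?i)\biex\b',
    '(?i)invoke-expression',
    '(?i)\birm\b',
    '(?i)invoke-restmethod',
    '(?i)-w(indowstyle)?\s+hidden',
    '(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}',
    '(?i)-ep\s+bypass|-executionpolicy\s+bypass'
)

function Test-SuspiciousCommand {
    param([string]$Text)
    foreach ($p in $SuspiciousPatterns) {
        if ($Text -match $p) { return $true }
    }
    return $false
}

function Get-RunMruFindings {
    # The Run dialog stores its history in RunMRU: one value per entry (named a, b, c, ...),
    # each string ending in a literal "\1". A PowerShell one-liner here is this attack's footprint.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-ItemProperty -Path $key
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' } |
        ForEach-Object { $_.Value -replace '\\1$', '' } |
        Where-Object { ($_ -match '(?i)powershell|pwsh|mshta|cmd(\.exe)?\s') -and (Test-SuspiciousCommand $_) } |
        ForEach-Object { [pscustomobject]@{ Source = 'RunMRU'; Time = $null; Evidence = $_ } }
}

function Get-ScriptBlockFindings {
    param([int]$MaxEvents = 500)
    # Event 4104 records the text of every script block PowerShell compiles, including
    # one-liners started from the Run dialog, when Script Block Logging is enabled.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { Test-SuspiciousCommand $_.Message } |
        ForEach-Object {
            [pscustomobject]@{
                Source   = 'ScriptBlockLog'
                Time     = $_.TimeCreated
                Evidence = (($_.Message -split "`n")[0..2] -join ' ')   # first lines of the block
            }
        }
}

# Usage: run both hunts and print whatever was found.
$findings = @(Get-RunMruFindings) + @(Get-ScriptBlockFindings)
if ($findings.Count -eq 0) { 'No fake-CAPTCHA style traces found.' }
else { $findings | Format-Table -AutoSize }
```

The RunMRU check works on any Windows host because Explorer always keeps that history; the event-log check only returns results where Script Block Logging is on, which is one more reason to enable it before an incident rather than after.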
Protection measures
To prevent this attack, organizations and users can take the following measures:
- Be vigilant with unusual CAPTCHA instructions:
Legitimate CAPTCHAs will never ask to execute system commands like opening the 'Run' dialog box.
- Use up-to-date security software:
Ensure antivirus and anti-malware software is current and provides real-time protection.
- Limit or disable PowerShell:
For users who do not need PowerShell, limiting or disabling it can provide an extra layer of security.
- Enable Constrained Language Mode (CLM) for PowerShell:
This blocks dangerous functions like IEX (Invoke-Expression) and IRM (Invoke-RestMethod), which are often used in such attacks.
- Block the Win+R 'Run' window:
This prevents users from accidentally executing malicious commands via the 'Run' menu.
- Provide awareness training by ethical hackers:
WhiteHats security experts can conduct training to make employees more aware of such attacks and teach them to recognize suspicious situations more quickly.
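Three of the measures above (blocking the Run dialog, enabling Constrained Language Mode and, as a complement, turning on PowerShell Script Block Logging so that anything pasted anyway is recorded) can be applied on a single machine with a short script. The one below is an added example written for this article, not the original page's or any vendor's code; it assumes an elevated PowerShell 5.1 or later session on a stand-alone Windows host. The registry paths and the `__PSLockdownPolicy` environment variable are real Windows settings; in a domain the same settings belong in Group Policy rather than in a script.

```powershell
# Added hardening example (not from the original article). Applies three measures on one host:
#   1. Block the Win+R Run dialog (Explorer policy value "NoRun").
#   2. Put PowerShell into Constrained Language Mode via the __PSLockdownPolicy variable.
#   3. Turn on Script Block Logging so any one-liner that does get pasted is recorded (event 4104).
# Assumptions: elevated PowerShell 5.1+ session on a stand-alone Windows machine.
# In a domain, push the same settings through Group Policy instead of editing the registry directly.

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Creates the key if it is missing, then writes (or overwrites) the DWORD value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ScriptBlockPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

# 1. NoRun removes "Run" from the Start menu and disables Win+R for the current user
#    (takes effect after Explorer restarts or the user logs on again).
Set-RegistryDword -Path $ExplorerPolicy -Name 'NoRun' -Value 1

# 2. Constrained Language Mode. __PSLockdownPolicy=4 is the quick, system-wide switch used here
#    for illustration; on its own it is only a speed bump, so pair it with an AppLocker or WDAC
#    policy in production, which is what makes the language mode enforced.
[Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')

# 3. Script Block Logging (event 4104 in Microsoft-Windows-PowerShell/Operational).
Set-RegistryDword -Path $ScriptBlockPolicy -Name 'EnableScriptBlockLogging' -Value 1

function Test-Hardening {
    # Reports whether each setting is present. LanguageMode reflects the current session only;
    # sessions started after the change report "ConstrainedLanguage".
    [pscustomobject]@{
        NoRun        = ((Get-ItemProperty $ExplorerPolicy -ErrorAction SilentlyContinue).NoRun -eq 1)
        LockdownVar  = ([Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine') -eq '4')
        ScriptBlock  = ((Get-ItemProperty $ScriptBlockPolicy -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1)
        LanguageMode = $ExecutionContext.SessionState.LanguageMode
    }
}

# Usage: show the resulting state.
Test-Hardening
```

Disabling Win+R does not stop a user from reaching the same command through a terminal or the File Explorer address bar, so this setting narrows the attack path the article describes rather than closing PowerShell entirely; the logging line is there so that a paste that does get through still shows up in the event log for the detection side.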