Using CAPTCHA for Compromise: Hackers Flip the Script

December 30, 2024

CAPTCHA is an important anti-fraud control that ordinarily protects websites from bot-driven attacks such as brute-force and password-spray attempts. In that role it is not only useful but essential. That very ubiquity, however, has made encountering a CAPTCHA routine, and anything routine is potentially usable by threat actors as an attack vector. A CAPTCHA is a situation in which users faithfully follow instructions from a website, and there are ways for an illegitimate actor to exploit that trust. It begins with impersonation: threat actors typically build a CAPTCHA page that mimics one of the common services, such as Google or Cloudflare.

There are several ways a fake CAPTCHA page can be abused. The most common is to lend authenticity to a fraudulent phishing website: a user feels less suspicious of a site that appears to have security measures in place, and may be more willing to log in with their credentials. A more brazen variant, used by some threat actors, tricks the user into running a malicious script on their own PC. The method is simple: first, the website silently copies a malicious command into the visitor's clipboard through JavaScript. Then it displays a fake CAPTCHA instructing the user to prove they are human by opening a command prompt, pressing Ctrl+V, and pressing Enter. One would hope this is so obviously an attempt to install malware that nobody would fall for it, but because real CAPTCHAs often ask users to perform apparently meaningless tasks, this can fall under the same umbrella for uninformed users. Although the technique seems crude, it is being used by very capable threat groups, including the sophisticated APT28. According to a report from CERT-UA, APT28 has been using fake CAPTCHA attacks with some success to compromise local governments. One can hope that as these attacks become more widespread, more people will become aware that they happen, making them less effective.
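The two ingredients described above, a script that writes to the clipboard and verification wording that tells the user to paste into a shell, never appear together on a legitimate Google or Cloudflare challenge, which makes them a usable detection signal for web-proxy or URL-sandbox triage. The following is an added example written for this post, not code from Blackwired or CERT-UA; the regexes are assumed heuristics, and all three HTML pages are constructed samples containing a labelled placeholder rather than any real command.

```python
"""Heuristic detector for fake-CAPTCHA "paste this into a command prompt" pages.

Three independent signals are scored. A real verification widget never
combines the first with the second, so their co-occurrence is the verdict.
Every HTML sample below is constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Signal 1: script that writes to the clipboard. A genuine CAPTCHA has no
# reason to place anything on the visitor's clipboard.
CLIPBOARD_WRITE = re.compile(
    r"""navigator\.clipboard\.writeText|execCommand\(\s*['"]copy['"]\s*\)""",
    re.IGNORECASE,
)
# Signal 2: lure wording borrowed from real Google/Cloudflare challenges.
VERIFY_WORDING = re.compile(
    r"verify (?:that )?you are (?:a )?human|i'?m not a robot|checking your browser",
    re.IGNORECASE,
)
# Signal 3: instructions to open a shell or the Run dialog and paste.
PASTE_AND_RUN = re.compile(
    r"\bctrl\s*\+?\s*v\b|\bwin(?:dows)?\s*(?:key\s*)?\+?\s*r\b|command prompt|powershell|run dialog",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    score: int  # number of signals present (0-3)
    signals: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Both the clipboard write and the verification lure must be present.
        # Either alone is common on benign pages (documentation "copy" buttons,
        # real CAPTCHA widgets); together they are the fake-CAPTCHA pattern.
        return "clipboard_write" in self.signals and "verify_wording" in self.signals


def visible_text(html: str) -> str:
    """Crude tag removal so the wording checks see roughly what the user sees."""
    return re.sub(r"<[^>]+>", " ", html)


def assess_page(html: str) -> Verdict:
    """Score one fetched page: clipboard check on raw HTML, wording checks on text."""
    text = visible_text(html)
    checks = [
        ("clipboard_write", CLIPBOARD_WRITE, html),
        ("verify_wording", VERIFY_WORDING, text),
        ("paste_and_run", PASTE_AND_RUN, text),
    ]
    found = [name for name, pattern, haystack in checks if pattern.search(haystack)]
    return Verdict(score=len(found), signals=found)


# --- constructed samples (not real pages) ---
FAKE_CAPTCHA_PAGE = """<html><body>
<h2>Verify you are human by completing the steps below.</h2>
<ol><li>Press Windows + R</li><li>Press Ctrl + V</li><li>Press Enter</li></ol>
<script>
  // constructed placeholder, not a real command
  navigator.clipboard.writeText("[CONSTRUCTED_PLACEHOLDER_COMMAND]");
</script></body></html>"""

REAL_CAPTCHA_PAGE = """<html><body>
<form><label><input type="checkbox"> I'm not a robot</label></form>
</body></html>"""

DOCS_COPY_BUTTON_PAGE = """<html><body>
<p>Copy the install line and paste it into PowerShell.</p>
<button onclick="document.execCommand('copy')">Copy</button>
</body></html>"""

if __name__ == "__main__":
    samples = [("fake", FAKE_CAPTCHA_PAGE), ("real", REAL_CAPTCHA_PAGE), ("docs", DOCS_COPY_BUTTON_PAGE)]
    for name, page in samples:
        v = assess_page(page)
        print(f"{name:5} score={v.score} suspicious={v.suspicious} signals={v.signals}")
```

The documentation sample is the deliberate false-positive case: it scores two signals (a copy button and a mention of PowerShell) but is not flagged, because the discriminator is the verification lure, not the clipboard write alone. The check runs on static HTML only; a page that injects its instructions at runtime would need the rendered DOM from a browser sandbox instead.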
