NOTE: This newsletter is auto-translated by a machine using translation software so we appreciate your patience with any inaccuracies.

Cybersecurity Tip for June 2025


Don't Click That! The Rise of Fake CAPTCHA Attacks

This hijacking technique can be easy to miss: What you should know

That CAPTCHA may not be what it seems

CAPTCHA, which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart,” is a common security tool widely used to make sure that website users are human, not bots, and to help prevent suspicious activity. But hackers know that people see responding to a CAPTCHA as just a necessary requirement and are therefore not naturally inclined to question the steps they’re asked to take. That’s why hackers today are creating fake CAPTCHAs to manipulate users and gain access to their sensitive data.

Spot the scam

These fake CAPTCHAs display instructions that, if followed, run malware without the user realizing it. Below is a photo of a malicious CAPTCHA. When verifying that you are human on a website, know that you should never be asked to copy and paste anything, as this example does. A trusted CAPTCHA will instead ask you to complete a simple task, like identifying objects in images or typing distorted text.

Example of a fake CAPTCHA that asks the user to paste a command into the “Run” menu, a command that will ultimately allow the hacker to gain access to the user’s PC and sensitive data.
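As an added example (not part of this newsletter or of the Proofpoint brief it cites), the PowerShell script below shows how IT staff can check whether a user has already pasted something into the Windows “Run” dialog: Windows records that history under the RunMRU registry key for the current user, and the script flags entries containing strings that commonly appear in pasted commands. The list of suspicious strings is an assumption chosen for illustration and should be tuned to your environment.

```powershell
# Added example, not from the BW newsletter: review the Windows "Run" dialog history
# for commands that look like a pasted fake-CAPTCHA instruction.
# Windows stores each Run-dialog entry as a value under this key, with the command
# text followed by "\1"; the "MRUList" value records the order of use.
$runMruKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Assumed list of strings worth a second look; adjust for your environment.
$suspiciousStrings = @(
    'powershell', 'pwsh', 'mshta', 'cmd /c', 'curl ', 'iwr ', 'irm ',
    'Invoke-Expression', 'iex', 'bitsadmin', 'certutil', '-enc', 'hidden'
)

# Property names that Get-ItemProperty adds and that are not Run history entries.
$ignoredProps = @('MRUList', 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

if (-not (Test-Path $runMruKey)) {
    Write-Output 'No Run-dialog history found for this user.'
    return
}

$entries = Get-ItemProperty -Path $runMruKey
foreach ($name in $entries.PSObject.Properties.Name) {
    if ($name -in $ignoredProps) { continue }

    # Strip the trailing "\1" marker Windows appends to every stored command.
    $command = $entries.$name -replace '\\1$', ''

    # Case-insensitive substring match against the assumed indicator list.
    $hits = $suspiciousStrings | Where-Object { $command -match [regex]::Escape($_) }

    if ($hits) {
        Write-Output ("SUSPICIOUS [{0}]: {1}" -f ($hits -join ', '), $command)
    } else {
        Write-Output ("ok: {0}" -f $command)
    }
}
```

Run it in the affected user's session (the key lives under HKCU, so it must be read as that user). A flagged entry is a reason to treat the machine as potentially compromised and hand it to IT Security, as happened in the case study below.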

A real-world BW case study

In March 2025, a BW team member was targeted with a fake CAPTCHA, followed the instructions to copy and run a malicious command, and the attacker gained access to sensitive information on their computer. Fortunately, our IT Security team was able to isolate the problem and mitigate the damage. 

  • The fake CAPTCHA technique is very effective, increasing the likelihood that users will unknowingly engage with malicious content.
  • Fake CAPTCHAs prey on people’s desire to be helpful and self-sufficient when dealing with websites, security warnings and updates.

Steps you can take

  • Do not follow any instructions, such as pasting and running commands, from untrusted sources, suspicious CAPTCHAs or pop-ups.
  • Any time you notice something unusual on a website, close the browser immediately to prevent further interaction with the possibly malicious site.
  • Be cautious: fake CAPTCHAs may appear out of context, ask for excessive personal information, contain spelling errors, and more.
  • Report the incident to your IT Service Desk.

Source:

Madjar, Tommy, and Selena Larson. “Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape.” Proofpoint, November 18, 2024. https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape

Thank you for doing your part to help keep our network and your information safe!