Cyber Snapshot
FAKE RECAPTCHA ATTACKS
Several times a day, websites ask humans to verify that they are not a robot by clicking on a checkbox, and the most common version of this prompt is the Google reCAPTCHA. Because this is such a common occurrence, threat actors are now using fake CAPTCHA prompts in their attack methodology. The malicious page still shows the prompt that users are used to seeing, but it also instructs them to press a series of keystrokes (usually involving WIN+R, CTRL+V, and Enter) to prove that they are human. Those keystrokes paste and run a command the page has placed on the clipboard, usually a remote PowerShell script, which downloads malware from an external website and executes it on the workstation.
Fake CAPTCHA prompts have been found on websites that users may trust and use regularly, such as local news websites. Some threat actors have purchased advertisement space from advertising networks that are used frequently by trusted websites their targets visit. Generally, the advertising network does not review the advertising content it serves, allowing malicious ads to be distributed through the network. When displayed, these malicious ads force the trusted website to redirect to a malicious website, which prompts the user with the fake CAPTCHA.
Compromised users have reported to the MC3 that they believed the trusted website was asking them to prove they were not a robot, so they thought nothing of doing what was requested.

To avoid detection, the fake CAPTCHA is only shown to a limited number of users (usually over a pre-determined period of time, or a certain number of times per day for a given geographic region). This means the website owner is usually not aware of an issue stemming from their website. Even if the website owner wants to investigate a complaint from a visitor, they are generally unable to replicate the issue. The MC3 has reached out to several website owners and found that many are reluctant to remove advertising network content from their website due to the potential loss of revenue.
This document is the property of the Michigan Cyber Command Center (MC3) and is prepared for the limited purpose of information sharing. The information is designated UNCLASSIFIED – TLP: CLEAR. Information found within this document can be shared without restriction. This document must not be reclassified in any way, in whole or in part. Violation of this restriction will be cause for removal from MC3 distribution lists.
1-877-MI-CYBER www.michigan.gov/mc3
Exploring and Assessing Current Topics MICHIGAN CYBER COMMAND CENTER (MC3)
Recommendations:
• The WIN+R (Run), WIN+S (Search), and WIN+X (Power User Task Menu) shortcuts are often only used by power users within your organization. Use registry settings or group policy to disable these shortcut keys on your normal user workstations.
• Malware utilizing PowerShell will generally attempt to mask its functionality using two built-in aliases: iex (Invoke-Expression) and ii (Invoke-Item). Removing these aliases at the user profile level for workstations which do not commonly run PowerShell commands may prevent some malware from functioning properly.
• Setting the PowerShell execution policy to “Restricted” or “AllSigned” through group policy will limit unknown script execution and prevent the user from accidentally running an unsigned script.
• Most malicious domains are registered for less than a month before they are used for a malicious purpose. If your web filtering or anti-malware software permits blocking outbound access to websites based on the age of the domain, this can be an effective method to prevent your users from reaching potentially malicious content.
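The following script is an added example, not part of the MC3 snapshot, showing how the first three recommendations above can be applied to a single workstation and then verified. It assumes an elevated Windows PowerShell session and uses the real registry value (NoWinKeys) behind the "Turn off Windows Key hotkeys" group policy; in a domain the same values would be pushed by GPO instead of by running this on each host.

```powershell
#Requires -RunAsAdministrator
# Added example (not MC3 code): local hardening against fake-CAPTCHA keystroke chains.

# 1. Disable the Windows-key hotkeys (WIN+R, WIN+S, WIN+X) for every user on this host.
#    NoWinKeys under Policies\Explorer is the value the GPO "Turn off Windows Key hotkeys"
#    sets; users must sign out and back in before it takes effect.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name 'NoWinKeys' -Type DWord -Value 1

# 2. Remove the iex / ii aliases for all users by appending the removal to the
#    all-users, all-hosts profile ($PSHOME\profile.ps1 for this PowerShell edition).
$marker      = '# hardening: remove iex/ii aliases'
$profilePath = $PROFILE.AllUsersAllHosts
$aliasBlock  = @"
$marker
foreach (`$a in 'iex', 'ii') {
    if (Test-Path "Alias:`$a") { Remove-Item -Path "Alias:`$a" -Force }
}
"@
$alreadyPresent = (Test-Path $profilePath) -and
                  (Select-String -Path $profilePath -SimpleMatch $marker -Quiet)
if (-not $alreadyPresent) { Add-Content -Path $profilePath -Value $aliasBlock }

# 3. Require signed scripts machine-wide (local stand-in for the GPO setting
#    "Turn on Script Execution" -> "Allow only signed scripts").
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# Report the resulting state so the change can be confirmed or audited later.
function Test-FakeCaptchaHardening {
    [pscustomobject]@{
        WinKeyHotkeysOff = (Get-ItemProperty -Path $explorerPolicy -Name 'NoWinKeys' `
                               -ErrorAction SilentlyContinue).NoWinKeys -eq 1
        AliasRemovalInProfile = (Test-Path $profilePath) -and
                                (Select-String -Path $profilePath -SimpleMatch $marker -Quiet)
        MachineExecutionPolicy = (Get-ExecutionPolicy -Scope LocalMachine)
    }
}
Test-FakeCaptchaHardening
```

Profile-based alias removal only affects sessions that load the profile, and the execution policy is a usability guard rather than a security boundary, so treat both as one layer alongside the domain-age filtering recommended above.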