Watch Out for Fake CAPTCHA Tests

CAPTCHA tests have been a cornerstone of internet security for years. They pop up often when websites want to confirm you are not a bot. The tests themselves vary, but there’s only one important rule to follow when it comes to them: make sure the test is actually legitimate.
As reported by Microsoft’s security team, there is now a social engineering attack that impersonates CAPTCHA puzzles to trick users into running malicious scripts. When users come across “ClickFix,” the fake “CAPTCHA” instructs them to press the Windows (Super) key and R, followed by Control and V, and finally Enter. This combination does not prove one is a human rather than a robot. Instead, it opens the Windows Run prompt, pastes a malicious string of code that the attacker has already placed on the target’s clipboard, and executes the command.
Microsoft says ClickFix attacks are becoming more common, affecting “thousands of enterprise and end-user devices globally every day.” For example, attackers targeted hospitality vendors with messages claiming negative reviews on Booking.com. In actuality, the link led to a malicious ClickFix CAPTCHA challenge.
How to protect yourself from fake CAPTCHAs
The first step is to know the difference between real and fake CAPTCHAs. Real CAPTCHAs do come in many varieties, from typing a set of characters to matching puzzle pieces. But ClickFix CAPTCHAs ask you to execute an odd series of keystrokes. Don’t fall for it.
In addition, Microsoft’s security team recommends a number of technical steps, including the following:
- Using PowerShell script block logging and execution policies.
- Enabling the Windows Terminal warnings that you see when pasting multiple lines.
- Turning on app control policies to prevent execution of native binaries via the Run command.
- Deploying a group policy to remove the Run command from the Start menu.
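As an added example (not Microsoft’s or this article’s own code), the PowerShell below applies three of the steps above on a single machine: script block logging, the Windows Terminal paste warnings, and the policy that removes Run from the Start menu (which also disables the Windows+R shortcut). It assumes PowerShell 7 (so the commented settings.json can be parsed) and an elevated prompt; app control policies need a separate AppLocker or WDAC policy and are not covered here.

```powershell
# Added hardening example, not the article's or Microsoft's own code. Assumes
# PowerShell 7 in an elevated session. Registry locations are the standard
# policy keys; a GPO is the preferred way to roll these out to a fleet.

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Script block logging: every script block that runs, including a one-liner
#    pasted into Run, is recorded as event ID 4104 in
#    Microsoft-Windows-PowerShell/Operational, giving responders the pasted command.
$sblPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
Set-PolicyValue -Path $sblPath -Name 'EnableScriptBlockLogging' -Value 1

# 2. Windows Terminal: warn before pasting multi-line or large clipboard content.
#    Note: rewriting settings.json drops the comments the default file contains.
$wtSettings = Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json'
if (Test-Path $wtSettings) {
    $json = Get-Content $wtSettings -Raw | ConvertFrom-Json
    $json | Add-Member -NotePropertyName 'multiLinePasteWarning' -NotePropertyValue $true -Force
    $json | Add-Member -NotePropertyName 'largePasteWarning' -NotePropertyValue $true -Force
    $json | ConvertTo-Json -Depth 32 | Set-Content $wtSettings -Encoding UTF8
}

# 3. Remove Run from the Start menu for the current user. This policy also
#    disables Windows+R, which is the first keystroke ClickFix relies on.
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-PolicyValue -Path $explorerPolicy -Name 'NoRun' -Value 1

# Report the resulting state so the change can be verified (or audited later).
function Test-ClickFixHardening {
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemPropertyValue $sblPath 'EnableScriptBlockLogging' -ErrorAction SilentlyContinue) -eq 1
        RunRemoved         = (Get-ItemPropertyValue $explorerPolicy 'NoRun' -ErrorAction SilentlyContinue) -eq 1
        TerminalWarnings   = (Test-Path $wtSettings) -and
                             ((Get-Content $wtSettings -Raw) -match '"multiLinePasteWarning":\s*true')
    }
}
Test-ClickFixHardening
```

Sign out and back in (or run `gpupdate /force` when the value comes from a GPO) before expecting the Run menu and Windows+R to be disabled.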