FakeCaptcha scams—When the “I’m not a robot” button is a trap

Nyrmah J. Reina 17 Dec 2024

Before you prove your humanity to a pop-up, make sure you’re not accidentally downloading malware.

How many times have you clicked the “I’m not a robot” CAPTCHA checkbox without a second thought? We’ve all done it … countless times. It’s such a familiar step that we don’t question it. And cybercriminals have taken note of that.

Enter FakeCaptcha: this malicious tool is designed to mimic real CAPTCHAs while quietly setting you up for infection. It’s a crafty scam that turns our online habits against us. 

Let's unpack this scam and learn what precautions to take.

How do FakeCaptcha scams work? 

It starts innocently enough. You land on a compromised website or malicious page, and a CAPTCHA pops up, asking you to prove you’re not a bot.  

Nothing unusual, right? But here’s what could happen: 

  • The Click: You click “I’m not a robot,” believing it’s a legitimate security measure.
  • The Trap: A malicious script is quietly copied to your clipboard.
  • The Instructions: You’re prompted to paste and run the script under the guise of completing the verification process.
  • The Malware: Once executed, the script acts as a dropper, silently downloading malware onto your system.

The malware of choice usually deployed in these attacks is Lumma Stealer, a sophisticated information thief capable of stealing passwords, financial data, and personal information. 
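The step that makes this scam work is a web page writing a command into your clipboard without you choosing to copy anything. The guard below is an added example, not code from the original post: a content-script style hook that wraps navigator.clipboard.writeText and asks before letting command-like text through. The regexes and decision rule are this example's own assumptions about what lure commands tend to contain.

```javascript
// Added example, not code from the original post: a content-script style
// guard that wraps navigator.clipboard.writeText so a page cannot silently hand
// the user a command to "paste and run". Regexes and the rule are assumptions.

const INTERPRETER = /\b(powershell(\.exe)?|pwsh|cmd(\.exe)?|mshta|wscript|cscript|bash|sh)\b/i;
const EVASION = /(^|\s)-(e(nc|ncodedcommand)?|w(indowstyle)?\s+hidden|ep\s+bypass|nop|noprofile)\b/i;
const EXEC = /\b(iex|invoke-expression)\b/i;
const FETCH = /\b(invoke-webrequest|invoke-restmethod|iwr|irm|downloadstring|curl|wget|bitsadmin)\b/i;
const URL_RE = /https?:\/\/\S+/i;

// Decide whether clipboard text looks like something meant to be executed.
// A CAPTCHA has no legitimate reason to copy any of these signals.
function classifyClipboardText(text) {
  const t = typeof text === "string" ? text.replace(/\s+/g, " ").trim() : "";
  const reasons = [];
  if (INTERPRETER.test(t)) reasons.push("names a shell or script interpreter");
  if (EVASION.test(t)) reasons.push("uses hidden-window, encoded or bypass flags");
  if (EXEC.test(t)) reasons.push("evaluates a string as code");
  if (FETCH.test(t)) reasons.push("fetches remote content");
  if (URL_RE.test(t)) reasons.push("embeds a URL");
  // Evasion flags or string-eval are damning on their own; an interpreter name
  // is flagged only when paired with a fetch or URL, so prose that merely
  // mentions "bash" and a plain "copy link" button stay quiet.
  const suspicious = EVASION.test(t) || EXEC.test(t) ||
    (INTERPRETER.test(t) && (FETCH.test(t) || URL_RE.test(t)));
  return { suspicious, reasons };
}

// Wrap writeText on a window-like object. Returns true if the hook was
// installed, false if the object has no async clipboard API to wrap.
function installClipboardGuard(win) {
  const clip = win.navigator && win.navigator.clipboard;
  if (!clip || typeof clip.writeText !== "function") return false;
  const originalWriteText = clip.writeText.bind(clip);
  clip.writeText = function guardedWriteText(text) {
    const verdict = classifyClipboardText(text);
    if (verdict.suspicious) {
      const allow = win.confirm(
        "This page is copying a command to your clipboard (" +
        verdict.reasons.join("; ") + ").\nA real CAPTCHA never asks you to " +
        "paste and run anything. Allow the copy anyway?");
      if (!allow) return Promise.reject(new Error("clipboard write blocked by guard"));
    }
    return originalWriteText(text);
  };
  return true;
}
// In a browser this installs the hook; under Node (no window) it is a no-op.
if (typeof window !== "undefined") installClipboardGuard(window);
```

Pages that copy via a hidden textarea and document.execCommand("copy") bypass writeText; a "copy" event listener that runs the same classifier over win.getSelection().toString() covers that path.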

Why is FakeCaptcha so dangerous? 

The danger lies in its familiarity. CAPTCHAs are everywhere. We’ve clicked them so many times that we don’t hesitate when we see one. Cybercriminals weaponize this routine behavior to avoid suspicion and guide you to install malware onto your own system. 

The attack feels interactive—after all, you’re the one running the script. And that’s part of the trick: completing the action yourself may help lower your guard even further.  

And this scheme is working. In Q3/2024, our researchers observed a significant rise in FakeCaptcha campaigns. These attacks are part of a growing trend where scammers manipulate people’s actions to deliver malware.  

Behind the scenes, the consequences can be serious: a compromised system and data theft. With that, attackers would get what they need to exploit your personal or financial information. But don't fret! There are precautions you can take to help protect yourself and stay cyber safe.  

How to help protect yourself against FakeCaptcha scams 

The good news? There are simple yet effective ways to help keep you safe from FakeCaptcha: 

  • Question the unusual. If a CAPTCHA appears on a site that doesn’t typically require one or asks you to perform additional steps like running scripts, stop immediately. 
  • Never follow manual instructions. Legitimate CAPTCHAs won’t ask you to copy-paste or run scripts. If they do, it’s a red flag. 
  • Stay informed. Knowing how scams like FakeCaptcha work helps you recognize red flags before falling for them. 

Keep the FakeCaptcha at bay

FakeCaptcha is proof that cybercriminals are willing to exploit even the most routine parts of our online lives. The next time you’re asked to prove you’re “not a robot,” think twice. If something feels off, trust your instincts—because staying cautious could be the difference between a harmless click and a malware nightmare. Stay safe!
