Beware of Fake CAPTCHA that Initiates Malware

Beth Varcho | January 13, 2025

You are probably familiar with CAPTCHA security challenges that enable websites to distinguish between humans and bots by asking visitors to type in characters or select the correct objects in an image. Recently scammers began distributing malware through fake CAPTCHAs by adding so-called “verification steps.” The fake CAPTCHAs can be found on any ordinary website through ads accepted by the site or by other compromised content.

The threat actor tricks website visitors into executing malicious code on their device by following the instructions in the fake CAPTCHA. This code downloads and executes malware that can steal passwords, cookies, and cryptocurrency wallet details from a user’s device.  The so-called “verification steps” can include:

  • Press Win + R (this opens the Run dialog box);
  • Press CTRL + V (this pastes the line from the clipboard into the text field);
  • Press Enter (this executes the code).

The fake CAPTCHAs can be found on any ordinary website through ads accepted by the site or by other compromised content. To protect yourself from malware threats, be cautious of suspicious CAPTCHA pages. If anything on the CAPTCHA page seems out of place or unusual, it is best to avoid interacting with it. Above all, do not follow instructions like those show above.

Protect yourself from fake CAPTCHA pages

Legitimate CAPTCHA pages are usually found on websites that require user verification, such as login or account creation pages. Simply visiting a site with CAPTCHA or clicking the “Verify you are human checkbox” will not install malware. Here’s what to watch out for:

  • Avoid anything suspicious: Be cautious of CAPTCHA pages that appear on unexpected websites or in applications, especially if they have extra verification steps. The run dialog (Windows Key + R) should rarely be used, and a website should never need you to run commands using this method.
  • Verify Websites: Always check the website's URL to ensure it is legitimate.
  • Keep Tech Updated: Keep your software and operating system up to date and patch vulnerabilities that could be exploited by malware.

If you interacted with a fake CAPTCHA online, please email security@osu.edu with details.