CAPTCHA—short for “Completely Automated Public Turing test to tell Computers and Humans Apart”—is a form of verification online that helps distinguish human users from bots on login, account sign-up, and e-commerce checkout pages. If you can correctly a series of identify distorted letters or all of the photos that include objects like stop signs to prove you are not a robot, you are permitted to interact with the site or app.
But just because CAPTCHA and reCAPTCHA tests are ubiquitous doesn’t mean they’re always innocuous. Internet users are accustomed to engaging with CAPTCHA without much thought, so naturally, cybercriminals have found ways to spoof these tests for spreading malware.
How fake CAPTCHA websites deliver malware
CAPTCHA scams utilize a social engineering tactic known as ClickFix to trick users into downloading and installing malicious programs that gain remote access, log keystrokes, or steal data from your device. When you engage with a fake CAPTCHA, you allow the malicious website to copy a command to your clipboard and deliver a payload in the process.
As Malwarebytes Labs describes, these CAPTCHA attacks are often initiated when users attempt to access popular content—such as movies, music, or news stories—though malicious links may also be distributed via phishing emails or malvertising. A CAPTCHA pop-up appears asking you to confirm you’re not a robot, after which you are forwarded to another CAPTCHA screen with verification steps that include a series of keystrokes. If you follow the instructions, you’ll execute a PowerShell script that downloads and installs the malware.
I’ve covered a few iterations of this scheme: In one, threat actors spoofed Booking.com to install a backdoor Remote Access Tool (RAT), giving them remote control of victims’ machines. In another, repurposed Discord invite links were leveraged to deliver infostealers and keyloggers, compromising user credentials. ClickFix has also popped up in AI-generated TikTok videos containing verbal instructions for activating software features.
While many ClickFix attacks have targeted Windows users, researchers have recently identified a variation that uses fake CAPTCHA to install Atomic macOS Stealer on Apple devices.
How to prevent a CAPTCHA scam
While plenty of CAPTCHA and reCAPTCHA verification prompts are legitimate, anything that includes instructions—pressing a combination of keys or executing a Run command on your device—certainly is not. Trustworthy CAPTCHAs won’t direct you to download software or extensions.
Be wary of CAPTCHA forms from sources and sites you don’t know and trust, and never follow directions in these pop-ups without thinking. Attackers are exploiting “verification fatigue,” which has users clicking through something as routine as CAPTCHA so quickly that they don’t notice red flags.
Malwarebytes Labs also recommends disabling JavaScript in your browser, which prevents malicious websites from accessing your clipboard. While this is useful for enhancing security and privacy online, it will also break some functions on websites you visit, making them essentially unusable. You could do this only when browsing pages you don’t know or trust.
