Criminals have added another deceptive technique in an attempt to steal their victims’ crypto assets. This time, they're using fake CAPTCHAs.

The "I’m not a robot" click might be the most dangerous thing you do today, cybersecurity firm DNSFilter said. It shared its findings on how criminals are using fake CAPTCHA pages to deliver the fileless malware Lumma Stealer.

Researchers at the company recorded 23 interactions with the fake CAPTCHA across the DNSFilter network over a three-day period; roughly 17% of the people who encountered it followed the instructions and downloaded the malware.

Potential victims were shown a fake CAPTCHA prompt claiming that a network error had caused their verification to fail. The prompt then walked them through steps to "solve" the problem, and following those prompted commands is what silently launched the Lumma Stealer payload.

[Image: the fake CAPTCHA prompt. Source: DNSFilter]

The fake CAPTCHA was first found on an undisclosed Greek banking site.

"Two other domains were associated with the malicious CAPTCHA: a brand-new Cloudflare Pages site (Human-verify-7u.pages.dev) that loads with an error message after clicking 'I’m not a robot,' and Recaptcha-manual.shop, which loads outside of the browser after following the prompted commands," the researchers said.

Once Lumma Stealer is running, it harvests everything it can reach: browser-stored passwords, saved two-factor authentication tokens, cryptocurrency wallet data, and password-manager vaults.

The campaign was discovered by Matthew Chambers, founder of FixFinder, a security-focused managed service provider. He encountered an ordinary-looking CAPTCHA prompt, and the only thing that followed was a single, subdued alert from RocketCyber, a managed security operations center (SOC) platform.

"On a quiet dashboard, benign can be the scariest word in the world. If the SOC isn’t sure, I assume the worst," Chambers was quoted as saying.

Meanwhile, according to DNSFilter, the endpoint protection product in use, SentinelOne, showed no detections, the mail-security logs were clean, and the analyst whose laptop triggered the event had noticed nothing amiss. What exposed the incident was the DNS log: filtering it for queries classified as "Very New," "Uncategorized," and "Malware" surfaced the requests to the attacker's domains.
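The following is an added example, not DNSFilter's code or its log export format, showing the triage step the paragraph describes: filter a DNS resolver log for the three categories named above and group the hits by client so the analyst knows which host to pull. The log format (one JSON object per line with ts, client, qname and category fields), the client addresses, the timestamps and the benign lookups are all constructed; the two flagged domains are the ones named earlier in the article.

```python
"""Triage of DNS resolver logs by category (constructed example).

Assumed log format, not any vendor's: one JSON object per line with the
fields ts, client, qname and category, where category is the label the
resolver assigned to the queried name.
"""
import json
from collections import defaultdict

# Categories that warranted a closer look in the incident described above.
# "Very New" and "Uncategorized" names have no reputation yet, which is what
# freshly registered lure and payload domains look like at first contact.
SUSPECT_CATEGORIES = {"Very New", "Uncategorized", "Malware"}

# Constructed sample log. Clients, timestamps and benign names are invented;
# the two flagged domains are the ones named in the article. The final line
# is deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
{"ts": "2025-06-10T14:02:11Z", "client": "10.0.4.23", "qname": "www.example-bank.gr", "category": "Finance"}
{"ts": "2025-06-10T14:02:13Z", "client": "10.0.4.23", "qname": "Human-verify-7u.pages.dev.", "category": "Very New"}
{"ts": "2025-06-10T14:02:40Z", "client": "10.0.4.23", "qname": "recaptcha-manual.shop", "category": "Uncategorized"}
{"ts": "2025-06-10T14:02:41Z", "client": "10.0.4.23", "qname": "recaptcha-manual.shop", "category": "Malware"}
{"ts": "2025-06-10T14:03:02Z", "client": "10.0.4.51", "qname": "login.microsoftonline.com", "category": "Business"}
{"ts": "2025-06-10T14:03:09Z", "client": "10.0.4.51", "qname": "cdn.example.net", "category": "Content Delivery"}
this line is not JSON and is skipped
"""

REQUIRED_FIELDS = {"ts", "client", "qname", "category"}


def parse_dns_log(text):
    """Yield one dict per well-formed log line; skip blank or malformed lines.

    Query names are lower-cased and stripped of a trailing dot so the same
    domain logged in different forms groups together.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict) or not REQUIRED_FIELDS <= set(rec):
            continue
        rec["qname"] = rec["qname"].rstrip(".").lower()
        yield rec


def suspect_queries(records, categories=SUSPECT_CATEGORIES):
    """Return only the records whose resolver category is in the watch set."""
    return [r for r in records if r["category"] in categories]


def triage(text, categories=SUSPECT_CATEGORIES):
    """Group flagged queries by client: {client: {qname: [categories seen]}}."""
    by_client = defaultdict(lambda: defaultdict(list))
    for r in suspect_queries(parse_dns_log(text), categories):
        by_client[r["client"]][r["qname"]].append(r["category"])
    return {client: dict(domains) for client, domains in by_client.items()}


def clients_to_escalate(text, min_domains=2, categories=SUSPECT_CATEGORIES):
    """Clients that resolved at least min_domains distinct flagged names.

    A lone uncategorized lookup is everyday noise; one host touching a
    brand-new domain and then a malware-categorized one in quick succession
    is the pattern that stood out in the article's DNS logs.
    """
    return sorted(c for c, d in triage(text, categories).items()
                  if len(d) >= min_domains)


if __name__ == "__main__":
    for client, domains in triage(SAMPLE_LOG).items():
        print(client)
        for qname, cats in domains.items():
            print(f"  {qname}: {', '.join(cats)}")
    print("escalate:", clients_to_escalate(SAMPLE_LOG))
```

The point of grouping by client rather than listing domains is operational: the endpoint and mail tooling had nothing to say, so the DNS log is the only artefact that tells you which laptop to isolate and image. Lower the `min_domains` threshold to 1 when hunting retrospectively; keep it at 2 or more for alerting so a single uncategorized lookup does not page anyone.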