Fake CAPTCHA pages are tricking users into installing malware

It seems we now have something new to worry about when browsing the web. Windows Central reports that hackers have discovered a new security vulnerability in Windows that allows them to install malware on your computer through fake CAPTCHA pages.

Hackers use fake CAPTCHA pages, designed to mimic standard security controls, to trick users into installing malware (“Stealthy StealC Information Stealer”) via keyboard commands.

Similar to another CAPTCHA attack from last year, users are asked to press the button Windows key + R shortcut (which launches the Windows Run prompt), followed by Ctrl+V (which pastes a malicious command into the Run prompt), then Enter (which executes the malicious command). Experienced Windows users should immediately notice something is wrong when a page asks you to open the Windows run prompt and paste something using the shortcut action.

What ends up happening is that the fake CAPTCHA page loads a PowerShell command into your Windows clipboard, which is then executed when you follow the instructions. This PowerShell command downloads malware without you realizing it.

Security experts at Level Blue recently wrote that the new attack could be used to access login credentials for web browsers, Outlook, Steam accounts, and cryptocurrency wallets, among other things.