If any error message or identity challenge puzzle pops up onscreen, beware of instructions to launch a PowerShell window for solutions
While browsing the web, people may unknowingly click on an ad that invisibly covers the entire screen, redirecting them to a fake CAPTCHA page or a fake Chrome browser error message that leads to malicious scripts containing infostealers.
Between September and October 2024, one cybersecurity firm recorded over 140,000 encounters with such malicious ads across Latin America, Africa, the Middle East, and Asia, and more than 20,000 users (gamers, visitors to file-sharing services, web applications, bookmaker portals, adult content pages, anime communities, and other channels) were redirected to fake pages hosting malicious scripts.
Earlier this year, there were reports of attackers distributing the Lumma infostealer using fake CAPTCHAs, primarily targeting gamers who had been lured into clicking on an ad that covered the entire screen. When users clicked the “I’m not a robot” button, an encoded Windows PowerShell command was copied to their PC’s clipboard. Victims were then prompted to paste the clipboard content into the terminal box and press Enter, inadvertently downloading and launching Lumma.
The malware would then scour the device storage for cryptocurrency-related files, cookies, and password manager data, or even repeatedly load the webpages of various e-commerce platforms to inflate their view counts for financial gain.
Subsequent waves of such full-screen malicious ads launched a fake error message masquerading as a Chrome browser error that prompted the user to click on a button offering a “fix” for the error. In reality, the user was being instructed to copy and paste a pre-built, encoded Windows PowerShell instruction that downloads and executes malicious code. Vasily Kolesnikov, Security Expert at Kaspersky, the firm that uncovered the recent tactic, said: “Now users can be lured away by either a fake CAPTCHA prompt or a Chrome webpage error message, falling victim to a stealer with new functionalities. Corporate users and individuals should exercise caution and think critically before following any suspicious prompts that they see online.”