Research Saturday 9.20.25
Ep 394 | 9.20.25

Browser attacks without downloads.

Transcript

[ Music ]

Dave Bittner: Hello everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly-evolving cyberspace. Thanks for joining us. [ Music ]

 

Nati Tal: This type of attack is trying to fool the visitors of the website into doing something that they're used to doing, like updating their browser, in the early phases, with a technical fake, or, in this case, solving a CAPTCHA. We are all so used to doing that, so we are doing it once again, but in this case we are being fooled into doing something quite malicious, in this case running the attacker's code on our system.

 

Dave Bittner: That's Nati Tal, head of Guardio Labs. The research we're discussing today is "CAPTCHAgeddon: Unmasking the Viral Evolution of the ClickFix Browser-Based Threat." [ Music ] Can you walk us through how the attack actually works?

 

Nati Tal: Yeah, so, as you all know, CAPTCHAs suddenly pop up on your screen and ask you to solve a puzzle or select where you see the traffic lights, or buses, and stuff like that. And this one is actually quite the same. You get this CAPTCHA screen out of the blue. It can be when you enter a new site or just as a popup, which was the case in the early days of this attack. A popup from some kind of advertisement, and you see this CAPTCHA, and you say to yourself, okay, I need to solve it. In this case, when you click on "Verify You Are Human," you are asked to do something a bit different than usual, which is a bunch of keyboard shortcuts you need to press, and then you are proving you are a human, but in this case you are actually lured into running this type of code that was copied to your clipboard in the background without you even knowing, and when you press those keys, you actually open up the Run window in your Windows system. You paste that malicious code into it and press Enter to execute it. So you think that everything is okay, but actually you just executed some malicious code that is now going and downloading, probably, an info stealer that is now being installed on your system, gathering all the information about you, about your browser, your credentials, your bank account, everything, sending it out to the attackers, and that's it. It's all done in a matter of milliseconds, actually. And you move on, and everything is okay. You didn't even know that this was happening in the background.

 

Dave Bittner: Hmm. Help me understand here, when the CAPTCHA initially pops up, am I visiting a legitimate website that has been compromised?

 

Nati Tal: Interesting question, because this - the propagation method of this type of attack has evolved during the past year and a half. It started off mostly in what we call malvertising. You enter those websites, content websites, mostly on the gray side, the gray area of streaming websites or download websites. And you are kind of used to getting those annoying new tabs and popups with different types of advertisements, and this type of propagation was used by the attackers to pop up a new CAPTCHA tab on your system. Instead of some kind of ad creative for a new product, you suddenly see this CAPTCHA. And because you're already visiting a website and you just clicked on something, and you get a CAPTCHA, it looks legit, in a way, because you're used to getting a CAPTCHA in this kind of flow. And this is where it all started, and because getting those types of clicks, or paying for them with malvertising, is the quick way in for the attackers. They pay and they get visitors clicking on those CAPTCHAs that are suddenly popping up on their screens. This is the easy way in, and they kind of used this method to kick it off and to see how effective it is. And because it was so effective, the narrative of a CAPTCHA window, they decided in the next evolution of this attack to get out of those more low-level malvertising websites, because usually the visitors of those websites are not the most, you know, the best types of victims they want. They want people with money.

 

Dave Bittner: [Laughter].

 

Nati Tal: People with, you know, with special social accounts they can steal. They want more money, eventually. So they moved on to a more robust type of propagation that involves using some more advanced techniques. It's a bit more, I would say, expensive for them to use those kinds of propagation, but at the end they get much more valuable customers for their CAPTCHAs. And what we've seen in the past half year is their switch from that malvertising to more malicious ways of compromising websites - legit websites with many visitors, with great search engine rankings. So they usually get to those websites from your search results and many new visitors, and they compromise those websites, mostly WordPress websites, that we know about. WordPress tends to show up in compromised websites, unfortunately. And they use these compromised websites to inject their own scripts into the website, so you visit this website. And a few seconds after you start with their content, a CAPTCHA is popping up on your screen, which is again quite usual to see, and you are used to that, and you also trust the website because you know this website. It's legit, it's well-known, but you don't know it was compromised. So this is where the CAPTCHA is brought to a new level of, first of all, you trust them, a new level of trust.

 

Dave Bittner: Mm hmm.

 

Nati Tal: The better narrative here, because those are real websites, and you can even brand this kind of fake CAPTCHA with the logo of the website and everything, so it looks totally legit. But eventually, to actually read the website, you need to solve this CAPTCHA, which means you need to infect your system with the malware in this case.

 

Dave Bittner: Yeah, it strikes me that the brilliance of this from just a social engineering point of view is that, you know, the CAPTCHAs are kind of a known and trusted nuisance.

 

Nati Tal: Mm hmm.

 

Dave Bittner: You know, we hardly notice them when they pop up, and we sort of reflexively click where we need to click, and try to move on. So it seems to me like it really is effective in lowering our defenses, because we're conditioned to complete them.

 

Nati Tal: Exactly, and this is where most of the attackers these days are focusing their efforts, on stuff, on flows that are common for us, that make it easy to get us distracted with those flows, and CAPTCHA is, unfortunately, a brilliant decision by them, because CAPTCHAs are all around, everywhere, and so easy to replicate, to fake, so this is quite a good narrative to use. And by the way, it's even worse than that, because I believe, again, it's not - it's not exactly where it all started, but it kind of took more direction once the genuine white hat security community actually presented this kind of attack to the public.

 

Dave Bittner: [Laughter].

 

Nati Tal: As a deep simulation, okay? And, [laughter], and unfortunately, I love John Hammond.

 

Dave Bittner: [Laughter].

 

Nati Tal: He's a good friend, but for history, I guess, he will be known as the one that presented this fake CAPTCHA to the world. Although he kind of just enhanced it, because he had already seen this kind of attack in the wild, but since then, most of the attacks were, like, followers of his GitHub webhook, and following that, you know, it became CAPTCHAgeddon. [ Music ]

 

Dave Bittner: We'll be right back. [ Music ] Yeah, I have no doubt that John's intentions were in good faith.

 

Nati Tal: Yeah.

 

Dave Bittner: But at the same time, he does take a lot of heat for having set that free on the world.

 

Nati Tal: [Laughter].

 

Dave Bittner: I'm curious how widespread is this campaign? Are there particular regions or industries that seem to be targeted?

 

Nati Tal: It's quite - it varies, because it started off, as I said, mostly in malvertising. In this case it's like spray and pray. You take it all around the world, because, you know, the conversion rate, in this case, is not high. So you just spray it all over, and you get whatever you get. But in the last few months, instead of seeing it, you know, with more hits and more scale, you see it at a bit lower scale, but more focused and of higher quality. Instead of just spray and pray with advertisements or malvertising, in this case, this concept is being used in more targeted - I guess also targeted victims, but more targeted ecosystems.

 

Dave Bittner: Hmm.

 

Nati Tal: Just for an example, you see all those WordPress sites being compromised, so that's one way to do it. Other ways are, I would say, poisoning social media with links that eventually take you to this CAPTCHA. We even saw some sponsored posts on Facebook about some recipes for cookies, or something like that, but the link there goes to a CAPTCHA. So if you want the recipe, you need to solve the CAPTCHA. And this allows, by the way, the attackers to also use the advanced ad network of Facebook to target specific people. In this case, I don't know, cookie lovers.

 

Dave Bittner: [Laughter].

 

Nati Tal: But you can use it, of course, for any other kind of audience, and a higher-value audience in this case.

 

Dave Bittner: Right.

 

Nati Tal: And we also see this, for example, one of the most-targeted audiences, I guess, in the past year is users of booking.com. And by users, I mean hotel owners or, you know, apartment owners that use this service to list their hotels. And those are being targeted with targeted phishing attempts to get their credentials to booking.com, and later on use those to target their visitors. So we saw tons and tons of attempts to get those booking.com clients by presenting them some kind of phishing email, but instead of the classic, you know, click here to solve the issue, and you get the phishing login page of booking.com, instead you're going to a site that looks, again, like booking.com, but you get this CAPTCHA instead. So it's even more legit than just trying to log in with your credentials on a fake page. You don't need the credentials. We will just steal everything with the credentials inside. So they're using this more cleverly in the past few months, less scalable but much more powerful in this case.

 

Dave Bittner: What about evasion and persistence here? I mean, what sorts of tricks are these attackers using to bypass detection?

 

Nati Tal: Well, it started quite simply at the beginning. It was a plain HTML page which hard-coded the PowerShell code that it copies to your clipboard in plain sight, and everything is, like, so easy to detect. But quite quickly, when it got more traction, they started to use those known tricks of obfuscating the code a bit, or changing the PowerShell with caps and lowercase letters and everything like that. Really simple, but it worked at the beginning. Today they are much more persistent with what they are doing, because they are actually generating those kinds of scams on the fly, and there are tons of ways to create a malicious PowerShell code, for example. So they are just generating a new one for every hit to the same CAPTCHA page. They are also trying to mitigate detection by security companies by redirecting through different kinds of pages along the way, and not presenting the code you are looking for, the PowerShell code, specifically in this page. And again, all those tricks are eventually easy to understand for security researchers, and to add to their YARA rules or their detection mechanisms. But because it's so powerful, they don't give up and always try to be more creative, so it's a race.

 

Dave Bittner: Hmm.

 

Nati Tal: Like almost every other type of attack, it's a race. It will continue forever, as long as they are able to get value from this kind of attack. And as we can see, it's been here for almost two years now, I think, from the very first time we saw it. And it's here to stay, so we really need to be more careful.

 

Dave Bittner: What are your recommendations then? I mean, for both users and organizations, what are the best ways for them to protect themselves?

 

Nati Tal: Well, first of all, being familiar with this kind of attack is the most important part of it. Because again, for us, as more techie users that are used to CAPTCHAs and know exactly what they are doing, how they are doing that, it would be very, I don't know, strange for us to solve a CAPTCHA by running code on our system. So we won't do that, but people that are not so aware of this type of CAPTCHA, they just think, oh, it's a new type of puzzle we need to solve, so let's try it. But if they were aware that this type of attack is here, because again, the flow is the same. You need to open a command line in some way and paste code into it, so it will be there on all types of fake CAPTCHAs. If you are familiar with it, that's by far the most important part of mitigating it. But there are more, I don't know, more enterprise ways to deal with it, of course.

 

Dave Bittner: Hmm.

 

Nati Tal: One of the suggestions we made a few months ago was for organizations, mostly, to just disable PowerShell on their users' computers, because most users today don't use PowerShell, and of course those that are not coding on their computer. So just disable it. It's possible with one registry key, just to change it. Organizations can do that with policy, and at least for that, you are safe. For home users, by the way, it's also a possibility, because again, most home users don't use PowerShell. So it's one way to do it, but it's a bit patchy, of course. And again, the most important part of everything here is to get the right security level for you. It's not enough to use the default security layers we have with our browser or our system. We really need something more powerful in between that will know how to catch those types of attacks before they hit us. [ Music ]

 

Dave Bittner: Our thanks to Nati Tal from Guardio Labs for joining us. We've been discussing their work on "CAPTCHAgeddon: Unmasking the Viral Evolution of the ClickFix Browser-Based Threat." We'll have a link to their research in the show notes. And that's "Research Saturday," brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly-changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes, or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]