CAPTCHA The Latest Target for Hackers

Cyber criminals are constantly ahead of the curve on many things that most people take for granted in cyberspace. In recent months, a new type of attack has made people question how to protect their identities and log in to websites safely when a process they rely on, such as CAPTCHA, is itself being abused.

CAPTCHA, or the Completely Automated Public Turing Test, is designed with bots and computers in mind. The idea is simple: there are things bots and AI cannot recognize, such as specific phrases, letters, and words. In the classic CAPTCHAs now being phased out, the words are jumbled up and distorted. Early bots could not make out the correct letters, while humans, able to discern patterns, could, which reveals who is a bot and who isn't. Users often encounter CAPTCHA and reCAPTCHA tests on the Internet. Such tests are one way of managing bot activity, although the approach has its drawbacks. In a twist of irony, this process is also automated by the websites running these programs. (1)

As with anything, these have drawbacks, chief among them user experience. Users of websites with CAPTCHAs say it distracts them from the website's experience and hurts engagement and click-through rates. In addition, it is not set up correctly for visually impaired people who can't operate a keyboard without assistance. Some do offer audio-based tests, but many don't, which compounds the user experience issue. (2)

Like anything, CAPTCHAs can be and have been spoofed, and two recent cases show the vulnerability of such a system. In September 2024, OpenAI, the world's leading AI service, shut down the key used by several malicious actors after discovering they were using it to spoof CAPTCHAs. The bot, called AkiraBot, uses its software to mimic actual customers through the Shopify app. "AkiraBot has targeted more than 400,000 websites and successfully spammed at least 80,000 websites since September 2024," SentinelOne researchers Alex Delamotte and Jim Walter said in a report shared with The Hacker News. "The bot uses OpenAI to generate custom outreach messages based on the website's purpose." Another notable aspect of the service is that it can get around CAPTCHA barriers to spam websites at scale and evade network-based detections by relying on a proxy service that's typically offered to advertisers. The targeted CAPTCHA services are hCaptcha, reCAPTCHA, and Cloudflare Turnstile.

More worryingly, attackers have found a way to use the familiar look of this bot-detection step to steal users' information. The attack chain is deceptively simple. It uses familiar CAPTCHA interfaces to get the user to execute scripts, which makes it highly effective because of its seemingly benign nature. The incidents we investigated typically followed the sequence below:

  1. Malicious Redirect: A web user visits a compromised website and is redirected to another webpage, where they're presented with a familiar and seemingly harmless CAPTCHA challenge.
  2. JavaScript Clipboard Hijack: Simply by visiting the website, a malicious command is silently copied to the user's clipboard via JavaScript, without their knowledge.
  3. Unusual Run Prompt: Instead of clicking how many traffic lights or bridges they see, the user is instructed to open the Run prompt (a Windows feature for quickly executing commands, opening programs, and accessing files) and paste the pre-copied command, unknowingly running the malicious script.
  4. Malware Installation: The command leads to the installation of malware, often resulting in credential theft, as login details for systems, applications, and services are harvested and sent to attackers. (4)
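As an added example, not code from this article or from any of the cited reports, the following Python heuristic flags page source that shows the combination described in steps 1 to 3 above: a script that writes to the clipboard, on-page instructions to open the Windows Run prompt and paste, and CAPTCHA-style wording used as cover. The indicator patterns, their weights, the threshold, and the two sample pages are all constructed for this illustration; the string copied to the clipboard in the sample lure is a placeholder, not a real command.

```python
"""Heuristic scanner for fake-CAPTCHA "paste this into Run" lure pages.

Added example; the regexes, weights, threshold and sample pages below are
assumptions made for illustration, not a published detection scheme.
"""
import re
from dataclasses import dataclass, field

# (indicator name, pattern, weight). Weights are an assumption for this example.
INDICATORS = [
    # Step 2 of the chain: JavaScript that writes to the clipboard on page load.
    ("clipboard_write",
     re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I), 3),
    # Step 3: the page tells the visitor to open the Windows Run prompt.
    ("run_prompt_instruction",
     re.compile(r"win(dows)?\s*(key)?\s*\+\s*r\b|run\s+dialog|run\s+prompt", re.I), 3),
    # Step 3: the page tells the visitor to paste what was copied.
    ("paste_instruction",
     re.compile(r"ctrl\s*\+\s*v\b|\bpaste\b", re.I), 1),
    # Step 1: CAPTCHA-style wording used as cover for the instructions.
    ("captcha_wording",
     re.compile(r"i'?m not a robot|verify (that )?you are human|captcha", re.I), 1),
    # Visible references to a command interpreter are rare on a real challenge page.
    ("interpreter_reference",
     re.compile(r"\b(powershell|mshta|cmd\.exe|cmd)\b", re.I), 2),
]

# A genuine challenge loads a script from the provider named in the article;
# a lure page usually has none. Used only to soften a borderline score.
PROVIDER_SCRIPT = re.compile(
    r"google\.com/recaptcha|hcaptcha\.com/1/api\.js|challenges\.cloudflare\.com/turnstile", re.I)

THRESHOLD = 5  # assumption for this example


@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)
    suspicious: bool = False


def scan_page(html: str) -> Verdict:
    """Score the page source and decide whether it matches the lure pattern."""
    verdict = Verdict()
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            verdict.hits.append(name)
            verdict.score += weight
    # Clipboard write plus a Run-prompt instruction is the core of the chain;
    # treat that pairing as decisive regardless of the rest of the score.
    if {"clipboard_write", "run_prompt_instruction"} <= set(verdict.hits):
        verdict.suspicious = True
    elif verdict.score >= THRESHOLD and not PROVIDER_SCRIPT.search(html):
        verdict.suspicious = True
    return verdict


# Constructed sample: a login page with a real reCAPTCHA widget and no clipboard code.
BENIGN_PAGE = """<html><body>
<form action="/login" method="post">
  <p>Verify you are human</p>
  <div class="g-recaptcha" data-sitekey="SITEKEY_PLACEHOLDER"></div>
  <script src="https://www.google.com/recaptcha/api.js" async defer></script>
</form></body></html>"""

# Constructed sample of the lure: CAPTCHA wording, Run-prompt instructions and a
# clipboard write. The copied string is a placeholder, not a real command.
LURE_PAGE = """<html><body>
<div class="captcha-box">
  <p>I'm not a robot</p>
  <p>Verification steps: press Windows key + R, then press Ctrl + V and hit Enter.</p>
</div>
<script>
  navigator.clipboard.writeText("PLACEHOLDER_COMMAND");
</script>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("lure", LURE_PAGE)):
        v = scan_page(page)
        print(f"{label}: suspicious={v.suspicious} score={v.score} hits={v.hits}")
```

The decisive rule is the pairing of a clipboard write with a Run-prompt instruction, because that combination is what turns a page into the chain above; the weighted score and the provider-script check exist only to catch variants where one of the two indicators is obfuscated. Run it over fetched page source or proxy-captured HTML; a match is a reason to block the page and check endpoints for processes launched from the Run prompt shortly after the visit.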

These attacks succeed because most people think of CAPTCHA as a click-and-move-on step. When they see such a prompt, they follow it without thinking and infect their own computer. The attacker's reasoning is simple: why spend effort breaking into a victim's computer when the victim can be talked into doing it for them?

Most websites use CAPTCHAs to separate their customers from bots masquerading as them. Though not perfect, the system can work if people pay attention. However, like anything cyber-related, it can be turned around and abused if websites aren't careful.
