McAfee Labs cybersecurity researchers have identified a widespread malware campaign called ClickFix that uses fake CAPTCHA pages to infect users’ PCs with the Lumma Stealer virus. The attack has a global reach, uses social engineering techniques, and primarily targets gamers looking for pirated hacked games and GitHub users.
Image source: Pixabay
Malware is spread in two main ways. In the first scenario, users searching for pirated or hacked games are redirected to fake CAPTCHA pages. The second scenario uses phishing emails that imitate a message from GitHub with information about supposedly identified security problems in the user’s projects. These emails also contain a link to a page with a fake CAPTCHA.
When users interact with these pages, the malicious script is secretly copied to the clipboard of their PC, and the “verification instructions” persuade them to run the script for execution. In doing so, ClickFix uses several clever ways to avoid detection: multiple layers of encryption, the use of a Windows tool called mshta.exe to run hidden code, and AES-encrypted PowerShell commands used to download and install Lumma Stealer.
Image Source: Game Science/McAfee
McAfee’s analysis shows that malware is typically stored in a user’s temporary folder, a location that is often overlooked in security scans. The company has already implemented protective measures, including blocking URLs of known fake CAPTCHA pages and monitoring non-standard use of mshta.exe.
To reduce risks, experts advise against downloading cracked or pirated software and urge users to be wary of unwanted emails, even those that appear to come from trusted sources. Unknown scripts should not be copied and pasted, and security software should be kept up to date.
The spread of malware demonstrates a change in cybercriminal tactics. They exploit standard user behavior and trust in familiar web elements, such as CAPTCHA validation. Constant vigilance and training are critical to maintaining cybersecurity as threats become more sophisticated.