Tuesday, December 17, 2024
HomeCyber Security NewsBeware of Malicious Ads on Captcha Pages that Deliver Password Stealers

Beware of Malicious Ads on Captcha Pages that Deliver Password Stealers

Published on

SIEM as a Service

Malicious actors have taken cybercrime to new heights by exploiting captcha verification pages, a typically harmless security feature, to launch large-scale malware distribution campaigns.

This startling revelation uncovers how these fake captchas, interlaced with malicious advertising, are infecting users with password-stealing malware.

Over the past several weeks, cybercriminals have been leveraging fake captcha pages to trick users into executing harmful PowerShell commands.

- Advertisement - SIEM as a Service

These fake captchas appear as pop-ups on certain websites, replicating the look and feel of legitimate human verification processes.

2024 MITRE ATT&CK Evaluation Results Released for SMEs & MSPs -> Download Free Guide

When users follow the instructions to “prove they’re human,” they inadvertently execute a PowerShell command that installs malware on their systems.

A visitor activating an ad-placement process and the ad network selecting the target creative (good or bad)
A visitor activating an ad-placement process and the ad network selecting the target creative (good or bad)

This malicious software is designed to steal passwords, financial information, private files, and social media credentials.

The success of this campaign lies in its simplicity and ability to evade user suspicion. The malware execution is hidden within what seems to be a routine process, leaving most victims unaware they’ve been compromised.

The Role of Malvertising in the Attack

The distribution of these malicious captchas is facilitated by malvertising or malicious advertising. Cybercriminals purchase ad space on legitimate websites through ad networks, inserting scripts that redirect users to fake captcha pages.

Example of a full fake captcha malvertising attack flow including all services in use
Example of a full fake captcha malvertising attack flow including all services in use

These ads are sophisticated, using advanced cloaking techniques to bypass moderation checks. Once the ad is served, it collects information about the user’s device and browser, determining the best way to deliver the malicious payload.

The system relies on a Traffic Distribution System (TDS), which analyzes the user’s profile and redirects them to the fake captcha page.

This seamless redirection process, often undetectable by end users, ensures the malware campaign operates at scale without raising red flags.

Monetag and the Ecosystem of Malicious Ads

A notable player in this campaign is Monetag, an ad network accused of enabling malicious advertising.

A real example of powerful SEO - First Google Search results pointing to a Monetag-enabled site
A real example of powerful SEO – First Google Search results pointing to a Monetag-enabled site

Unfortunately, malicious actors have exploited these tools to serve fake captcha pages. By leveraging ad tracking services like BeMob to disguise their intent, attackers bypass Monetag’s content moderation, making it challenging to detect and remove harmful ads.

Monetag’s TDS domains direct link to Android/Desktop adware as well as Propeller-Ads infra
Monetag’s TDS domains direct link to Android/Desktop adware as well as Propeller-Ads infra

The attackers frequently update their malware scripts and captcha designs to evade detection, ensuring the campaign remains effective.

Reports indicate that these campaigns generate over one million ad impressions per day, affecting thousands of legitimate websites.

This campaign primarily targets users visiting websites offering free or pirated content, such as streaming platforms and download hubs. These sites, known for aggressive advertising practices, become unwitting participants in the attack.

In some cases, compromised websites or cloned templates are used to spread these fake captcha scripts further, increasing the scale of the infection.

Malware dropping
Malware dropping

According to the Labs Guard in Medium, Sophisticated search engine optimization (SEO) tactics ensure these malicious websites rank highly on search engines, attracting a steady stream of unsuspecting visitors.

Once on the site, users are funneled into the fake captcha attack flow through intrusive ad placements.

To safeguard against these threats, users must adopt proactive security practices. Avoid clicking on pop-ups or captcha prompts that seem suspicious or lead to unexpected actions.

Using reputable ad blockers can minimize exposure to malvertising while keeping your operating system and antivirus software updated can help detect and prevent malware execution.

Finally, stay vigilant when browsing high-risk websites, especially those offering free or pirated content.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Texas Tech Systems Breach, Hackers Accessed System Folders & Files

The Texas Tech University Health Sciences Center (TTUHSC) and Texas Tech University Health Sciences...

Hitachi Authentication Bypass Vulnerability Allows Attackers to Hack the System Remotely

Critical Authentication Bypass Vulnerability Identified in Hitachi Infrastructure Analytics Advisor and Ops Center Analyzer.A...

ConnectOnCall Data Breach, 900,000 Customers Data Exposed

 The healthcare communication platform ConnectOnCall, operated by ConnectOnCall.com, LLC, has confirmed a significant data...

Kali Linux 2024.4 Released – What’s New!

Kali Linux has unveiled its final release for 2024, version Kali Linux 2024.4, packed...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Texas Tech Systems Breach, Hackers Accessed System Folders & Files

The Texas Tech University Health Sciences Center (TTUHSC) and Texas Tech University Health Sciences...

Hitachi Authentication Bypass Vulnerability Allows Attackers to Hack the System Remotely

Critical Authentication Bypass Vulnerability Identified in Hitachi Infrastructure Analytics Advisor and Ops Center Analyzer.A...

ConnectOnCall Data Breach, 900,000 Customers Data Exposed

 The healthcare communication platform ConnectOnCall, operated by ConnectOnCall.com, LLC, has confirmed a significant data...