If you’ve spent oh, let’s say about 20 minutes online in your lifetime, you’ve probably run into one of those “verify you are human” or “I am not a robot” things. Most of the time, it’s a simple enough operation to prove you’re a person and move on with your day. Annoying for people with disabilities if not implemented well, but nowadays not something that’s going to make the difference between being able to use a service and being shut out nearly as often as it used to. I almost, dare I say, take it for granted now.
So of course, it’s time to start thinking about CAPTCHAs again, because the scammers have gotten involved. How it took this long for that to happen I have no idea, but here we are.
Fortunately, it’s pretty easy to not get caught up in this if you know what you’re doing. but if you’re like me, you’ve got a lot of people to warn all of a sudden.
It starts when you land on a website and get a “verify you are human” or other captcha prompt. It’s what comes next that identifies the scam.
A message pops up saying the captcha system failed and you need to run some commands to resolve the problem. First, you may be asked to click a “Fix It” or “How to Fix” button (where the scam’s alternate name “ClickFix” comes from). Unfortunately, this copies malware code onto your clipboard, but it doesn’t install it. It’s what victims unknowingly do next that installs the malware.
Victims who click the “Fix” button then get instructions to key in a series of commands, and it’s this step that installs the malware.
On Windows, victims may be asked to key in commands like this:
•
Win + R (which opens up the Windows Run box)
•
Ctrl + V (which pastes the malware code into the Run box)
•
Enter (which starts running the malware)
On a Mac device, they may be asked to key in:
•
Command + Space (which opens Spotlight)
•
Type “Terminal”
•
Press Enter (opening up Terminal, an interface in which code can be entered into the system)
•
Command + V (which pastes the malware code into the Terminal)
•
Return (which starts running the malware)
A legitimate CAPTCHA system will never ask you to do any of that. It’ll just fail with little to no explanation and make you solve the puzzle again and again until you finally get it right. If you’re on a site with a CAPTCHA that asks you to type a bunch of things into windows, ignore those instructions and get away from there immediately. If it’s a site you recognize, by all means report what happened, because they’ve now got a problem on their hands. But chances are (for now at least), if you’re seeing something like this, you’re not somewhere you really want to be. Be careful out there.