Blogs | Cyber Safety

Don't turn your CAPTCHA into a GOTCHA that installs malware on your computer

A CAPTCHA is a simple puzzle (such as "select all images with stairs") on a website that verifies whether you are a human and not a robot. This robot check is intended to prevent website abuse. Increasingly, fake CAPTCHAs are appearing, designed to install malware on your device. Criminals use these fake CAPTCHAs to trick you into performing actions that install malicious software. This can lead to data theft and misuse of your IT account.

A screenshot of a cellphone

AI-generated content may be incorrect.

How do you recognise a fake CAPTCHA?

Criminals create pop-ups that appear to be regular CAPTCHA. However, once you check the box, additional steps follow that have nothing to do with actual verification. An example of a suspicious command is:

"Press Windows key + R to complete verification."
"Copy the code from the previous page with CTRL+C and paste it into the window with CTRL+V."
"Press Enter to complete the robot check."

Such a screen might look something like this:

A screen shot of a computer

AI-generated content may be incorrect.

These commands execute a command in the background that installs malicious malware. You'll then be hacked immediately.

What are the risks?

This type of malware often remains invisible, but it performs various tasks in the background. It can, among other things:

Read your saved passwords and browser data.
Steal session tokens (which can be used to bypass 2FA).
Give access to all your accounts, email, and files.
Compromise confidential research and student data.

The impact of a single infected device can be significant. Consider past attacks at other universities.

What can you do?

Don't click blindly: never execute Windows commands or cut and paste actions if a website asks for them.
A legitimate CAPTCHA will never ask for key combinations like Windows+R, CTRL+C, or CTRL+V.
Don't download files from websites you don't fully trust.

If you encounter these types of issues, please don't hesitate to contact the security team at CERT-UT. This team is also helpful when in doubt. Together, we keep the university safe.

CERT-UT

CERT-UT is the university's Computer Emergency Response Team.

1313

cert@utwente.nl

With thanks to the University Utrecht.