Threat actors are exploiting users’ familiarity with verification tests to trick them into loading malware onto their systems, new research has warned.
A report from HP Wolf Security highlighted multiple threat campaigns where hackers took advantage of the fact users are forced to jump through a growing number of hoops to prove they are a legitimate user.
The report describes this trend as ‘click tolerance’, where the prevalence of authentication protocols has led to users being accustomed to follow steps given to them.
In the cases observed by HP, the attackers used fake CAPTCHAs to redirect users to attacker-controlled sites which prompted them into completing a number of fake authentication steps.
As users progress through these steps, the website copies malicious code to their clipboard and subsequently prompts the victim to press a number of shortcuts that open a ‘run’ dialog and execute the code directly on their system.
Speaking to ITPro , Ian Pratt, global head of security at HP, said attacks like this are not necessarily new but this campaign stood out as it actually gets the victim to infect themselves, which helps the attackers bypass traditional security products.
“It’s certainly not the first time it’s been done but it’s been done really well and it’s being done at a scale we haven’t seen before,” he noted.
“It’s a really good way of bypassing a lot of security products because effectively the user typed it into the run box. It’s not like they downloaded a script. There was no file that the antivirus could look at and make a decision about. They just hit CTRL + V and it ran.”
What happens after you click
Much like previous social engineering tactics that relied on MFA fatigue to steal user’s one time passcodes (OTPS), this campaign illustrates how additional security protections also breeds new types of complacency attackers can exploit.
Pratt said this campaign relies on the idea that users are used to completing tedious authentication measures and often can’t distinguish between legitimate procedures and malicious ones.
“People are being trained that sometimes a screen is going to appear and then you’re going to have to click through it. Maybe you’ll be logging in, maybe it's just but people do it without thinking now and attackers are exploiting that with these fake CAPTCHAs.”
He argued that this has laid bare an obvious shortcoming in employee security training, noting that it’s important phishing training and other security awareness programs put more emphasis on what users do after they fall for the initial deception in the attack chain.
RELATED WHITEPAPER
“I think that the most important part of phishing training is going forwards… what they should be adding to what they’re doing is that it’s actually what happens after you click that’s most important,” he explained.
“After you clicked on that thing, was it what you expected, was the content correct. Did anything seem off at that point? The most important thing you can do is report it because we’re seeing a lot of effort being put into the lures but not necessarily a lot of effort being put into the thing that you can get taken to, often it will be completely irrelevant content or a command shell flashes up on your screen.
“Anything suspicious like that, that’s the best opportunity of spotting that something’s gone wrong and then to disconnect your laptop from the network and go and call someone. That’s the big one.”
MORE FROM ITPRO
- Malware-free attacks surged in 2024 as attackers drop malicious software for legitimate tools
- Why 'malware as a service' is becoming a serious problem for enterprises
- Hunter-killer malware is on the rise, and security experts are seriously concerned
-
M&S suspends online sales as 'cyber incident' continuesNews Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
-
Manners cost nothing, unless you’re using ChatGPTOpinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
-
Hackers are using Zoom’s remote control feature to infect devices with malwareNews Security experts have issued an alert over a new social engineering campaign using Zoom’s remote control features to take over victim devices.
-
Hackers are duping developers with malware-laden coding challengesNews A North Korean state-sponsored group has been targeting crypto developers through fake coding challenges given as part of the recruitment process.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up stingNews Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
-
This potent malware variant can hijack your Windows PC, steal passwords, and more: Neptune RAT is spreading on GitHub, Telegram, and even YouTube – and experts warn 'anyone could use it to launch attacks'News Neptune RAT can hijack Windows PCs and steal passwords – and it's spreading fast
-
Warning issued over ‘fast flux’ techniques used to obscure malicious signals on compromised networksNews Cybersecurity agencies have issued a stark message that too little is being done to sniff out malware hiding in corporate networks
-
Fake file converter tools are on the rise – here’s what you need to knowNews The FBI has issued an alert over the rise of fake file converter tools available online after observing a spate of scams and ransomware attacks.
-
A ‘significant increase’ in infostealer malware attacks left 3.9 billion credentials exposed to cyber criminals last year – and experts worry this is a ticking time bomb for enterprisesNews The threat of infostealer malware is on the rise, with 4.3 million machines infected last year alone
