{"id":201593,"date":"2024-09-20T10:37:34","date_gmt":"2024-09-20T17:37:34","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=201593"},"modified":"2024-09-20T11:14:12","modified_gmt":"2024-09-20T18:14:12","slug":"behind-the-captcha-a-clever-gateway-of-malware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/","title":{"rendered":"Behind the CAPTCHA: A Clever Gateway of Malware"},"content":{"rendered":"

Authored by Yashvi Shah and Aayush Tyagi<\/em><\/p>\n

Executive summary<\/h2>\n

McAfee Labs recently observed an infection chain where fake CAPTCHA pages are being leveraged to distribute malware, specifically Lumma Stealer. We are observing a campaign targeting multiple countries. Below is a map showing the geolocation of devices accessing fake CAPTCHA URLs, highlighting the global distribution of the attack.<\/p>\n

\"\"<\/center><\/p>\n

Figure 1: Prevalence on the field<\/em><\/p>\n

We identified two infection vectors leading users to these fake CAPTCHA pages: one via cracked game download URLs, and the other through phishing emails. GitHub users have been targeted by phishing emails prompting them to address a fictitious “security vulnerability” in a project repository to which they have contributed or subscribed. These emails direct users to visit “github-scanner[.]com” for further information about the alleged security issue.<\/p>\n

The ClickFix infection chain operates by deceiving users into clicking on buttons like “Verify you are a human” or “I am not a robot.” Once clicked, a malicious script is copied to the user’s clipboard. Users are then misled into pasting the script after pressing the Windows key + R, unknowingly executing the malware. This method of trickery facilitates the infection process, making it easy for attackers to deploy malware.<\/p>\n

\"\"<\/center><\/p>\n

Figure 2: Infection chain<\/em><\/p>\n

Attack Vectors and Technical Analysis<\/h2>\n

As illustrated in the diagram, users are redirected to fake CAPTCHA pages through two main attack vectors:<\/p>\n

1.\u00a0\u00a0\u00a0\u00a0 Cracked Gaming Software Download URLs:<\/h3>\n

Users attempting to download pirated or cracked versions of gaming software are redirected to malicious CAPTCHA pages.<\/p>\n

\"\"<\/center><\/p>\n

Figure 3: Search to download the cracked version of the game<\/em><\/p>\n

When users search the Internet for free or cracked versions of popular video games, they may encounter online forums, community posts, or public repositories that redirect them to malicious links.<\/p>\n

\"\"<\/center><\/p>\n

Figure 4: Runkit directing the user to download the game<\/em><\/p>\n

In this instance, a public Runkit notebook hosts the malicious link (highlighted in blue). When the user accesses the URL (highlighted in red), they are redirected to fake CAPTCHA websites.<\/p>\n

\"\"<\/center><\/p>\n

Figure 5: Redirection happening while accessing the link<\/em><\/p>\n

On this page, after the user clicks the \u201cI’m not a robot\u201d button, a malicious PowerShell script is copied to their clipboard, and they are prompted to execute it.<\/p>\n

\"\"<\/center><\/p>\n

Figure 6: Backend script on the click button<\/em><\/p>\n

The website includes JavaScript functionality that copies the script to the clipboard.<\/p>\n

\"\"<\/center><\/p>\n

Figure 7: Decoded script<\/em><\/p>\n

The script is Base64-encoded (highlighted in blue), to reduce the readability to the user. Upon decoding it (highlighted in red), mshta was found to be leveraged. The file hosted at https:\/\/verif.dlvideosfre[.]click\/2ndhsoru contains a Windows binary, having scripts appended as the overlay. Without the overlay appended, the file is a clean Windows binary.<\/p>\n

\"\"<\/center><\/p>\n

Figure 8: Windows binary with appended script<\/em><\/p>\n

The mshta utility searches for the <script> tag within a file and executes the script embedded in it, completely ignoring the binary portion of the file. This allows attackers to embed malicious scripts alongside non-executable content, making it easier for the malware to go undetected while still being executed through mshta.<\/p>\n

\"\"<\/center><\/p>\n

Figure 9: Obfuscated script appended in the downloaded file<\/em><\/p>\n

Upon analysis, the script was found to be an encrypted JavaScript file, utilizing two layers of encryption. This multi-level encryption obscures the script’s true functionality, making detection and analysis more challenging for security tools. Further analysis revealed that the decrypted JavaScript was designed to download Lumma Stealer using AES-encrypted PowerShell command and drop it in the Temp folder. This technique helps the malware avoid detection by placing the payload in a commonly used, less scrutinized directory, facilitating the next stage of the infection.<\/p>\n

\"\"<\/center><\/p>\n

Figure 10: Process tree<\/em><\/p>\n

2.\u00a0\u00a0\u00a0\u00a0 Phishing Emails impersonating the GitHub team<\/h3>\n

In the second vector, users receive phishing emails, often targeting GitHub contributors, urging them to address a fake “security vulnerability.” These emails contain links leading to the same fake CAPTCHA pages.<\/p>\n

\"\"<\/center><\/p>\n

Figure 11: Phishing email impersonating GitHub<\/em><\/p>\n

Once the user clicks on the link, they\u2019re redirected to the fake captcha pages.<\/p>\n

\"\"<\/center><\/p>\n

Figure 12: Fake CAPTCHA page<\/em><\/p>\n

These pages use the same technique: the malicious script is copied to the clipboard when the user clicks the button, and they are then prompted to execute it.<\/p>\n

\"\"<\/center><\/p>\n

Figure 13: Script copied onto clipboard<\/em><\/p>\n

This script retrieves and executes the contents of a text file hosted on an online server.<\/p>\n

\"\"<\/center><\/p>\n

Figure 14: Invoking the remote script<\/em><\/p>\n

The content of the text file contains PowerShell commands that download an executable file or a zip file. These files are saved into the temp folder and then executed. The downloaded files, in these cases, are Lumma Stealer samples.<\/p>\n

Detection and Mitigation Strategies<\/h2>\n

McAfee blocks this infection chain at multiple stages:<\/p>\n

    \n
  1. URL blocking of the fake CAPTCHA pages.<\/li>\n<\/ol>\n

    \"\"<\/center><\/p>\n

    Figure 15: McAfee blocking URLs<\/em><\/p>\n

      \n
    1. Heuristic blocking of malicious use of mshta.<\/li>\n<\/ol>\n

      \"\"<\/center><\/p>\n

      Figure 16: McAfee blocking the malicious behavior<\/em><\/p>\n

      Conclusion and Recommendations<\/h2>\n

      In conclusion, the ClickFix infection chain demonstrates how cybercriminals exploit common user behaviors\u2014such as downloading cracked software and responding to phishing emails\u2014to distribute malware like Lumma Stealer. By leveraging fake CAPTCHA pages, attackers deceive users into executing malicious scripts that bypass detection, ultimately leading to malware installation.<\/p>\n

      The infection chain operates through two main vectors: cracked gaming software download URLs and phishing emails impersonating GitHub. In both cases, users are redirected to malicious CAPTCHA pages where scripts are executed to download and install malware. The use of multi-layered encryption further complicates detection and analysis, making these attacks more sophisticated and harder to prevent.<\/p>\n

      At McAfee Labs, we are committed to helping organizations protect themselves against sophisticated cyber threats, such as the Clickfix social engineering technique. Here are our recommended mitigations and remediations:<\/p>\n

        \n
      1. Conduct regular training sessions to educate users about social engineering tactics and phishing schemes.<\/li>\n
      2. Install and maintain updated antivirus and anti-malware software on all endpoints.<\/li>\n
      3. Implement robust email filtering to block phishing emails and malicious attachments.<\/li>\n
      4. Use network segmentation to limit the spread of malware within the organization.<\/li>\n
      5. Ensure all operating systems, software, and applications are kept up to date with the latest security patches.<\/li>\n
      6. Avoid downloading cracked software or visiting suspicious websites.<\/li>\n
      7. Verify URLs in emails, especially from unknown or unexpected sources.<\/li>\n
      8. Restrict clipboard-based scripts and disable automatic script execution.<\/li>\n
      9. Keep antivirus solutions updated and actively scan.<\/li>\n
      10. Educate users to avoid suspicious CAPTCHA prompts on untrusted sites.<\/li>\n
      11. Regularly patch browsers, operating systems, and applications.<\/li>\n
      12. Monitor the Temp folder for unusual or suspicious files.<\/li>\n<\/ol>\n

        Indicators of Compromise (IoCs)<\/h2>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
        File Type<\/strong><\/td>\nSHA256\/URLs<\/strong><\/td>\n<\/tr>\n
        \u00a0<\/strong><\/p>\n

        \u00a0<\/strong><\/td>\n

        		Fake Captcha Websites<\/strong><\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nOfsetvideofre[.]click\/<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nNewvideozones[.]click\/veri[.]html<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nClickthistogo[.]com\/go\/67fe87ca-a2d4-48ae-9352-c5453156df67?var_3=F60A0050-6F56-11EF-AA98-FFC33B7D3D59<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nDownloadstep[.]com\/go\/08a742f2-0a36-4a00-a979-885700e3028c<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nBetterdirectit[.]com\/<\/td>\n<\/tr>\n
        URL <\/strong><\/p>\n

        URL<\/strong><\/td>\n

        		Betterdirectit[.]com\/go\/67fe87ca-a2d4-48ae-9352-c5453156df67<\/p>\n

        heroic-genie-2b372e[.]netlify[.]app\/please-verify-z[.]html<\/td>\n<\/tr>\n

        URL<\/strong><\/td>\nDownloadstep[.]com\/go\/79553157-f8b8-440b-ae81-0d81d8fa17c4<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nDownloadsbeta[.]com\/go\/08a742f2-0a36-4a00-a979-885700e3028c<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nStreamingsplays[.]com\/go\/6754805d-41c5-46b7-929f-6655b02fce2c<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nStreamingsplays[.]com\/go\/b11f973d-01d4-4a5b-8af3-139daaa5443f<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nStreamingszone[.]com\/go\/b3ddd860-89c0-448c-937d-acf02f7a766f?c=AOsl62afSQUAEX4CAEJPFwASAAAAAABQ<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nStreamingsplays[.]com\/go\/1c406539-b787-4493-a61b-f4ea31ffbd56<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\ngithub-scanner[.]shop\/<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\ngithub-scanner[.]com\/<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nbotcheck.b-cdn[.]net\/captcha-verify-v7.html<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

         <\/p>\n\n\n\n\n\n\n\n\n
        \u00a0<\/strong><\/td>\nRedirecting Websites<\/strong><\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nRungamepc[.]ru\/?load=Black-Myth-Wukong-crack<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\ngame02-com[.]ru\/?load=Cities-Skylines-2-Crack-Setup<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nRungamepc[.]ru\/?load=Dragons-Dogma-2-Crack<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nRungamepc[.]ru\/?load=Dying-Light-2-Crack<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nRungamepc[.]ru\/?load=Monster-Hunter-Rise-Crack<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

         <\/p>\n\n\n\n\n\n\n\n\n\n
        \u00a0<\/strong><\/td>\nWebsites Containing Malicious URLs<\/strong><\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nRunkit[.]com\/wukong\/black-myth-wukong-crack-pc<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nRunkit[.]com\/skylinespc\/cities-skylines-ii-crack-pc-full-setup<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nRunkit[.]com\/masterposte\/dying-light-2-crack-on-pc-denuvo-fix<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nRunkit[.]com\/dz4583276\/monster-hunter-rise-crack-codex-pc\/1.0.0\/clone<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nGroups[.]google[.]com\/g\/hogwarts-legacy-crack-empress<\/td>\n<\/tr>\n
        URL<\/strong><\/td>\nBy[.]tribuna[.]com\/extreme\/blogs\/3143511-black-myth-wukong-full-unlock\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

         <\/p>\n\n\n\n\n\n\n\n\n\n\n
        \u00a0<\/strong><\/td>\nMalware Samples <\/strong><\/td>\n<\/tr>\n
        PS<\/strong><\/td>\nb6a016ef240d94f86e20339c0093a8fa377767094276730acd96d878e0e1d624<\/td>\n<\/tr>\n
        PS<\/strong><\/td>\ncc29f33c1450e19b9632ec768ad4c8c6adbf35adaa3e1de5e19b2213d5cc9a54<\/td>\n<\/tr>\n
        ZIP<\/strong><\/td>\n632816db4e3642c8f0950250180dfffe3d37dca7219492f9557faf0ed78ced7c<\/td>\n<\/tr>\n
        ZIP<\/strong><\/td>\n19d04a09e2b691f4fb3c2111d308dcfa2651328dfddef701d86c726dce4a334a<\/td>\n<\/tr>\n
        EXE<\/strong><\/td>\nd737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207<\/td>\n<\/tr>\n
        EXE<\/strong><\/td>\nbbf7154f14d736f0c8491fb9fb44d2f179cdb02d34ab54c04466fa0702ea7d55<\/td>\n<\/tr>\n
        HTA<\/strong><\/td>\nfa58022d69ca123cbc1bef13467d6853b2d55b12563afdbb81fc64b0d8a1d511<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

         <\/p>\n","protected":false},"excerpt":{"rendered":"

        Authored by Yashvi Shah and Aayush Tyagi Executive summary McAfee Labs recently observed an infection chain where fake CAPTCHA pages…<\/p>\n","protected":false},"author":695,"featured_media":201851,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-201593","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"\nBehind the CAPTCHA: A Clever Gateway of Malware | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored by Yashvi Shah and Aayush Tyagi Executive summary McAfee Labs recently observed an infection chain where fake CAPTCHA pages are being leveraged\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Behind the CAPTCHA: A Clever Gateway of Malware | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored by Yashvi Shah and Aayush Tyagi Executive summary McAfee Labs recently observed an infection chain where fake CAPTCHA pages are being leveraged\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2024-09-20T17:37:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-09-20T18:14:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_032124-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Behind the CAPTCHA: A Clever Gateway of Malware\",\"datePublished\":\"2024-09-20T17:37:34+00:00\",\"dateModified\":\"2024-09-20T18:14:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/\"},\"wordCount\":1415,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_032124-1.png\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/\",\"name\":\"Behind the CAPTCHA: A Clever Gateway of Malware | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_032124-1.png\",\"datePublished\":\"2024-09-20T17:37:34+00:00\",\"dateModified\":\"2024-09-20T18:14:12+00:00\",\"description\":\"Authored by Yashvi Shah and Aayush Tyagi Executive summary McAfee Labs recently observed an infection chain where fake CAPTCHA pages are being leveraged\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_032124-1.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_032124-1.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Behind the CAPTCHA: A Clever Gateway of Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Behind the CAPTCHA: A Clever Gateway of Malware | McAfee Blog","description":"Authored by Yashvi Shah and Aayush Tyagi Executive summary McAfee Labs recently observed an infection chain where fake CAPTCHA pages are being leveraged","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Behind the CAPTCHA: A Clever Gateway of Malware | McAfee Blog","og_description":"Authored by Yashvi Shah and Aayush Tyagi Executive summary McAfee Labs recently observed an infection chain where fake CAPTCHA pages are being leveraged","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2024-09-20T17:37:34+00:00","article_modified_time":"2024-09-20T18:14:12+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_032124-1.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Behind the CAPTCHA: A Clever Gateway of Malware","datePublished":"2024-09-20T17:37:34+00:00","dateModified":"2024-09-20T18:14:12+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/"},"wordCount":1415,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_032124-1.png","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/","name":"Behind the CAPTCHA: A Clever Gateway of Malware | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_032124-1.png","datePublished":"2024-09-20T17:37:34+00:00","dateModified":"2024-09-20T18:14:12+00:00","description":"Authored by Yashvi Shah and Aayush Tyagi Executive summary McAfee Labs recently observed an infection chain where fake CAPTCHA pages are being leveraged","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_032124-1.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_032124-1.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Behind the CAPTCHA: A Clever Gateway of Malware"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/201593","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=201593"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/201593\/revisions"}],"predecessor-version":[{"id":201883,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/201593\/revisions\/201883"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/201851"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=201593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=201593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=201593"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=201593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}