ANY.RUN Discovers Tricky Phishing Attack Using Fake CAPTCHA – Latest Hacking News

Phishing campaigns are constantly evolving, using new tactics to trick users. ANY.RUN, a malware analysis service, recently discovered a phishing attack that uses fake CAPTCHA prompts to run malicious scripts on victims’ systems.

In this phishing scheme, users are directed to a compromised website and asked to complete a CAPTCHA to verify their identity or fix display errors that don’t actually exist.

Once users comply, the attackers exploit their trust by instructing them to run a malicious script using the Windows “Run” function (WIN+R). Specifically, users are tricked into running a PowerShell script, leading to system infection and potential compromise.

Stages of the attack

This phishing technique not only takes advantage of common web security practices like CAPTCHA verification but also uses fake error messages to create a sense of urgency, increasing the likelihood of user compliance.

Fake messages displayed to users

ANY.RUN’s TI Lookup tool enables users to search for suspicious domains and investigate similar threats in depth.

Search by the domain name “*.verif*b-cdn.net” in ANY.RUN TI Lookup

For example, searching for domainName:”*.verif*b-cdn.net” or domainName:”*.human*b-cdn.net” in the TI Lookup tool reveals various associated domains, IP addresses, and sandbox sessions linked to phishing activities.

Search by the domain name “*.human*b-cdn.net” in ANY.RUN TI Lookup

These searches provide valuable insights into how these domains are used to carry out attacks, giving a clear view of the infrastructure behind the phishing campaign.

By using ANY.RUN’s TI Lookup and sandbox in tandem, you can gain a comprehensive understanding of phishing campaigns and monitor them in real-time.

Sign up for a 14-day free trial to discover how ANY.RUN can support your threat investigations.