CyberSecurity news

FlagThis - #captcha

Alex Delamotte@sentinelone.com //
AkiraBot, an AI-powered botnet, has been identified as the source of a widespread spam campaign targeting over 80,000 websites since September 2024. This sophisticated framework leverages OpenAI's API to generate custom outreach messages tailored to the content of each targeted website, effectively promoting dubious SEO services. Unlike typical spam tools, AkiraBot employs advanced CAPTCHA bypass mechanisms and network detection evasion techniques, posing a significant challenge to website security. It achieves this by rotating attacker-controlled domain names and using AI-generated content, making it difficult for traditional spam filters to identify and block the messages.

AkiraBot operates by targeting contact forms and chat widgets embedded on small to medium-sized business websites. The framework is modular and specifically designed to evade CAPTCHA filters and avoid network detections. To bypass CAPTCHAs, AkiraBot mimics legitimate user behavior, and uses services like Capsolver, FastCaptcha, and NextCaptcha. It also relies on proxy services like SmartProxy, typically used by advertisers, to rotate IP addresses and maintain geographic anonymity, preventing rate-limiting and system-wide blocks.

The use of OpenAI's language models, specifically GPT-4o-mini, allows AkiraBot to create unique and personalized spam messages for each targeted site. By scraping site content, the bot generates messages that appear authentic, increasing engagement and evading traditional spam filters. While OpenAI has since revoked the spammers' account, the four months the activity went unnoticed highlight the reactive nature of enforcement and the emerging challenges AI poses to defending websites against spam attacks. This sophisticated approach marks a significant evolution in spam tactics, as the individualized nature of AI-generated content complicates detection and blocking measures.

Recommended read:
References :
  • cyberinsider.com: AI-Powered AkiraBot Operation Bypasses CAPTCHAs on 80,000 Sites
  • hackread.com: New AkiraBot Abuses OpenAI API to Spam Website Contact Forms
  • www.sentinelone.com: AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale
  • The Hacker News: Cybersecurity researchers have disclosed details of an artificial intelligence (AI) powered platform called AkiraBot that's used to spam website chats, comment sections, and contact forms to promote dubious search engine optimization (SEO) services such as Akira and ServicewrapGO.
  • Cyber Security News: AkiraBot’s CAPTCHA‑Cracking, Network‑Dodging Spam Barrage Hits 80,000 Websites
  • securityaffairs.com: AkiraBot: AI-Powered spam bot evades CAPTCHA to target 80,000+ websites
  • gbhackers.com: AkiraBot Floods 80,000 Sites After Outsmarting CAPTCHAs and Slipping Past Network Defenses
  • cyberpress.org: AkiraBot’s CAPTCHA‑Cracking, Network‑Dodging Spam Barrage Hits 80,000 Websites
  • gbhackers.com: AkiraBot Floods 80,000 Sites After Outsmarting CAPTCHAs and Slipping Past Network Defenses
  • www.scworld.com: Sweeping SMB site targeting conducted by novel AkiraBot spamming tool
  • 404 Media: Scammers Used OpenAI to Flood the Web with SEO Spam
  • CyberInsider: AI-Powered AkiraBot Operation Bypasses CAPTCHAs on 80,000 Sites
  • hackread.com: New AkiraBot Abuses OpenAI API to Spam Website Contact Forms, 400,000 Impacted
  • bsky.app: Scammers used OpenAI as part of a bot that flooded the web with SEO spam. Also bypassed CAPTCHA https://www.404media.co/scammers-used-openai-to-flood-the-web-with-seo-spam/
  • Security Risk Advisors: SentinelOne's analysis of AkiraBot's capabilities and techniques.
  • www.sentinelone.com: SentinelOne blog post about AkiraBot spamming chats and forms with AI pitches.
  • arstechnica.com: OpenAI’s GPT helps spammers send blast of 80,000 messages that bypassed filters
  • Ars OpenForum: OpenAI’s GPT helps spammers send blast of 80,000 messages that bypassed filters
  • Digital Information World: New AkiraBot Targets Hundreds of Thousands of Websites with OpenAI-Based Spam
  • TechSpot: Sophisticated bot uses OpenAI to bypass filters, flooding over 80,000 websites with spam
  • futurism.com: OpenAI Is Taking Spammers' Money to Pollute the Internet at Unprecedented Scale
  • PCMag Middle East ai: Scammers Use OpenAI API to Flood 80,000 Websites With Spam
  • www.sentinelone.com: Police arrest SmokeLoader malware customers, AkiraBot abuses AI to bypass CAPTCHAs, and Gamaredon delivers GammaSteel via infected drives.
  • securityonline.info: AkiraBot: AI-Powered Spam Bot Floods Websites with Personalized Messages
  • PCMag UK security: Scammers Use OpenAI API to Flood 80,000 Websites With Spam
  • www.pcmag.com: PCMag article about the use of GPT-4o-mini in the AkiraBot spam campaign.
  • Virus Bulletin: SentinelLABS researchers look into AkiraBot, a framework used to spam website chats and contact forms en masse to promote a low-quality SEO service. The bot uses OpenAI to generate custom outreach messages & employs multiple CAPTCHA bypass mechanisms.
  • Daily CyberSecurity: Spammers are constantly adapting their tactics to exploit new digital communication channels.

@www.infosecurity-magazine.com //
References: gbhackers.com , securityonline.info , ...
Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT (Remote Access Trojan) via malicious PowerShell commands, according to recent findings. These campaigns involve tricking users into running PowerShell commands that ultimately install the Lumma Stealer. Attackers direct potential victims to attacker-controlled sites and prompt them to complete fake authentication challenges. These challenges often involve directing potential victims to malicious websites where they are prompted to complete verification steps, but instead of a CAPTCHA, it instructs them to press Windows + R and run a PowerShell command—under the false pretense of running “Windows Defender.”

These attacks leverage weaponized CAPTCHAs, with users being directed to malicious websites where they are prompted to complete verification steps. Upon completing these steps, users inadvertently copy and run PowerShell scripts that download and install malware, such as the Lumma Stealer. This allows the attackers to steal sensitive data like cryptocurrency wallets. The exploitation involves fake Cloudflare verification prompts, which lead users to execute malicious PowerShell commands to install the LummaStealer Trojan through infected WordPress sites, posing a significant threat.

Recommended read:
References :
  • gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
  • securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
  • www.cisecurity.org: Active Lumma Stealer Campaign Impacting U.S. SLTTs
  • : Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT

Andres Ramos@Arctic Wolf //
A resurgence of a fake CAPTCHA malware campaign has been observed, with threat actors compromising widely used websites across various industries. They are embedding a fake CAPTCHA challenge that redirects victims to a site triggering PowerShell code execution. This campaign exploits social engineering tactics and fake software downloads to deceive users into executing malicious scripts.

This tactic is also utilized with fake captchas which resemble legitimate sites. When users attempt to pass the captcha, they are prompted to execute code that has been copied to their clipboard. The OBSCURE#BAT malware campaign is a major cybersecurity threat to both individuals and organizations, primarily due to its ability to compromise sensitive data through advanced evasion techniques, including API hooking. This allows the malware to hide files and registry entries, making detection difficult.

Recommended read:
References :
  • Arctic Wolf: Widespread Fake CAPTCHA Campaign Delivering Malware
  • hackread.com: New OBSCURE#BAT Malware Targets Users with Fake Captchas
  • Security Risk Advisors: 🚩 Fake CAPTCHA Malware Campaign Resurges With Multi-Stage PowerShell Infostealers
  • SpiderLabs Blog: Resurgence of a Fake Captcha Malware Campaign
  • www.zdnet.com: That weird CAPTCHA could be a malware trap - here's how to protect yourself
  • Seceon Inc: Beware of Fake CAPTCHA Scams: How Cybercriminals Are Hijacking Your Clipboard to Steal Data
  • www.cysecurity.news: Fake CAPTCHA Scams Trick Windows Users into Downloading Malware
  • : Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT
  • Broadcom Software Blogs: In a recent surge of sophisticated cyber threats, attackers are exploiting fake CAPTCHA verifications to hijack users’ clipboards, leading to the installation of information-stealing malware.
  • Security Risk Advisors: ClearFake injects JavaScript to show fake CAPTCHAs on compromised sites, tricking users into running PowerShell for Lumma/Vidar malware.
  • www.cisecurity.org: The CIS CTI team spotted a Lumma Stealer campaign where SLTT victims were redirected to malicious webpages delivering fake CAPTCHA verifications.
  • gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
  • Sucuri Blog: Sucuri Blog: Fake Cloudflare Verification Results in LummaStealer Trojan Infections
  • securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites

@securityonline.info //
A sophisticated phishing campaign is underway, abusing the Webflow content delivery network (CDN) to steal credit card data and commit financial fraud. Attackers are hosting fake PDF documents on Webflow, embedded with CAPTCHA images and a real Cloudflare Turnstile CAPTCHA, to deceive users and evade detection by static scanners. This scheme targets individuals searching for documents on search engines, redirecting them to malicious PDFs.

These PDF files mimic a CAPTCHA challenge, prompting users to click and complete a genuine Cloudflare CAPTCHA, creating a false sense of security. Upon completion, victims are redirected to a page requesting personal and credit card details to "download" the supposed document. After entering their credit card details, users receive an error message, and repeated submissions lead to an HTTP 500 error page, while the attackers already have their information.

Recommended read:
References :
  • Talkback Resources: Hackers Use CAPTCHA Trick on Webflow CDN PDFs to Bypass Security Scanners [social]
  • The Hacker News: The Hacker News article about hackers using CAPTCHA trick on Webflow CDN.
  • securityonline.info: Sophisticated Phishing Campaign Abuses Webflow CDN to Steal Credit Card Data
  • securityonline.info: SecurityOnline.info article about phishing campaign abusing Webflow CDN.