Alex Delamotte@sentinelone.com
//
AkiraBot, an AI-powered botnet, has been identified as the source of a widespread spam campaign targeting over 80,000 websites since September 2024. This sophisticated framework leverages OpenAI's API to generate custom outreach messages tailored to the content of each targeted website, effectively promoting dubious SEO services. Unlike typical spam tools, AkiraBot employs advanced CAPTCHA bypass mechanisms and network detection evasion techniques, posing a significant challenge to website security. It achieves this by rotating attacker-controlled domain names and using AI-generated content, making it difficult for traditional spam filters to identify and block the messages.
AkiraBot operates by targeting contact forms and chat widgets embedded on small to medium-sized business websites. The framework is modular and specifically designed to evade CAPTCHA filters and avoid network detections. To bypass CAPTCHAs, AkiraBot mimics legitimate user behavior, and uses services like Capsolver, FastCaptcha, and NextCaptcha. It also relies on proxy services like SmartProxy, typically used by advertisers, to rotate IP addresses and maintain geographic anonymity, preventing rate-limiting and system-wide blocks. The use of OpenAI's language models, specifically GPT-4o-mini, allows AkiraBot to create unique and personalized spam messages for each targeted site. By scraping site content, the bot generates messages that appear authentic, increasing engagement and evading traditional spam filters. While OpenAI has since revoked the spammers' account, the four months the activity went unnoticed highlight the reactive nature of enforcement and the emerging challenges AI poses to defending websites against spam attacks. This sophisticated approach marks a significant evolution in spam tactics, as the individualized nature of AI-generated content complicates detection and blocking measures. Recommended read:
References :
@www.infosecurity-magazine.com
//
Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT (Remote Access Trojan) via malicious PowerShell commands, according to recent findings. These campaigns involve tricking users into running PowerShell commands that ultimately install the Lumma Stealer. Attackers direct potential victims to attacker-controlled sites and prompt them to complete fake authentication challenges. These challenges often involve directing potential victims to malicious websites where they are prompted to complete verification steps, but instead of a CAPTCHA, it instructs them to press Windows + R and run a PowerShell command—under the false pretense of running “Windows Defender.”
These attacks leverage weaponized CAPTCHAs, with users being directed to malicious websites where they are prompted to complete verification steps. Upon completing these steps, users inadvertently copy and run PowerShell scripts that download and install malware, such as the Lumma Stealer. This allows the attackers to steal sensitive data like cryptocurrency wallets. The exploitation involves fake Cloudflare verification prompts, which lead users to execute malicious PowerShell commands to install the LummaStealer Trojan through infected WordPress sites, posing a significant threat. Recommended read:
References :
Andres Ramos@Arctic Wolf
//
A resurgence of a fake CAPTCHA malware campaign has been observed, with threat actors compromising widely used websites across various industries. They are embedding a fake CAPTCHA challenge that redirects victims to a site triggering PowerShell code execution. This campaign exploits social engineering tactics and fake software downloads to deceive users into executing malicious scripts.
This tactic is also utilized with fake captchas which resemble legitimate sites. When users attempt to pass the captcha, they are prompted to execute code that has been copied to their clipboard. The OBSCURE#BAT malware campaign is a major cybersecurity threat to both individuals and organizations, primarily due to its ability to compromise sensitive data through advanced evasion techniques, including API hooking. This allows the malware to hide files and registry entries, making detection difficult. Recommended read:
References :
@securityonline.info
//
A sophisticated phishing campaign is underway, abusing the Webflow content delivery network (CDN) to steal credit card data and commit financial fraud. Attackers are hosting fake PDF documents on Webflow, embedded with CAPTCHA images and a real Cloudflare Turnstile CAPTCHA, to deceive users and evade detection by static scanners. This scheme targets individuals searching for documents on search engines, redirecting them to malicious PDFs.
These PDF files mimic a CAPTCHA challenge, prompting users to click and complete a genuine Cloudflare CAPTCHA, creating a false sense of security. Upon completion, victims are redirected to a page requesting personal and credit card details to "download" the supposed document. After entering their credit card details, users receive an error message, and repeated submissions lead to an HTTP 500 error page, while the attackers already have their information. Recommended read:
References :
|