Beware: Scammers using fake CAPTCHA to steal data
Scammers have found a new way to cheat people out of their money and steal personal data: fake Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) prompts. CAPTCHA is a security feature designed to distinguish between human users and automated bots when visiting websites.
In this scam, fraudsters create a fake CAPTCHA that closely resembles the real one, tricking victims into thinking they are verifying their identity. However, the instructions in the fake CAPTCHA prompt victims to execute harmful actions, such as triggering the Windows ‘Run’ dialog box. When users unknowingly paste and execute a crafted PowerShell command, it installs the Lumma info-stealer malware on their system.
The malware targets sensitive data, including social media accounts, banking credentials, saved passwords and personal files, ultimately leading to financial loss and identity theft.
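For readers who administer Windows machines, the following PowerShell check is an added example and not part of the original report. It reviews the current user's Run dialog history, which Windows Explorer keeps in the `RunMRU` registry key, for entries that look like pasted script commands. The pattern list, the function names and the two sample entries are assumptions made for illustration.

```powershell
# Added example: review Run dialog history for pasted script-interpreter commands.
# Explorer stores Run dialog entries per user under this key (values a, b, c, ...).
$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Assumed heuristics, tune for your environment: interpreters and download or
# encoding hints that an ordinary user rarely types into the Run dialog.
$SuspiciousPatterns = @(
    '\b(powershell|pwsh|mshta|wscript|cscript)(\.exe)?\b',
    '\bcmd(\.exe)?\s+/c\b',
    '-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}',
    '\b(iex|invoke-expression|invoke-webrequest|iwr|curl|bitsadmin)\b',
    'https?://'
)

function Test-RunDialogEntry {
    param([string]$Command)
    # Return the patterns that matched; nothing is returned for a clean entry.
    @($SuspiciousPatterns | Where-Object { $Command -match $_ })
}

function Get-RunDialogHistory {
    param([string]$Path = $RunMruPath)
    if (-not (Test-Path $Path)) { return }
    $key = Get-ItemProperty -Path $Path
    $key.PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' } |   # skips MRUList and PS* metadata
        ForEach-Object {
            # Stored values end with a "\1" marker; strip it before matching.
            [pscustomobject]@{ Slot = $_.Name; Command = ($_.Value -replace '\\1$', '') }
        }
}

$entries = @(Get-RunDialogHistory)
# Constructed sample entries so the check shows output on a clean machine.
$entries += [pscustomobject]@{ Slot = 'sample-benign'; Command = 'notepad' }
$entries += [pscustomobject]@{ Slot = 'sample-flagged'
                               Command = 'powershell -NoProfile -Command "<pasted script>"' }

foreach ($e in $entries) {
    $hits = @(Test-RunDialogEntry -Command $e.Command)
    [pscustomobject]@{
        Slot       = $e.Slot
        Suspicious = ($hits.Count -gt 0)
        Command    = $e.Command
        Matched    = ($hits -join '; ')
    }
}
```

A flagged entry is a lead for further investigation, not proof of infection: the history holds only a limited number of recent entries and can be cleared.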
Deputy Inspector General (DIG) of the State CID Cyber Crime Mohit Chawla has issued a warning, urging people to exercise caution when interacting with CAPTCHA prompts and to avoid clicking on unfamiliar websites or links. He also emphasised the importance of using strong, alphanumeric passwords and regularly updating them to protect accounts, devices and networks from unauthorised access and potential harm.
Chawla further advised the public not to share passwords with anyone and to avoid easily guessable ones. He encouraged individuals to report any cybercrime incidents immediately to the cyber cell by dialing the toll-free helpline number 1930.
Currently, approximately 350 cases of cybercrime are being reported daily across the state, with a majority of the incidents involving digital fraud.