Fake CAPTCHA Scams Rise by 11% Tricking More Users

Today, at its annual Amplify Conference, HP issued the latest HP Threat Insights Report, highlighting the rising use of fake CAPTCHA verification tests that allow threat actors to trick users into infecting themselves. The campaigns demonstrate how attackers are capitalising on people’s increasing familiarity with completing multiple authentication steps online – a trend HP calls ‘click tolerance’.

With analysis of real-world cyberattacks, the HP Threat Insights Report helps organisations keep up with the latest techniques cybercriminals are using to evade detection and breach PCs. Based on data from millions of endpoints running HP Wolf Security¹, notable campaigns identified by HP threat researchers include:

• CAPTCHA Me If You Can: As bots become more effective at bypassing CAPTCHAs, authentication has grown more elaborate – meaning users have become increasingly accustomed to jumping through hoops to prove they are human. HP threat researchers identified multiple campaigns where attackers crafted malicious CAPTCHAs. Users were directed to attacker-controlled sites and prompted to complete a range of fake authentication challenges. Victims were tricked into running a malicious PowerShell command on their PC, which ultimately installed the Lumma Stealer remote access trojan (RAT).

• Attackers Capable of Accessing End-Users’ Webcams and Microphones to Spy on Victims: A second campaign saw attackers spreading an open-source RAT, XenoRAT, with advanced surveillance features such as microphone and webcam capture. Using social engineering techniques to convince users to enable macros in Word and Excel documents, attackers could control devices, exfiltrate data, and log keystrokes – demonstrating that Word and Excel still pose a risk for malware deployment.

• Python Scripts Used for SVG Smuggling: Another notable campaign highlights how attackers are delivering malicious JavaScript code inside Scalable Vector Graphic (SVG) images to evade detection. These images open by default in web browsers and execute the embedded code to deploy seven payloads—including RATs and infostealers—providing redundancy and monetisation opportunities for the attacker. As part of the infection chain, the attackers also used obfuscated Python scripts to install the malware. Python’s popularity – further boosted by growing interest in AI and data science – makes it an increasingly attractive language for attackers to write malware, as its interpreter is widely installed.

Patrick Schläpfer, Principal Threat Researcher at the HP Security Lab, comments:

“A common thread across these campaigns is the use of obfuscation and anti-analysis techniques to slow down investigations. Even simple yet effective defence evasion techniques can delay the detection and response of security operations teams, making it harder to contain an intrusion. By using methods such as direct system calls, attackers make it more difficult for security tools to catch malicious activity, giving them more time to operate undetected – and compromise victims’ endpoints.”

By isolating threats that have evaded detection tools on PCs – while still allowing malware to detonate safely inside secure containers – HP Wolf Security provides specific insight into the latest techniques used by cybercriminals. To date, HP Wolf Security customers have clicked on more than 65 billion email attachments, web pages, and downloaded files with no reported breaches.

The report, which examines data from Q4 2024, details how cybercriminals continue to diversify attack methods to bypass security tools that rely on detection, such as:

• At least 11% of email threats identified by HP Sure Click bypassed one or more email gateway scanners.

• Executables were the most common malware delivery type (43%), followed by archive files (32%).

Dr Ian Pratt, Global Head of Security for Personal Systems at HP Inc., comments:

“Multi-step authentication is now the norm, which is increasing our ‘click tolerance’. The research shows users will take multiple steps along an infection chain, really underscoring the shortcomings of cyber awareness training. Organisations are in an arms race with attackers—one that AI will only accelerate. To combat increasingly unpredictable threats, organisations should focus on shrinking their attack surface by isolating risky actions – such as clicking on things that could harm them. That way, they don’t need to predict the next attack; they’re already protected.”