There’s a new scam making the rounds, and while it first appeared late last year, it’s now gaining traction on security forums and websites I follow. Attackers have found a way to exploit CAPTCHAs — the very tool designed to keep websites safe from bots — turning them into a method for tricking users into executing malicious actions.
Before diving into how this scam works, let’s take a moment to understand what a CAPTCHA is, why websites use them and how attackers are now leveraging them against unsuspecting users.
What is a CAPTCHA and what is it used for?
A CAPTCHA is a simple test websites use to make sure you’re a real person and not a computer program (bot). You’ve likely seen it when a site asks you to click on pictures of traffic lights or type in wavy letters and numbers. It helps prevent spam, fraud and hacking by making sure a human is interacting with the site. Computers struggle with these puzzles, but people can solve them easily. Some CAPTCHAs just require clicking a box that says ‘I’m not a robot’. They protect websites from misuse while letting real users access them without trouble.
How this scam works differently
This scam is different from most because it tricks you into running harmful commands on your own computer. Normally, when you click ‘I'm not a robot’, the website checks that you’re human and lets you continue. In this scam, clicking the CAPTCHA secretly loads malicious code in the background. Instead of just confirming that you’re human, it tells you to press Windows + R — a keyboard shortcut that opens a tool called Run, which lets you execute commands on your computer.
Next, the scam instructs you to copy and paste a hidden command using Ctrl + C (copy) and Ctrl + V (paste) into the Run box. If you press ‘OK’, your computer executes the hidden command and installs malicious software without you realising it.
Do not press ‘OK’.
What happens next?
Once the scam successfully runs the command, it can do serious damage to your system. Some common threats include:
• Stealing your saved usernames and passwords from your web browser.
• Installing ransomware, which locks your files and demands money to unlock them.
• Spying on your computer activity, leading to identity theft or financial fraud.
If you ever see a website asking you to press Windows + R, do not follow the instructions — it’s likely a scam!
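For readers who look after Windows PCs, the following is an added PowerShell example (it is not part of the original column) showing two defensive checks tied to the Windows + R trick above: it reviews the Run box history that Windows keeps in the registry for commands that look like pasted payloads, and it can switch the Run box off entirely through the standard NoRun policy. The keyword list and the function names are assumptions made for this example.

```powershell
# Added example, not from the column. Reviews the Run-dialog history that
# Windows stores under the RunMRU registry key and flags entries that look
# like a pasted ClickFix-style command. The keyword list is an assumption
# (common interpreters and download tools), not something the column states.

$RunMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
$Indicators = @('powershell', 'pwsh', 'mshta', 'cmd', 'curl', 'bitsadmin',
                'certutil', 'http', 'iex', '-enc', 'hidden')

function Get-SuspiciousRunEntries {
    # Returns one object per Run-box entry that matches any indicator.
    if (-not (Test-Path $RunMru)) { return @() }
    $key   = Get-Item $RunMru
    $order = [string]$key.GetValue('MRUList')   # e.g. "cba", most recent first
    $results = @()
    foreach ($letter in $order.ToCharArray()) {
        $raw = [string]$key.GetValue([string]$letter)
        if (-not $raw) { continue }
        $cmd  = $raw -replace '\\1$', ''        # Explorer appends "\1" to each stored entry
        $hits = $Indicators | Where-Object { $cmd -match [regex]::Escape($_) }
        if ($hits) {
            $results += [pscustomobject]@{
                Slot    = $letter
                Command = $cmd
                Matched = ($hits -join ',')
            }
        }
    }
    return $results
}

function Disable-RunDialog {
    # Applies the built-in "Remove Run menu from Start Menu" policy for the
    # current user (NoRun = 1). Takes effect after the user signs out and in.
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $policy -Force | Out-Null
    New-ItemProperty -Path $policy -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: list anything suspicious, then decide whether to lock the Run box.
Get-SuspiciousRunEntries | Format-Table -AutoSize
# Disable-RunDialog   # uncomment on machines where users never need Windows + R
```

A match in the list is a prompt to investigate that PC, not proof of infection, since legitimate administrators also launch these tools from the Run box.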
As always, I hope you found this information helpful. Please share it with your friends and family — the more people who are aware of these scams, the fewer victims there will be.
If you have any questions or have encountered this scam yourself, feel free to reach out at askatech@mmg.com.au. Stay safe online!