Fake Captcha verification has become a new type of attack method, with 17% of users falling victim to malware installation.
Cybersecurity company DNSFilter's latest research found that hackers are exploiting counterfeit Captcha verification prompts to spread the fileless Lumma Stealer malware. The attack was first spotted on a Greek banking website, where the prompt instructed Windows users to copy a specific command, paste it into the 'Run' dialog box and press Enter.
DNSFilter reported that its clients interacted with fake Captcha prompts 23 times within three days; 17% of the users who encountered the prompt completed the on-screen steps, which led to malware delivery attempts. The company's global evangelist Mikey Pruitt explained that Lumma Stealer is malware built specifically to hunt for credentials and other sensitive data on infected devices.
Lumma Stealer immediately scans the system for anything that can be monetized: saved browser passwords and cookies, stored 2FA tokens, cryptocurrency wallet data, remote access credentials, and even password manager vaults.
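The delivery step above relies on the victim typing a pasted command into the Windows Run box, which Explorer records under the RunMRU registry key. The following PowerShell audit is an added example (not from the article, DNSFilter or any vendor named here) that lists a user's Run history and flags entries that look like pasted one-liners; the keyword list and the length threshold are my own assumptions, not indicators published on the page.

```powershell
# Added example: audit the current user's Run-dialog history for pasted commands.
# Explorer stores each Run entry as '<command>\1' under RunMRU, with MRUList
# giving the value-name letters in most-recent-first order.
$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Assumed heuristics: interpreters, downloaders and URL fragments are unusual in a
# Run box; normal entries are things like 'notepad' or 'control'.
$SuspiciousTokens = @('powershell', 'pwsh', 'mshta', 'wscript', 'cscript', 'cmd.exe',
                      'cmd /', 'curl', 'bitsadmin', 'certutil', 'http://', 'https://',
                      '-enc', 'iex', 'invoke-')
$MaxNormalLength = 80   # assumed: longer strings are rarely typed by hand

function Get-RunMruEntries {
    param([string]$KeyPath = $RunMruPath)
    if (-not (Test-Path $KeyPath)) { return @() }
    $key = Get-ItemProperty -Path $KeyPath
    $order = if ($key.MRUList) { $key.MRUList.ToCharArray() } else { @() }
    foreach ($letter in $order) {
        $name = [string]$letter
        $raw = $key.$name
        if ($null -eq $raw) { continue }
        [pscustomobject]@{ Slot = $name; Command = ($raw -replace '\\1$', '') }
    }
}

function Test-SuspiciousRunCommand {
    param([string]$Command)
    $lower = $Command.ToLowerInvariant()
    $hits = @($SuspiciousTokens | Where-Object { $lower.Contains($_) })
    [pscustomobject]@{
        Command = $Command
        Matches = $hits
        Flag    = ($hits.Count -gt 0) -or ($Command.Length -gt $MaxNormalLength)
    }
}

# Report: warnings for flagged entries, plain output for the rest.
Get-RunMruEntries | ForEach-Object {
    $result = Test-SuspiciousRunCommand -Command $_.Command
    if ($result.Flag) {
        Write-Warning ("Slot {0}: {1} (matched: {2})" -f $_.Slot, $result.Command, ($result.Matches -join ', '))
    } else {
        Write-Output ("Slot {0}: {1}" -f $_.Slot, $result.Command)
    }
}
```

The script only reads HKCU, so it covers the user running it; fleet-wide checks would need each user's hive loaded, and a flagged entry is a prompt to investigate the endpoint, not proof of infection.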
Lumma Stealer targets cryptocurrency wallets and 2FA systems, with a monthly fee of only $250.
Lumma Stealer is not just malware, but a typical example of malware-as-a-service (MaaS). Security company Check Point reported that such services are a primary cause of the surge in malware attacks in recent years.
ESET malware analyst Jakub Tomanek stated that the operators behind Lumma Stealer are responsible for developing features, improving evasion capabilities, and registering domains to host the malware.
Their primary goal is to keep the service operational and profitable, charging affiliates a monthly fee. In reality, Lumma Stealer is being operated as a sustainable cybercrime business.
Darktrace's Vice President of Security and AI Nathaniel Jones pointed out that this sophisticated information stealer sells for as little as $250 on dark web forums and goes after exactly what cybercriminals prize most: cryptocurrency wallets, browser-stored credentials, and two-factor authentication systems.
Jones described the scale of Lumma Stealer's attacks as 'staggering,' estimating losses of $36.5 million in 2023, with 400,000 Windows devices infected within two months.
The U.S. Department of Justice's domain seizures have failed to stop the malware's rapid resurgence.
Despite the U.S. Department of Justice seizing five domain names used to operate Lumma Stealer malware in May, and Microsoft privately shutting down 2,300 similar domains, reports indicate that Lumma Stealer re-emerged after May. Trend Micro's analysis in July showed, "The number of targeted accounts stabilized back to normal levels between June and July."
Pruitt explained that hackers use the stolen data for various purposes, usually related to financial gain, including identity theft, accessing 'online accounts for financial theft or fraudulent transactions,' and obtaining access to cryptocurrency wallets. He emphasized that Lumma Stealer has a wide-ranging impact and can be found across various websites.
Although we cannot quantify the potential losses from this method, the threat can appear on otherwise non-malicious websites, which makes it extremely dangerous. It is crucial to keep this in mind whenever something looks suspicious.
Multi-layer monetization strategies intensify the threat, with stolen data flowing directly into criminal groups.
Jones pointed out that the real concern is not just the numbers, but the multi-layer monetization strategies.
Lumma not only steals data; it systematically collects browser history, system information, and even AnyDesk configuration files, then exfiltrates everything to a command center controlled by Russia.
Compounding the threat of Lumma Stealer is that the stolen data is typically fed directly to 'traffer teams' that specialize in credential theft and resale.
This sets off a devastating chain reaction: a single infection can lead to bank account hijacking, cryptocurrency theft, and identity fraud, with consequences that persist long after the initial infection.
Jones added that while Darktrace believes Lumma-related attacks have Russian origins or centers, DNSFilter pointed out that hackers using this malware service may come from multiple regions.
Pruitt stated, "Such malicious activities often involve individuals or groups from multiple countries, especially when using international hosting providers and malware distribution platforms."
This content is generated by crypto agents compiling information from various sources, reviewed and edited by Crypto City, and is still in the training phase, potentially containing logical biases or information inaccuracies. The content is for reference only and should not be considered investment advice.
'Fake Captcha attacks run rampant, with the Department of Justice and Microsoft failing; wallets may become hacker prey.' This article was first published on 'Crypto City.'