Cybercriminals are exploiting a familiar web feature to quietly steal sensitive data from unsuspecting users across Canada. A new scam using fake “I’m not a robot” CAPTCHA checkboxes is tricking people into downloading malware that runs silently in the background, collecting personal information like banking credentials, login details, and other private data.
The attack works by mimicking the common CAPTCHA tool used on websites to verify that users are human. Normally, these verification steps might include identifying objects in photos or typing distorted words. But in this scam, the fake CAPTCHA serves a more sinister purpose.
Victims are typically lured to malicious sites via phishing emails, social media ads, or promises of free games, software, or entertainment. Once on the fraudulent page, users see what appears to be a standard CAPTCHA screen with the usual checkbox. After clicking it, they’re led to another prompt asking them to prove they’re not a robot by pressing a series of keys: Windows Key + R, followed by Ctrl + V, then Enter.
What victims don’t realize is that the site has already copied a harmful command to their computer’s clipboard. Following these steps opens the computer’s Run dialogue, pastes the hidden malware command, and executes it—granting the attackers access to the system. The result is often an “infostealer” malware that can extract files, passwords, screenshots, and other private content without detection.
According to Jérôme Segura, Senior Director for Research at cybersecurity firm Malwarebytes, the growing use of real CAPTCHAs has made this kind of deception especially dangerous. “Users need to know how to spot the fakes,” he warned, noting that a genuine CAPTCHA will never ask for system-level commands or access to your device.
Cybersecurity experts are urging Canadians to stay vigilant. Avoid downloading anything from untrusted sources, scrutinize CAPTCHA requests for unusual steps, and never follow commands like opening the Run box or copying and pasting system text unless you’re absolutely sure it’s safe. Installing browser security extensions, keeping systems updated, and running regular malware scans are also key ways to defend against these stealthy attacks.
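One way to check a Windows computer after someone has followed such a prompt, as an added example that is not part of the original article: Windows keeps a history of what was entered in the Run dialogue under the current user's RunMRU registry key, and the PowerShell below lists those entries, most recent first, and flags any that start a script host or download tool. The program list and the length threshold are assumptions chosen for triage, not indicators taken from the article.

```powershell
# Added example (not from the article): review the Run-dialogue history of the
# current user for entries that look like a pasted "verification" command.
$RunMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Assumption: programs worth a second look when they appear in a Run entry.
$SuspectPrograms = '\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|curl|msiexec)(\.exe)?\b'
# Assumption: hand-typed Run entries are short; a long one was probably pasted.
$MaxLength = 150

function Get-RunDialogHistory {
    param([string]$Path = $RunMru)

    # The key does not exist if the Run dialogue has never been used.
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path

    # MRUList is a string such as "cba": one letter per slot, newest first.
    $order = [string]$key.GetValue('MRUList')
    $rank = 0
    foreach ($slot in $order.ToCharArray()) {
        $raw = $key.GetValue([string]$slot)
        if ($null -eq $raw) { continue }

        # Explorer stores each command with a trailing "\1" marker.
        $entry = ([string]$raw) -replace '\\1$', ''
        $rank++
        [pscustomobject]@{
            Rank       = $rank      # 1 = most recently used
            Slot       = $slot
            Length     = $entry.Length
            Suspicious = [bool](($entry -match $SuspectPrograms) -or
                                ($entry.Length -gt $MaxLength))
            Command    = $entry
        }
    }
}

$history = @(Get-RunDialogHistory)
if ($history.Count -eq 0) {
    'No Run-dialogue history for this user.'
} else {
    $history | Format-List
    $key = Get-Item -LiteralPath $RunMru
    'Entries flagged for review: {0} of {1}' -f
        @($history | Where-Object Suspicious).Count, $history.Count
}
```

Run it as the affected user, since the history is stored per user. A flagged entry is a reason to disconnect the machine and change passwords from a different device, not proof of infection on its own.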
With malware threats evolving fast, staying informed may be your best line of defence.

