HP Wolf Security research finds multiple campaigns where attackers take advantage of rising ‘click tolerance’ with multi-step infection chains.
At its annual Amplify Conference, HP Inc. issued the latest HP Threat Insights Report, highlighting rising usage of fake CAPTCHA verification tests which allow threat actors to trick users into infecting themselves.
The campaigns show attackers are capitalizing on people’s increasing familiarity with completing multiple authentication steps online, a trend HP calls ‘click tolerance’.
With analysis of real-world cyberattacks, the HP Threat Insights Report helps organisations to keep up with the latest techniques cybercriminals are using to evade detection and breach PCs. Based on data from millions of endpoints running HP Wolf Security, notable campaigns identified by HP threat researchers include:
- CAPTCHA Me If You Can: As bots get better at bypassing CAPTCHAs, authentication has grown more elaborate – meaning users have become more accustomed to jumping through hoops to prove they are human. HP threat researchers identified multiple campaigns where attackers crafted malicious CAPTCHAs. Users were directed to attacker-controlled sites, and prompted to complete a range of fake authentication challenges. Victims were tricked into running a malicious PowerShell command on their PC that ultimately installed the Lumma Stealer remote access trojan (RAT).
- Attackers Capable of Accessing End-Users’ Webcams and Microphones to Spy on Victims: A second campaign saw attackers spreading an open source RAT, XenoRAT, with advanced surveillance features such as microphone and webcam capture. Using social engineering techniques to convince users to enable macros in Word and Excel documents, attackers could control devices, exfiltrate data, and log keystrokes – showing Word and Excel still present a risk for malware deployment.
- Python Scripts Used for SVG Smuggling: Another notable campaign shows how attackers are delivering malicious JavaScript code inside Scalable Vector Graphic (SVG) images to evade detection. These images are opened by default in web browsers and execute the embedded code to deploy seven payloads—including RATs and infostealers—offering redundancy and monetisation opportunities for the attacker. As part of the infection chain, the attackers also used obfuscated Python scripts to install the malware. Python’s popularity – which is being further boosted by rising interest in AI and data science – means it is an increasingly attractive language for attackers to write malware, as its interpreter is widely installed.
Patrick Schläpfer, Principal Threat Researcher in the HP Security Lab, commented: “A common thread across these campaigns is the use of obfuscation and anti-analysis techniques to slow down investigations. Even simple but effective defence evasion techniques can delay the detection and response of security operations teams, making it harder to contain an intrusion. By using methods like direct system calls, attackers make it tougher for security tools to catch malicious activity, giving them more time to operate undetected – and compromise victims endpoints.”
By isolating threats that have evaded detection tools on PCs, but still allowing malware to detonate safely inside secure containers, HP Wolf Security has specific insight into the latest techniques used by cybercriminals. To date, HP Wolf Security customers have clicked on more than 65 billion email attachments, web pages, and downloaded files with no reported breaches.
The report, which examines data from calendar Q4 2024, details how cybercriminals continue to diversify attack methods to bypass security tools that rely on detection, such as:
- At least 11% of email threats identified by?HP Sure Click bypassed one or more email gateway scanners.
- Executables were the most popular malware delivery type (43%), followed by archive files (32%).
Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., commented: “Multi-step authentication is now the norm, which is increasing our ‘click tolerance.’ The research shows users will take multiple steps along an infection chain, really underscoring the shortcomings of cyber awareness training. Organisations are in an arms race with attackers—one that AI will only accelerate. To combat increasingly unpredictable threats, organisations should focus on shrinking their attack surface by isolating risky actions – such as clicking on things that could harm them. That way, they don’t need to predict the next attack; they’re already protected.”
