Over 2,000 websites globally and nearly 80 small to medium-sized Australian businesses have had their websites compromised by a sophisticated hacking scheme leveraging the familiar CAPTCHA prompt.
The campaign, which has been active since at least June 2024, involves a multi-stage approach.
First, the cybercriminals create fake clones of WP Engine, a service commonly used for managing WordPress websites.
They then use “SEO poisoning” and Google-sponsored advertisements to position links to the fake WP Engine site above the legitimate ones in Google search results, directing users to the cloned website.
After harvesting login credentials from website administrators through the fake WP Engine pages, the cybercriminals take control of those administrators' websites and inject fake CAPTCHA prompts into them.
CAPTCHA is a security measure commonly adopted by websites to protect against automated bots, where visitors are asked to perform certain tasks, such as typing letters and identifying pictures.

Visitors to the infected websites are then required to complete fake CAPTCHA challenges, which ultimately lead to their computers being infected with information-stealing or remote access trojan (RAT) malware.
According to CyberCX, the DarkEngine campaign allowed cybercriminals to scale their activity so they could gain access to all websites under a WP Engine account, rather than targeting websites individually.
The online security firm identified 2,354 websites that had fallen victim to the DarkEngine campaign so far, including 79 from Australia.
The compromised websites mostly belonged to small and medium-sized businesses from various sectors.
CyberCX Public Policy Director Katherine Mansted said the scale and sophistication of the DarkEngine campaign suggested the cyber syndicates were highly motivated and intended to sell the stolen information.
How to Protect Yourself from DarkEngine Campaign
Mansted advised internet users not to follow any CAPTCHA prompt that asks them to copy and paste text while browsing, and to be cautious of any unexpected downloads after completing a CAPTCHA.
For businesses, CyberCX suggested searching their environments for activity related to the DarkEngine campaign.
The online security firm also advised WP Engine administrators to audit their account activity logs for suspicious logins and to check their websites for unexpected plugins.
In addition, CyberCX highlighted the need for businesses to educate their staff about the risks of fake CAPTCHA prompts and of search-engine poisoning techniques that could lead them to malicious websites.
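The three checks recommended above (unexpected plugins, suspicious administrator logins, and fake CAPTCHA content on the site's own pages) can be scripted against exported data. The following is an added example, not code from CyberCX, WP Engine or the article; the activity-log line format, the plugin allowlist and the fake-CAPTCHA indicator strings are all assumptions, and every sample input is constructed.

```python
"""Defender-side audit helpers for a WordPress site suspected of DarkEngine-style
compromise. Added example: the log format, baseline list and indicator patterns
are assumptions, not anything CyberCX or WP Engine publish."""
import re
from datetime import datetime, timezone

# --- 1. plugin inventory vs. an approved baseline ---------------------------
def unexpected_plugins(installed, baseline):
    """Return plugin slugs present on the site but absent from the approved list.
    `installed` would typically come from `wp plugin list --field=name` (WP-CLI);
    `baseline` is the allowlist kept under version control."""
    return sorted(set(installed) - set(baseline))

# --- 2. account activity log audit -------------------------------------------
# Constructed line format: "<ISO timestamp>Z login user=<u> ip=<ip> result=<r>"
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\w+)$"
)

def suspicious_logins(log_lines, known_ips, quiet_hours=(0, 6)):
    """Flag successful logins from IPs outside `known_ips` or inside the quiet
    window (UTC hours, start inclusive, end exclusive). Failed attempts are
    skipped here; they belong in a separate brute-force check."""
    findings = []
    for line in log_lines:
        m = LOGIN_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        reasons = []
        if m["ip"] not in known_ips:
            reasons.append("unknown source IP")
        if quiet_hours[0] <= ts.hour < quiet_hours[1]:
            reasons.append("login during quiet hours")
        if reasons:
            findings.append((m["user"], m["ip"], m["ts"], reasons))
    return findings

# --- 3. fake CAPTCHA indicators in served HTML -------------------------------
# Heuristic (assumption): a genuine CAPTCHA never needs to write to the visitor's
# clipboard, so human-verification wording plus a clipboard write in one page
# is treated as an indicator of an injected copy-and-paste lure.
LURE_TEXT = re.compile(r"verify (that )?you are (a )?human|i'?m not a robot", re.I)
CLIPBOARD_RE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I
)

def fake_captcha_indicators(html):
    """Return which of the two indicators are present in the page source."""
    return {
        "lure_text": bool(LURE_TEXT.search(html)),
        "clipboard_write": bool(CLIPBOARD_RE.search(html)),
    }

def is_fake_captcha(html):
    """True only when both indicators co-occur, to keep false positives low."""
    ind = fake_captcha_indicators(html)
    return ind["lure_text"] and ind["clipboard_write"]

if __name__ == "__main__":
    # Constructed sample data for a dry run.
    installed = ["akismet", "wordfence", "wp-file-manager", "seo-helper-pro"]
    print("unexpected plugins:", unexpected_plugins(installed, ["akismet", "wordfence"]))

    log = [
        "2024-07-01T09:12:45Z login user=admin ip=203.0.113.9 result=success",
        "2024-07-01T03:02:11Z login user=admin ip=198.51.100.77 result=success",
        "2024-07-01T03:05:40Z login user=admin ip=198.51.100.77 result=failure",
    ]
    for finding in suspicious_logins(log, known_ips={"203.0.113.9"}):
        print("suspicious login:", finding)

    page = ('<div class="captcha">Verify you are human</div>'
            '<script>navigator.clipboard.writeText("PLACEHOLDER_COMMAND");</script>')
    print("fake captcha indicators present:", is_fake_captcha(page))
```

Run the script against a real plugin export and activity log by replacing the constructed lists; the quiet-hours window and the allowlist should be tuned to the business, and the clipboard heuristic should be treated as a trigger for manual review of the page, not as proof of compromise on its own.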
The CyberCX report comes amid an increase in the number of data breaches targeting Australian organisations.
Of those breaches, the healthcare sector had the largest number of incidents, at 121, followed by the government sector at 100 and finance at 54.