
Cybersecurity Roundup: CAPTCHA Scams, AI-Aided Fraud and Vulnerable Home Office Routers

  • Writer: Roy Urrico
  • 8 hours ago
  • 5 min read


Finopotamus aims to highlight white papers, surveys, blogs and reports that provide a glimpse as to what is taking place and/or impacting credit unions and other organizations in the financial services industry.


In this cybersecurity roundup we focus on CAPTCHA scams, artificial intelligence (AI) assisted fraud, and Russian cyber actors exploiting vulnerable home office routers.


Spotting The New CAPTCHA Scams


An alert about a new scam that uses CAPTCHAs — those security tests designed to protect websites from spam and abuse by distinguishing human users from automated bots — comes from the Identity Theft Resource Center (ITRC), an El Cajon, Calif.-based national nonprofit organization that supports victims of identity theft and fraud.


Compromised or malicious web pages look like legitimate CAPTCHA security requests so the prompt appears routine and trustworthy. The goal of this CAPTCHA scam is to infect computers with an information-stealing virus called StealC. “Think of StealC like a digital pickpocket,” warned the ITRC alert. “Usually, a security check just asks you to click a button. However, in this new ‘bait-and-switch’ scam, the webpage tells you there’s an error and gives you a few ‘simple’ steps to fix it. A legitimate website will never ask you to run a command or use a keyboard shortcut to prove that you are human.”


The ITRC summarized that CAPTCHA scam:


  • Identity criminals use realistic, fake CAPTCHA pages to scam Windows users into running malicious commands that download an information stealer.

  • The CAPTCHA scam instructs victims to press the Windows key + R, then Ctrl + V, then ‘enter’ — a sequence that pastes and runs a hidden command from the clipboard. Since the victim “authorized” the command by pressing those keys, StealC might go undetected. “You may not know until you start seeing weird charges on your credit cards or get locked out of your accounts,” said the ITRC.

  • Cybersecurity researchers at LevelBlue revealed that once StealC enters a computer, it quietly searches for saved passwords and cookies from web browsers, login info for email clients (like Outlook), consumer information from web sites such as gaming accounts or crypto wallets, screenshots capturing activity, and computer details.
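The key sequence the alert describes (Windows key + R, Ctrl + V, Enter) means the pasted command does not run inside the browser; it starts as a direct child of the user's shell, explorer.exe, which gives defenders a consistent process-lineage signal. The Python script below is an added example, not ITRC or LevelBlue code: it scores constructed process-creation events (the field names loosely follow Sysmon Event ID 1 but are an assumption) and reports an interpreter launched directly from explorer.exe whose command line also carries hidden-window, encoded-command, download-and-run or lure-text indicators. The sample events, the threshold and the patterns are constructed for illustration, and the "payload" in the sample is a harmless placeholder.

```python
"""Heuristic detection of 'paste-and-run' fake-CAPTCHA execution chains.

Added example (not ITRC or LevelBlue code). Scores constructed
process-creation events: the lure makes the victim paste a clipboard
command into the Run dialog, so the interpreter shows up as a direct
child of explorer.exe instead of the browser.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process (assumed Sysmon-like field)
    image: str          # full path of the created process
    command_line: str
    user: str


# Interpreters that a pasted clipboard one-liner typically lands in
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# Command-line indicators: hidden window, encoded command, download-and-run
# cmdlets, and the lure text itself (the Run box is often made to show a
# fake "verification" string so it looks legitimate to the victim).
SUSPICIOUS_PATTERNS = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download/eval cmdlet", re.compile(
        r"\biex\b|invoke-expression|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b", re.I)),
    ("CAPTCHA lure text", re.compile(
        r"i am not a robot|verification id|human verification|captcha", re.I)),
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the list of indicators that fire for one event."""
    reasons = []
    if basename(ev.parent_image) == "explorer.exe" and basename(ev.image) in INTERPRETERS:
        reasons.append("interpreter spawned directly by explorer.exe (Run dialog / user paste)")
    for label, pattern in SUSPICIOUS_PATTERNS:
        if pattern.search(ev.command_line):
            reasons.append(label)
    return reasons


def detect_clickfix(events, threshold: int = 2):
    """Return (event, reasons) pairs with at least `threshold` indicators.

    A lone interpreter under explorer.exe is normal (a user opening a
    shell), so one indicator by itself is not reported.
    """
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= threshold:
            hits.append((ev, reasons))
    return hits


# Constructed sample events; the command in the first one is a harmless placeholder.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -c "Write-Host placeholder" '
                 "# 'I am not a robot - Verification ID: 7712'",
                 "CORP\\alice"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe", "CORP\\alice"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1",
                 "CORP\\svc-backup"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe", "CORP\\bob"),
]


if __name__ == "__main__":
    for ev, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(f"ALERT user={ev.user} image={basename(ev.image)}: " + "; ".join(reasons))
```

Only the first sample event is reported: it has the explorer.exe lineage, the hidden-window switch and the lure text. The scheduled backup script (parent cmd.exe) and a user simply opening PowerShell from the Start menu each score below the threshold, which is the point of combining lineage with command-line content rather than alerting on either alone.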


The alert advised individuals to:

  • Close the tab: “If a site asks you to open a ‘run box’ or ‘paste code,’ it’s a CAPTCHA scam. Close the window immediately.”

  • Go direct: “If you’re worried a site is blocked, don’t follow the links on the screen. Type the address directly into your browser yourself.”

  • Create a passkey: “If you are prompted to create a passkey to log in to your accounts, do it! They are more secure than a password because they don’t require you to remember anything, and they aren’t subject to a data breach.”

  • Use multi-factor authentication (MFA). “Even if a criminal steals your password, MFA acts like a second deadbolt on your door that they can’t unlock.”


An Agentic ‘Identity Crisis’ in Digital Commerce


“How AI-Driven Commerce Is Reshaping Fraud Risk: What Fraud and Risk Leaders Need to Know,” a new survey from San Francisco-based artificial intelligence (AI) fraud prevention company Darwinium, revealed the structural risks agentic commerce introduces into the global digital economy.


“AI fraud is no longer an emerging threat. It is the defining operational challenge for digital businesses today, and it is accelerating faster than traditional defenses can keep up. Agentic commerce is growing just as quickly,” said the Darwinium research.


The survey, conducted by RedPoint exclusively for Darwinium in February 2026, polled 500 senior professionals – spanning C-suite to hands-on fraud analyst roles – across fintech, e-commerce, gaming and gambling, banking and financial services, and travel and hospitality companies with $30 million or more in annual revenue in the U.S. and UK.


Darwinium Co-Founder and CEO Alisdair Faulkner.

“Our research shows that AI traffic is surging but businesses can't tell the difference between fraudulent and legitimate agentic commerce,” said Darwinium Co-Founder and CEO Alisdair Faulkner. “When they can't identify a bot’s intent, they resort to blunt-force measures that either approve fraudulent transactions or block legitimate transactions – both of which cause millions in lost revenue and damaged relationships. That’s why the focus for 2026 must be on end-to-end visibility into AI traffic and on tracking a user's or bot’s intent across the entire customer journey. If you can't see the full picture, you can't protect your business.”


The survey found 97% of organizations reporting an increase in AI attacks, but only 36% capable of stopping fraud at any point in the customer journey. Just 52% can explicitly track or label AI-assisted fraud. “The result is a $3 million annual blind spot, with businesses losing nearly as much revenue to static fraud controls that block good customers as they are to the fraudsters themselves.”


The research captured other trends:


  • Sixty percent of companies report losing more than 25% of their accounts after suffering a fraud event.

  • Businesses report an average of $4.5 million AI-enabled fraud losses annually.

  • Some $3.1 million in revenue was reportedly impacted by false positives, that is, legitimate customers accidentally blocked by “blunt-force” fraud tools.

  • Nearly all organizations (89%) expect non-human traffic to increase, but the market is split on how to handle legitimate agentic traffic: 48% allow it by default with monitoring, while 31% proactively block it.

  • The top blocker to adoption is authentication and identity binding (46%), followed by the challenge of distinguishing good from bad automation (40%).

  • Deepfakes are no longer edge cases; they have become commonplace and are infiltrating the entire journey. Ninety-three percent of organizations have encountered deepfake-style attempts in the past 12 months (45.4% say multiple times). The top entry points are: payments/checkout (22%), customer support/call centers (16%), and onboarding/identity verification (15%).


Russian Cyber Actors Exploiting Vulnerable Home Office Routers


Cyber actors from the Russian General Staff Main Intelligence Directorate (GRU) are exploiting vulnerable routers worldwide to intercept and steal sensitive military, government, and critical infrastructure information, according to a public service announcement from the FBI’s Internet Crime Complaint Center (IC3).


The Department of Justice and the FBI recently disrupted a GRU network of compromised small-office home-office (SOHO) routers used to facilitate malicious DNS hijacking operations. The network allowed GRU cyber actors to see unencrypted traffic and harvest emails, passwords, and authentication tokens, even from encrypted services like Microsoft Outlook Web Access.


While the primary objective of this specific campaign was espionage targeting high-value defense and government data, the methods used—harvesting credentials and intercepting traffic—inherently put company (for organizations that allow remote work) and personal information such as financial and banking credentials at risk.


Understanding the DNS hijacking operations:


  • Since at least 2024, Russian GRU 85th Main Special Service Center (85th GTsSS) cyber actors — also known as APT28, Fancy Bear, and Forest Blizzard — have collected credentials and exploited vulnerable routers worldwide, including compromising TP-Link routers using CVE-2023-50224. The GRU actors changed the devices' dynamic host configuration protocol (DHCP) / domain name system (DNS) settings to introduce actor-controlled DNS resolvers. Connected devices, including laptops and phones, inherit these modified settings. The actor-controlled infrastructure resolves and captures lookups for all domain names. The GRU provides fraudulent DNS answers for specific domains and services — including Microsoft Outlook Web Access — enabling adversary-in-the-middle (AitM) attacks against encrypted traffic if users click through a certificate error warning. These AitM attacks allow the actors to see the traffic unencrypted.

  • The GRU has harvested passwords, authentication tokens, and sensitive information including emails and web browsing information normally protected by Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption. The GRU has indiscriminately compromised a wide pool of U.S. and global victims and then filtered down impacted users, especially targeting information related to military, government, and critical infrastructure.
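The two bullets above describe a chain with two observable stages on the client side: the router's DHCP hands every connected device a resolver it should not be using, and that resolver then returns a wrong address for a small set of sensitive names such as Outlook Web Access. Both stages can be checked against a baseline without any special tooling. The Python script below is an added example, not FBI/IC3 or NCSC-UK tooling: it parses a constructed device inventory of DHCP-assigned resolvers, flags any resolver outside an allowlist (with a higher severity when the resolver is not even on a private LAN range), and separately checks a DNS answer for a sensitive name against the address range it is expected to fall in. The inventory format, the allowlist, the hostname owa.example.com and the expected ranges (all in documentation address space) are constructed for illustration.

```python
"""Audit DHCP-assigned DNS resolvers and sensitive-name answers against a baseline.

Added example, not FBI/IC3 or NCSC-UK tooling. The inventory format, the
allowlist and the expected address ranges are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed baseline: the router's LAN address and the corporate resolver
ALLOWED_RESOLVERS = {
    ipaddress.ip_address("192.168.1.1"),
    ipaddress.ip_address("10.20.0.53"),
}

# Constructed baseline: where the OWA front end is expected to resolve
EXPECTED_ANSWERS = {
    "owa.example.com": ipaddress.ip_network("198.51.100.0/24"),
}

# RFC 1918 ranges, checked explicitly because ipaddress.is_private also
# treats documentation (TEST-NET) space, used in this sample data, as private
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    device: str
    resolver: str
    severity: str
    detail: str


def is_rfc1918(ip) -> bool:
    """True when the address sits in one of the RFC 1918 private ranges."""
    return any(ip in net for net in RFC1918)


def parse_inventory(text: str):
    """Parse 'device,resolver[,resolver...]' lines (constructed format)."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        device, *resolvers = [field.strip() for field in line.split(",")]
        records.append((device, [ipaddress.ip_address(r) for r in resolvers]))
    return records


def audit_resolvers(records, allowed=ALLOWED_RESOLVERS):
    """Flag every resolver a device inherited that is not in the allowlist."""
    findings = []
    for device, resolvers in records:
        for resolver in resolvers:
            if resolver in allowed:
                continue
            if is_rfc1918(resolver):
                findings.append(Finding(device, str(resolver), "medium",
                                        "unexpected LAN resolver: router DHCP option 6 may have been changed"))
            else:
                findings.append(Finding(device, str(resolver), "high",
                                        "unexpected external resolver: clients may receive actor-controlled answers"))
    return findings


def answer_is_expected(name: str, answer_ip: str, expected=EXPECTED_ANSWERS) -> bool:
    """Compare a DNS answer for a sensitive name with its expected address range.

    Names without a baseline are accepted; only baselined names can mismatch.
    """
    network = expected.get(name)
    if network is None:
        return True
    return ipaddress.ip_address(answer_ip) in network


# Constructed inventory: one line per device with the resolvers it received via DHCP
SAMPLE_INVENTORY = """
# device,dns servers (constructed)
laptop-01,192.168.1.1
phone-02,192.168.1.1,10.20.0.53
laptop-03,203.0.113.77,192.168.1.1
desktop-04,192.168.1.254
"""

if __name__ == "__main__":
    for f in audit_resolvers(parse_inventory(SAMPLE_INVENTORY)):
        print(f"[{f.severity}] {f.device}: resolver {f.resolver} - {f.detail}")
    print("owa answer in range:", answer_is_expected("owa.example.com", "198.51.100.20"))
    print("owa answer in range:", answer_is_expected("owa.example.com", "203.0.113.9"))
```

Run on the sample inventory, laptop-03 is reported as high severity because its first resolver is outside both the allowlist and RFC 1918 space, and desktop-04 as medium because 192.168.1.254 is a LAN address that is nonetheless not the baselined router. The answer check is the complement: even when the resolver list looks clean, an OWA answer outside the expected range is the symptom the bullets describe, and it is the case where the browser's certificate warning is the last line of defense.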


Tips for Protection:


  • The FBI and partners released relevant guidance and technical indicators, including NCSC-UK cybersecurity advisory “APT28 exploit routers to enable DNS hijacking operations” on April 7, 2026, and CISA's Edge Device Security webpage.

  • The FBI encourages SOHO router users to upgrade end-of-support devices, update to the latest firmware versions, change default usernames and passwords, and disable remote management interfaces exposed to the Internet. All users should carefully consider certificate warnings in web browsers and email clients.

  • Organizations that allow remote work should review relevant policies regarding how employees access sensitive data, such as using VPNs and hardened application configurations. Additionally, organizations may consider incentivizing employees to upgrade outdated personal devices involved in remote access.
