Fake CAPTCHA Scam Targets Windows Users

Fake “I’m not a robot” checks are being used to trick Windows users into installing password-stealing malware, and we’ve recently heard reports of this scam on campus.

You’ve probably seen CAPTCHA prompts online – those little boxes or picture puzzles that help websites verify you’re a human. In this scam, the fake prompt looks routine, but instead of a normal image puzzle, it claims there’s an “error” and gives you “simple steps” to verify.

Here’s the catch: the fake page tells you to press Windows Key + R, then Ctrl + V, then Enter. That opens the Windows Run box, pastes a hidden command from your clipboard, and runs it, potentially downloading an information-stealer (reported as StealC) that can grab things like saved passwords, browser cookies, and login details for your accounts.

What to do: If a CAPTCHA asks you to use keyboard shortcuts, close the tab – don’t do it! If you already did, disconnect from the internet, run a full malware scan, and change your Drake password using a different trusted device. You may also need to change personal passwords, such as email, banking, social media, and others.

If you need help, contact the ITS Support Center by submitting a ticket through the ITS service portal at service.drake.edu/its, calling 515-271-3001, or bringing your device to the lower level of Carnegie Hall.

— Becky Klein, ITS
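
For support staff checking a Windows device where the Windows Key + R steps may have been followed: Windows keeps a per-user history of Run box commands in the RunMRU registry key, so a pasted command usually leaves a trace there. The script below is an added example, not part of the original notice; the pattern list, the length cutoff, and the sample entries are assumptions constructed for illustration.

```powershell
# Added example: review Run box history (RunMRU) for commands that look pasted.
# The heuristics below are assumptions for illustration, not from the notice.
$RunMruKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
$Patterns = @(
    # A script host or downloader followed by arguments (a bare "cmd" is normal).
    '\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin|curl)(\.exe)?\s+\S',
    # Any web address inside a Run command.
    'https?://'
)
$MaxTypedLength = 120   # assumed cutoff: people rarely type longer Run commands

function Test-RunEntry {
    param([string]$Command)
    # Stored history values end with a "\1" marker; strip it before matching.
    $clean = $Command -replace '\\1$', ''
    $hits = @($Patterns | Where-Object { $clean -match $_ })
    [pscustomobject]@{
        Suspicious = ($hits.Count -gt 0) -or ($clean.Length -gt $MaxTypedLength)
        Length     = $clean.Length
        Command    = $clean
    }
}

function Get-RunHistory {
    # Returns the current user's Run box history, or nothing if the key is absent.
    if (-not (Test-Path $RunMruKey)) { return }
    (Get-ItemProperty -Path $RunMruKey).PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' } |   # values are named a, b, c, ...
        ForEach-Object { [string]$_.Value }
}

# Constructed sample entries (not real data) to show how the check behaves.
$sample = @(
    'notepad\1',
    'cmd\1',
    '\\fileserver\share\1',
    'powershell <constructed placeholder for a pasted command>\1'
)
Write-Output 'Constructed sample:'
$sample | ForEach-Object { Test-RunEntry $_ } | Format-Table -AutoSize -Wrap

Write-Output 'Run history for the current user:'
$live = @(Get-RunHistory)
if ($live.Count -eq 0) { Write-Output '(no Run history found)' }
else { $live | ForEach-Object { Test-RunEntry $_ } | Format-Table -AutoSize -Wrap }
```

Run it as the affected user, since the history is stored per account. An empty or clean history does not clear the device, because anything running as that user can delete the key, so the full malware scan and password changes described above still apply.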