Recently, we ran several cybersecurity awareness initiatives and phishing simulations. Throughout these projects, we interacted with stakeholders across a wide range of technical backgrounds. A recurring question we encountered was: "What actually happens after someone clicks a malicious link?"—often followed by variations like "What if I click but don’t enter any information?" or "What if I enter fake data?"

To proactively address these questions, we decided to launch this series. Its goal is twofold: to help non-technical readers better understand the risks associated with phishing and what happens after the click, and to offer technical readers a closer look at the methods and processes behind these techniques.

Additionally, this series may serve as a useful resource for both blue teamers and red teamers. Blue teamers can extract potential Indicators of Compromise (IOCs) to enhance detection and response strategies, while red teamers may gain insights into how to replicate certain phishing techniques in a controlled, ethical testing environment.

What is phishing?

Phishing is a deceptive technique used by threat actors to trick victims into giving away sensitive information or performing an action such as logging into a fake page or downloading malware. A phishing email may impersonate the victim’s bank and provide a link which points to a website which is similar (if not identical) to the bank’s website. Typically, such emails exploit cognitive biases such as the action bias, authority bias, salience bias, or social proof. Influenced by these psychological factors, victims are likely to provide sensitive information or do actions which may be harmful. Traditional phishing is done over email, however, several terms were created to define different types of phishing such as:

●       Smishing - Phishing via text messages (SMS)

●       Vishing - Phishing via phone calls (voice)

●       Spear phishing - Phishing targeted towards certain individuals or organizations

●       Whaling - Phishing targeted towards high-level executives or decision makers

●       QRishing - Phishing via QR codes

For the purposes of this series, we will only use the original term - phishing.

Overestimated or Dramatic Stereotypes

We will start off by reviewing some stereotypes about what happens when someone clicks a phishing link. In an attempt to raise awareness about cybersecurity, mass-media has also spread some misconceptions about phishing, typically exaggerating the potential impact. Here are some common examples.

“As soon as I click, they take over my system”

This is something we’ve heard a lot. While being paranoid about all online activities is probably not the best approach, we would agree that it is better to be safe than sorry. But is it really possible for attackers to take over your system only based on you clicking a malicious link? Well, it depends. Vulnerabilities have been reported in the past in browsers whereby attackers were able to gain remote code execution in the browser sandbox. However, in order to get remote code execution in the context of the victim’s system, such vulnerabilities must be chained with a sandbox escape vulnerability. Luckily, researchers who report such vulnerabilities within bug bounty programs tend to be rewarded with tens of thousands of dollars (see this Chromium report), so people feel motivated to disclose these bugs responsibly instead of exploiting them for cybercrime. The bottom line is that if you keep your browser and operating system updated, it is unlikely that your system will be fully compromised by only clicking a link. Nevertheless, if in doubt, you should still avoid clicking.

“My camera and mic will turn on and they’ll spy on me.”

While modern browsers can interact with the microphone and the camera of the device, they require explicit consent from the users. We will actually address this in one of our follow-up articles. So, only clicking the link will not allow threat actors to use your webcam and microphone to spy on you, but they could use some social-engineering to persuade you to provide your consent for the browser to use the recording devices.

“They’ll instantly empty my bank account.”

Attackers don’t usually get direct access to the victim’s bank account. Instead, they tend to use social engineering to obtain the victim’s credentials. Alternatively, if your bank is vulnerable to Cross-Site Request Forgery, attackers may be able to use it to perform unintended actions from your account. Occam's razor is a philosophical principle that suggests that when faced with competing explanations for the same phenomenon, the simplest explanation is usually the correct one. So in the context of this attack, one may argue that gaining access to a bank account through credential phishing is more likely than gaining access to a bank account through complex technical exploits.

Underestimated or Naïve Stereotypes

There is also the opposite side of the spectrum, where people navigate the internet carelessly, either due to ignorance or due to misconceptions about the potential impact of attacks. Here are some of these stereotypes.

“Nothing can happen if I don’t enter any data.”

This is the misconception we hear the most after our phishing engagements. We present the number of users who clicked the link and the number of users who entered their data, and we almost always get a comment about how the first metric is not relevant. We tend to disagree. Firstly, just clicking a phishing link gives the threat actor information about you such as the IP address (which may be used for geolocation), the type of device, browser and operating system, and knowledge as to whether the email address to which the link was sent is being monitored or not. Secondly, while unlikely, it is possible that threat actors could exploit zero-day vulnerabilities in browsers to get remote code execution on your system. Moreover, there is the possibility of drive-by downloads - downloads triggered by simply visiting a site. While these do not typically also lead to the execution of the payload, they can deliver malware and could be coupled with social engineering to also lead to remote code execution.

“Only non-tech-savvy people fall for phishing.”

This one is quite common as well. It is easy to believe that technical people are immune to phishing, but this is not the case. Awareness training significantly reduces the chance that people fall victim to phishing attacks, however, phishing campaigns are increasingly sophisticated and everyone, regardless of technical level, can be a target (especially in high-pressure or well-timed attacks like spear phishing).

Fake CAPTCHA

Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA) is a type of challenge–response turing test used in computing to determine whether the user is human in order to deter bot attacks and spam. A typical example would be typing some text based on an image, or selecting the sections of an image which contain specific objects.

However, with the rapid development of AI, traditional CAPTCHA is becoming less effective. As you can see, ChatGPT can be pretty good at solving CAPTCHA. Thus, CAPTCHAs are becoming increasingly complex.

Threat actors figured out a clever way to use the increasing complexity of CAPTCHAs. To verify that they are human, the victims had to click “I’m not a robot” and follow the instructions on the screen. The first step of the verification process involved pressing Windows + R, starting the Run menu. Then, they must click CTRL+V (paste) and enter. This would paste malicious code from the user’s clipboard into the Run menu and execute it. However, how do the threat actors write data into the victim’s clipboard?

Clipboard Access

In an initial attempt to create a Proof-of-Concept, we asked ChatGPT for help. We asked ChatGPT (politely, of course) to generate HTML code which copies “Hello world” to the user’s clipboard. ChatGPT generated the following code snippet for us:

This worked, but there was a significant issue - before writing to the user’s clipboard, the user must provide their explicit consent.

This led us to reading the documentation of the Clipboard API (Clipboard API - Web APIs | MDN). In the documentation we came across the concept of transient user activation (Features gated by user activation - Security on the web | MDN). This term highlights features which are activated by user interaction. So, for Chromium browsers, “Writing requires either the clipboard-write permission or transient activation. If the permission is granted, it persists, and further transient activation is not required.”. In other words, the Clipboard API can interact with the clipboard without specific clipboard-write permissions, but instead by getting the user to interact with the page.

Even worse, in Firefox and Safari, “Reading and writing require transient activation”, so simply clicking a button on the page can give the page access to the contents of the clipboard, without any specific consent.

With this in mind, we thought of a funny scenario where one could create a button on the page saying “Do not allow access to the clipboard” which when clicked would inherently give access to the clipboard. We will let you develop a PoC for this scenario in your own time.

Fake CAPTCHA PoC

Going back to the initial Fake CAPTCHA scenario developed to deliver Lumma Stealer, here is what we came up with:

This actually works. It displays a Fake CAPTCHA page. When the user clicks “I’m not a robot”, “Hello from HiveHack” is written to their clipboard.

Then, the Verification Steps appear on the screen, coercing the victim to run the contents of the clipboard.

Mitigations

Firstly, browsers should use explicit clipboard-write or clipboard-read permissions instead of only transient activation rights. This would not completely mitigate the issue, because attackers would simply add a step in the “verification process” saying that you must allow clipboard access. But still, it feels weird that attackers could control your clipboard without your prior consent.

Secondly, organizations must block access to the Command Prompt, PowerShell, Run and other similar utilities unless explicitly required by the users. This is not to say that attackers will not find other creative bypasses, but at least, this specific attack will be blocked.

Thirdly, many of these Fake CAPTCHA domains used the .shop top-level domain. Unless specifically necessary, blocking all .shop websites may prevent some of these attacks.

Conclusion

In this article, we explored the impact of phishing beyond entering credentials in malicious websites impersonating legitimate ones. We looked at an attack vector seen in the wild whereby Lumma Stealer spread through fake CAPTCHA pages. If you are not yet convinced of the impact of phishing attacks, stay tuned for our next article in this series where we will explore drive-by downloads. Stay safe!