captchafair malware??

JoelYoung

A couple hours ago I suddenly got multiple popups from something called captchafair.top, warning me that I'm infected with 5 viruses, yada yada yada. I close them with the x in the corner but they just come back right away.

I researched a fix, tried a couple things, and it went away. ...until I opened Vivaldi again. So it seems something got into my V, and I have no idea how.
The only websites I go to in V are Facebook, my email, check the weather, YouTube, and the occasional common & benign sites. So this is a complete mystery.

I am sure it's attached to Vivaldi, as it hasn't happened while using both Chrome and Firefox for the past couple hours. Soon as I opened V, though, there it was.

Has anyone else experienced captchafair.top?

EDIT: I should mention that this is only happening in Snapshot.

Zalex108

@JoelYoung

Hi,
Windows?
Try looking at your Task Manager whether any suspicious or any Remote Desktop Connection.

You may check the resources comsumption if not sure what to check.

On V,
Save the Session and restart with a new one.
Go to the Task Manager and see what's there.
Go to vivaldi://serviceworker-internals and Stop any similar or everything.

Check the V Shortcut also, whether is the default or changed.

Do you use any AV Software?
Try to run it.

You would disconnect from Internet if possible in case of heavy infection.

Check at your OS StartUp too.

If Windows
Win+R - MSConfig (will push you to the right place)

@Catweazle or @Pathduck would have the fix already or a bunch of more options xD

Pathduck

@JoelYoung I doubt this is actual malware, most likely just a browser "hijacker" or you've accidentally allowed notifications from some shady site.

Also make sure to check if any unknown sites have been added to sites allowed to send notifications:
chrome://settings/content/notifications

It could also be caused by installing some dodgy extension, so check those as well.

Doing a web search for this comes up with mostly useless advice, either pushing you to install malware scanners or reinstall your browser. Running a scanner like Malwarebytes is usually meaningless against these things, because they are not "malware" in the usual sense.

JoelYoung

@Pathduck said in captchafair malware??:

@JoelYoung

...make sure to check if any unknown sites have been added to sites allowed to send notifications:
chrome://settings/content/notifications

That solved it! Removed permission and the popups disappeared. Thank you!

I'm wondering now if it was from one of the reels on FB. The latest popup showed something similar to what I saw on a reel earlier today. Sneaky ba*tards.

Catweazle

@JoelYoung , AdwCleaner or Panda Cloud Cleaner a good options to eliminate browser hijacker and similar crap.
Anyway I recomend to use generally an extension called Site Bleacher, which eliminate cookies, local storages, IndexedDBs, service workers, cache storages, filesystems and webSQLs from all sites you visit, except from the whitelisted ones. This also avoid that a page can give you some "gifts" like these.
In the Chrome Store avoid extensions which don't have a link to the official page, better if the extension is open source.

alt text

Pathduck

@JoelYoung Glad it helped

What would be really interesting to know is which domain(s) were registered there that might've been sending these notifications.

I don't know how these things work in detail, but it would surprise me if allowing notifications from Facebook, they were able to "fake" their sender address.

My guess is it would be some other domain that managed to get its way in there by some trickery.

My recommendation is to block Notifications outright, and only allow them specifically for domains where you need them. This can be done in Settings > Privacy & Security > Default Permissons

Catweazle

@JoelYoung , if you want full control over incomming and outgoing data use Portmaster (FOSS, paid version include SPN(something like a VPN on steroids)).

alt text

https://www.ghacks.net/2022/11/08/portmaster-1-0-released-open-source-application-firewall/