Fake CAPTCHA on the Swtorista website now fixed

Hey all! Thank you so much for all the messages here, on Discord, and via email! Earlier today (at 9:56 AM to be precise?) the Swtorista website caught a little virus – it was showing many users a fake CAPTCHA that would then instruct them to press the WIN+R keys, paste a command into the box and run it on their computer, to "verify they were human". (Don’t EVER do that, on any website!) I was away at school so thanks for all the notifications when it popped up! I’ve spent the last 4ish hours tracking down the malware, removing it, then breaking the site and restoring it. Really, really appreciate all the kind words and encouraging messages/comments, it really helped me through it. I love making content but hate dealing with this kind of stuff, so glad it is fixed!

What happened?
An automated bot compromised one of the user login accounts to the Swtorista website (not the fashion/Discord part of the site). It installed a script that would run some JavaScript on pages, instructing the user to verify they were human, with something that looked like a Cloudflare icon and checkbox. After checking the fake box, the user would be instructed to press WIN+R; a command would be auto-copied to their clipboard, and the user would then be told to paste it (or press CTRL+C, CTRL+V) into the WIN+R box and run it to verify they were human. This is a growing epidemic, called the ClickFix / Fake CAPTCHA scam, and has been hitting WordPress sites especially, but it is seen elsewhere too.

What happens if I fell for the scam?

I’m unsure exactly what happens if the user falls for it fully, but I assume it gives the hacker access to your computer or your browser.

If you did not press WIN+R, and/or did not follow through with running the script, it’s fine, nothing interesting happened to your computer (if all you did was click to verify, it’s fine; it’s even fine if you pressed WIN+R and didn’t do anything after that).

IF you did press WIN+R and also ran the script that got copy-pasted, here are the steps you should take:

  • Run a scan with Windows Defender, then run a Microsoft Defender Offline Scan.
  • Run a scan with Malwarebytes and/or the ESET online scanner: https://www.malwarebytes.com/mwb-download // https://www.eset.com/au/home/online-scanner/
  • The program likely ran and deleted itself though, so you may find nothing.
  • While scanning, work on changing all your passwords online. Start with your banks, email, etc., the most important ones, and work your way down. If you use Chrome you can use this page to go down the list: https://passwords.google.com/ Don’t forget your computer password, and things like Steam.
  • Do a quick check of your social media account private messages, and make sure the scam did not message people on your behalf. If it did, make sure to log out and back in with a new password, and politely message those people back to let them know you were hacked and not to follow any instructions it sent.

What did the scam look like in WordPress / in the admin?

It looked like nothing. Boo! The code they injected into my site was actually made with ChatGPT, in Russian. The hacker was very polite though: ChatGPT left lots of good comments in Russian saying exactly what each line of code did (LOL).

I started by trying to turn different plugins off and on, deleting extra users and themes, changing passwords, etc., but that overloaded my website and crashed it hahaha. Basically the scam installed a WordPress plugin via a compromised user account, but the plugin was HIDDEN in the admin so I couldn’t see it and delete it. I found it by carefully checking all my file folders, especially the last-modified dates, until I found it. Then I had to delete the folder, but that broke my site, so I had to manually remove the active_sitewide_plugins field and replace it with a:0:{} in wp_sitemeta (multisite), and in wp_options make active_plugins be a:0:{} too – otherwise the site kept looking for a deleted plugin and was crashing because of it, giving connection errors and making it even harder for me to fix things. Eventually I figured that out and manually enabled all the plugins again, but I realized one of the plugins kept trying to restart a huge process every time I enabled and disabled it, so for now I’mma just leave it off.
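The crash above comes from active_plugins (and, on multisite, active_sitewide_plugins) still pointing at a plugin folder that was deleted by hand. As an added example (not Swtorista's own code, and not part of WordPress), here is a small Python check that parses that PHP-serialized value, reports entries whose main file is gone, and re-serializes only the survivors, which gives the a:0:{} value from the post when nothing valid is left. The plugin names, paths and sample values are constructed for illustration.

```python
"""Check a WordPress active_plugins value against the plugins directory."""
import os
import re

# Matches the start of a PHP-serialized string: s:<byte length>:"
_STR = re.compile(rb's:(\d+):"')


def php_strings(serialized: str) -> list:
    """Return every string value in a PHP-serialized array, honouring the
    declared byte length so odd characters in a path cannot confuse it."""
    data, out, pos = serialized.encode(), [], 0
    while (m := _STR.search(data, pos)):
        n, start = int(m.group(1)), m.end()
        if data[start + n:start + n + 2] != b'";':
            raise ValueError(f"corrupt serialized string at byte {m.start()}")
        out.append(data[start:start + n].decode())
        pos = start + n + 2
    return out


def serialize_plugin_list(paths: list) -> str:
    """Build the single-site active_plugins shape; an empty list is a:0:{}."""
    body = "".join(f'i:{i};s:{len(p.encode())}:"{p}";' for i, p in enumerate(paths))
    return f"a:{len(paths)}:{{{body}}}"


def clean_active_plugins(serialized: str, plugins_dir: str) -> tuple:
    """Return (kept, missing, new_value). Missing entries are the ones that
    make WordPress try to include a file that no longer exists on every load.
    Multisite active_sitewide_plugins maps plugin => timestamp; the parser
    extracts its plugin paths too, but new_value uses the single-site shape."""
    paths = [p for p in php_strings(serialized) if p.endswith(".php")]
    kept = [p for p in paths if os.path.isfile(os.path.join(plugins_dir, p))]
    missing = [p for p in paths if p not in kept]
    return kept, missing, serialize_plugin_list(kept)


if __name__ == "__main__":
    # Constructed sample: akismet is present, the removed plugin is not.
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "akismet"))
        open(os.path.join(d, "akismet", "akismet.php"), "w").close()
        stored = 'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:33:"hidden-updater/hidden-updater.php";}'
        kept, missing, fixed = clean_active_plugins(stored, d)
        print("missing (would crash the site):", missing)
        print(f"UPDATE wp_options SET option_value = '{fixed}' WHERE option_name = 'active_plugins';")
```

Run it against a copy of the option value pulled from wp_options before touching the database; the printed UPDATE is only a suggestion to review, not something the script executes.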

The previous time I dealt with this, it was not nearly as sneaky, and instead added an extra function to my functions.php file. For future fixes, I’ve deleted all user accounts except me and zahk, and wrote this down so I don’t forget it later. Best of luck if you run into this yourself; the exact method of the scam will change daily – like I said, mine was written with ChatGPT, which means a new method can be generated just as easily.

PS, if you missed it, the Mounts database and Pets database are now fully up to date again! This is the kind of stuff I’d much rather work on haha!
