Fake CAPTCHA Pages Are Stealing From Mexican Bank Customers
Elastic Security Labs is tracking a fraud campaign, dubbed REF6045, that tricks people into pasting a malicious command from a bogus 'prove you're human' page.

Key points
- Elastic Security Labs is tracking a new fraud campaign, called REF6045, aimed at customers of Mexican banks, fintech apps, payment processors and cryptocurrency exchanges.
- Victims are lured to fake CAPTCHA pages, the little puzzles websites use to check you are a real person, and told to run a command that quietly installs malware.
- The malware is a PowerShell toolkit named SCMBANKER, built to steal banking credentials and drain accounts.
- The technique is known as ClickFix, a social engineering trick where the victim does the hackers' work by pasting the command themselves.
There is a new banking scam running in Mexico, and it starts with something that looks completely ordinary: a CAPTCHA.
You know the drill. A website asks you to tick a box or copy a short code to prove you are not a robot. In this campaign, that check is a fake, and following its instructions hands your computer to criminals.
Elastic Security Labs, the research arm of the search company Elastic, is tracking the operation under the codename REF6045. First reported by The Hacker News, the campaign is going after customers of Mexican banks, fintech services (financial apps that work like a bank on your phone), payment processors and cryptocurrency exchanges.
How does the scam actually work?
The hackers push victims to a fake verification page that pretends to be a normal anti-bot check. Instead of clicking a box, the page tells the visitor to open the Windows Run box and paste in a short command it has already copied to their clipboard.
That command is the trap.
Once pasted and run, it downloads and installs a PowerShell toolkit that Elastic calls SCMBANKER. PowerShell is a scripting tool built into Windows, and it is a favourite of attackers because it is already trusted by the operating system.
The malware then focuses on what the criminals actually want: your money. It targets login details for Mexican banks and crypto exchanges, and it can hang around quietly on the machine, waiting for the next time you log in.
Why 'ClickFix' matters
Security researchers have a name for this style of attack: ClickFix. The idea is simple and, frankly, clever. Instead of exploiting a software bug, the hackers exploit the person at the keyboard.
You are told there is a small problem, a captcha to solve, a document that will not open, an update that needs a nudge, and helpfully given the 'fix' to paste in. You paste. You infect yourself. No fancy zero-day required.
It is the modern cousin of the old email attachment trick, dressed up for 2025.
Should ordinary customers be worried?
If you bank in Mexico, yes, you should pay attention, but you do not need to panic. There is one rule that defeats this entire class of attack, and it is easy to remember.
No legitimate website will ever ask you to open the Windows Run box, PowerShell, or a Terminal window and paste in a command to prove you are human. None. Not your bank, not a video site, not a delivery tracker.
If a page tells you to do that, close the tab. If you already ran the command, disconnect the computer from the internet, call your bank from the number on the back of your card, and get the machine checked by someone you trust.
Watch your accounts for small test transactions in the days after. Criminals often try a tiny charge first to see if the card is live before draining it.
The bigger picture
SCMBANKER is not a technical marvel. It is a reminder that as browsers and operating systems get harder to break into, attackers are spending more effort on convincing you to break the door open yourself. That is a training problem as much as a security problem.
Expect more ClickFix campaigns, in more languages, aimed at more banks, well into next year.



