SweetCAPTCHA is a free service that offers good-looking images instead of the classic captchas made of cryptic digits and characters. It is available for a number of platforms including WordPress, Drupal, and Joomla!
Malicious scripts by SweetCaptcha
Sucuri, a well-known web security company, reports that many websites using SweetCaptcha are showing malicious popups and ads.
Occasionally, some visitors see popups pushing tech support for supposed security errors.
The ads are injected by a script served from this SweetCaptcha URL (defanged):
hxxp://www . sweetcaptcha . com/api/v2/apps/csrf/(digit_id)?ver=3.1.0
That script is what loads the malicious code.
5.2 You acknowledge that within the sweetCAPTCHA service and/or sweetCAPTCHA API, there might be included 3rd party content which will be displayed for the purpose of user interaction. This content might include but will not be limited to ads, banners, links, search engine input fields, etc.
This clause explains where the ads come from.
Adware history of SweetCaptcha
It’s not the first time that SweetCaptcha has injected this kind of code into websites using its service. Back in September 2014 a user reported an unwanted search bar in the WordPress support forums. SweetCaptcha replied with this explanation:
SweetCaptcha is a FREE project, we had some pilots for a very short time with monetization solutions back in the past, but they were just pilots, meaning they ended a long time ago.
sweetCaptcha was always Free from ads and will stay so.
In Sucuri’s blog post about this malware you’ll find links to a number of support threads on the WordPress plugin forum, starting from June 8, 2015, reporting a new wave of ads coming from the service. So it’s not really free from ads.
Let me suggest a few steps to take in order to stay free from malware ads:
- Don’t use SweetCaptcha any more.
- Read terms of service for anything you use.
- Think twice before adding third-party scripts to your website. You lose control over your web pages’ content: a script served by someone else can change at any time without you touching a single file.
I won’t tell you to stop using this service temporarily. You should stop for good. There are various ways to keep a service free, but malware is one that should never be accepted. Services that want to live by injecting malware into their users’ websites should die.
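A quick way to act on the last point, and to check whether a page is pulling in the SweetCaptcha API script described above, is to list every external script origin in the served HTML. The following is an added example written for this post, not code from SweetCaptcha or from Sucuri; the sample page, the first-party host example.com and the app id 12345 in the script URL are constructed placeholders, not real values.

```python
"""Audit an HTML document for third-party <script> sources.

Added example, not part of the original post or of SweetCaptcha's code.
It lists every script origin that differs from the site's own host and
flags the sweetcaptcha.com hosts the post names as the source of the
injected ad code. The sample page below is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the post identifies as the origin of the injected ads.
FLAGGED_HOSTS = {"sweetcaptcha.com", "www.sweetcaptcha.com"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser already lower-cases tag names
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value)


def external_scripts(html, site_host):
    """Return (src, host) pairs for script tags not served from site_host.

    Protocol-relative URLs (//host/path) are normalised so the host is
    compared correctly; relative paths have no host and count as first-party.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    result = []
    for src in parser.sources:
        url = "https:" + src if src.startswith("//") else src
        host = urlparse(url).netloc.lower()
        if host and host != site_host.lower():
            result.append((src, host))
    return result


def flagged_scripts(html, site_host):
    """Subset of external_scripts() whose host is in FLAGGED_HOSTS."""
    return [(src, host) for src, host in external_scripts(html, site_host)
            if host in FLAGGED_HOSTS]


# Constructed sample page: a first-party script, a CDN script, and a
# SweetCaptcha script tag shaped like the URL quoted in the post
# (the app id 12345 is a placeholder, not a real id).
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
<script src="//www.sweetcaptcha.com/api/v2/apps/csrf/12345?ver=3.1.0"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src, host in external_scripts(SAMPLE_HTML, "example.com"):
        label = "FLAGGED" if host in FLAGGED_HOSTS else "external"
        print(f"{label:8} {host:28} {src}")
```

Run it against the HTML your server actually sends to visitors (for instance fetched with curl as an anonymous user), not against the theme files on disk: the point of the post is that the ad code arrives through a script fetched at page load, so it is only visible in the rendered output. Every host the script prints is one you have handed control of your pages to.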