Share
FORENSICS / CLOAKING

Fake "Security Verification" CAPTCHA pages: the cloaking gates feeding a supplement scam

On July 9, security researcher Anurag, who posts as @Malwarehunterr, flagged a cluster of odd little websites with names like usevicks.online and guysvick.online. Each is a single page titled "Security Verification" that asks you to prove you are human. We pulled the live pages the next morning. They are not phishing kits and they carry no malware. They are filters. The CAPTCHA is not verifying you for your safety. It is verifying you for the scammer, so that bots, ad reviewers and security scanners never see what waits on the other side.

SafeBrowz Threat Research

Four fake CAPTCHA gates, one supplement funnel

The "Security Verification" pages at usevicks.online, guysvick.online, standbroup.online and updatestday.online are not security checks. They are cloaking gates: AI-generated one-pagers whose only function is to filter out automated visitors and redirect real humans to legacymen.online, the entry point of what its own tracking configuration and naming identify as a supplement-scam funnel. One gate embeds a genuine Cloudflare Turnstile widget, served from the legitimate challenges.cloudflare.com; Cloudflare has nothing to do with the scam, its widget is simply being abused as a bot filter. Another gate does not even bother with a real check: its checkbox is theatre, wired to a 0.8-second timer and a redirect. Every gate loads the same commercial click tracker under the project name "MAXMAN PROST", which matches documented male-enhancement and prostate supplement scam funnels. SafeBrowz has blocklisted all five domains, so tapping any of the red domains in this report runs a live scan that returns danger. If a bare page ever asks you to "verify" before sending you somewhere else entirely, close the tab.

The find: four security checks that secure nothing

Credit where it is due: this cluster was surfaced by researcher Anurag, posting as @Malwarehunterr on X on July 9, 2026. He flagged four live domains hosting near-identical pages titled "Security Verification". We verified the pages first-hand on July 10, while all four gates were still live, and pulled their full source.

Each page looks the same at a glance: a minimal, modern one-pager with a shield motif and a short instruction to confirm you are human before continuing. There is no company name, no navigation, no footer, no privacy policy, no content of any kind behind the check. That absence is the first tell. A real website puts a CAPTCHA in front of something, an account login, a checkout, a comment form. These pages are the CAPTCHA. Solve this one and you unlock nothing. You are simply thrown to a different domain.

The four gates split into two designs, and the difference is instructive.

Inside the pages: one real Turnstile, one fake checkbox, two bare redirects

usevicks.online runs a real Cloudflare Turnstile. The page embeds the genuine Turnstile widget, loaded from challenges.cloudflare.com. To be completely clear: Turnstile is a legitimate anti-bot product that Cloudflare offers to any website for free, and Cloudflare is not compromised or involved here. The scammer simply signed up for the same widget honest sites use, because it does exactly what a cloaking gate needs: it reliably tells humans apart from bots. The twist is in the page's own JavaScript. When Turnstile reports a successful human verification, the script runs window.location.replace and sends the visitor to legacymen.online/p2/. The "verification" verifies you into the funnel.

guysvick.online fakes the whole thing. There is no anti-bot service on this page at all. The checkbox is plain page JavaScript: click it, a setTimeout waits 800 milliseconds to imitate a check, then the redirect fires. Nothing was verified, by anyone, at any point. The page also carries a "Continuar" button, Spanish and Portuguese for "continue", which suggests at least part of this traffic is being bought in Latin America. Two versions of one gate, real challenge and pure theatre, tell you the operator is testing what converts.

standbroup.online and updatestday.online are thinner still. Both redirect to legacymen.online/m1. The different landing paths, /p2/ from one gate and /m1 from others, are consistent with an affiliate operation splitting and measuring its traffic, which fits what the tracking layer shows next.

Built with an AI site builder, fingerprints included

All four gate pages were generated with Lovable, an AI website builder, and they did not even scrub the evidence: Lovable's meta fingerprints are still sitting in the page source. Lovable, like Turnstile, is a legitimate product being abused. Describe a page in a sentence and the tool builds and hosts it in minutes, which is exactly what a cloaking operation wants, because gate domains are disposable by design. When one gets blocklisted, you generate another.

This is not a one-off abuse either. Proofpoint has documented cybercriminals using Lovable at scale, observing tens of thousands of malicious Lovable-created URLs every month, and BleepingComputer has covered the same trend. The gates in this campaign are a small example of that shift: nobody hand-coded these pages, and nobody needed to. We keep running into AI-generated scam infrastructure, from AI-written phishing emails to fully generated landing pages, and the practical consequence is that "the page looks professionally made" now means nothing at all.

The tracking config names the funnel: MAXMAN PROST

The most valuable forensic detail is not in what the pages show. It is in what they load. Every one of the four gates carries the same click-tracking script, cdn.clkmc.com/cmc.js, from ClickMagick, a commercial click-tracking service used widely and legitimately by affiliate marketers. The embedded configuration uses the tracking uid 210405 on every gate, tying all four domains to one operator, and names the tracking project: "MAXMAN PROST".

That name places the campaign. "Maxman" and prostate-themed offers are staples of a well-documented family of male-enhancement and prostate supplement scam funnels; MalwareTips has published consumer write-ups on offers in this family, including "Prostate Max" and Maxman-style gummies, which are typically promoted through deepfake and AI-generated video ads pushing a so-called "Vicks VapoRub trick" for men. Look back at the gate domains with that in mind: usevicks and guysvick are named for the ad hook itself. One point of hygiene: Vicks VapoRub is an ordinary household product and its maker has nothing to do with any of this; the scam ads borrow the brand name because a familiar product makes an absurd health claim feel testable. That borrowed-trust trick is the same engine behind most of the malicious advertising we cover.

And the destination? At the time of writing, legacymen.online is suspended, returning a 403 error from its CDN at the time of analysis (the domain has since stopped resolving entirely). We never saw the final offer page render, and we will not pretend otherwise. What we can say, and what is enough, is this: by its own tracking configuration and naming, the traffic through these gates was being sold into a supplement-scam funnel. The gate domains from this cluster also appear in a community threat-intelligence pulse on AlienVault OTX, so the indicators are on record for other defenders.

Why put a CAPTCHA in front of a scam?

Because the people the operator most needs to keep out are not people at all.

Every scam funnel that buys traffic has three natural predators, and all three are bots. Ad-platform reviewers crawl an ad's destination URL to check it complies with policy. Security vendors scan URLs to classify them. And search or social crawlers index what they can reach. A CAPTCHA gate defeats all three at once: the automated visitor arrives, cannot or does not complete a human-interaction challenge, and sees only a bland, empty "Security Verification" page with no scam content on it. Nothing to violate policy, nothing to classify as malicious, nothing to index. The human who clicked the deepfake ad, though, taps the checkbox without thinking and is passed straight through to the offer. That is cloaking: showing the machine a clean page and the human a dirty one.

This is the same defensive logic we have documented in fake Cloudflare error pages used as smishing cloaks and in the cloaked fake login pages the FBI warned about, and it is the reason a scam ad can survive review on a legitimate ad network, which we broke down in search-engine phishing through paid ads. What makes this cluster notable is how little infrastructure it needed. This is not one of the commercial traffic-distribution systems that large malvertising crews rent. It is a homemade filter, four AI-generated pages and a stock widget, doing the same job for the price of four cheap .online domains.

One thing this campaign is not: it is not ClickFix. If you have read our teardown of the fake CAPTCHA ClickFix attack, you know that family uses a fake verification to trick you into pasting commands that infect your own computer. The pages in this report do nothing of the sort. There is no clipboard access and no command to run; you click, you get counted, you get redirected. The two scams share only one asset, and it is the important one: your learned reflex. "Prove you are human" boxes are now so routine that most of us complete them on autopilot, and both attack families are built on exactly that autopilot.

🛡 LIVE CHECK

Landed on a "verify you are human" page? Check it here

Paste any suspicious verification page, or any link from an ad or message, before you interact with it. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup. The red domains in this report are live examples: tap one and watch it flag.

Full scan with deep AI analysis → · No URL is logged to your identity.

The five domains, all now flagged

Here is the full cluster. SafeBrowz has blocklisted every one, so each is safe to test from this page: clicking a domain below runs a live scan that returns danger.

  • usevicks.online - gate page with a genuine Cloudflare Turnstile widget; redirects human visitors to legacymen.online/p2/.
  • guysvick.online - gate page with a fake checkbox on an 800-millisecond timer; carries a Spanish/Portuguese "Continuar" button.
  • standbroup.online - gate page redirecting to legacymen.online/m1.
  • updatestday.online - gate page redirecting to legacymen.online/m1.
  • legacymen.online - the funnel destination, currently suspended by its CDN.

A note on scope: the researcher who found this cluster also published other, separate indicators the same day, covering unrelated campaigns. Those are deliberately not part of this report. Everything above is limited to the CAPTCHA-gate cluster we examined ourselves.

Red flags of a fake CAPTCHA gate

  • The CAPTCHA is the entire website. Real sites put a challenge in front of content: a login, a checkout, an article. If the page holds nothing but a shield icon and a checkbox, there is nothing being protected, and the check exists for someone else's benefit.
  • "Verifying" you sends you to a different domain. A genuine verification unlocks the site you are already on. A redirect to a brand-new address the moment you pass is a traffic filter, not a security check.
  • You arrived from a health-miracle or too-good video ad. This cluster is fed by the deepfake "Vicks VapoRub trick" style of supplement ad. The gate exists precisely because the ad could not survive an honest review.
  • The domain is a throwaway. Mashed-up names like usevicks, standbroup or updatestday on cheap TLDs such as .online, .xyz or .top are disposable by design. No real verification service lives on a domain like that.
  • The checkbox "passes" instantly with no challenge. Real Turnstile and reCAPTCHA widgets are served from Cloudflare and Google infrastructure and visibly do work. A checkbox that is just part of the page, ticking itself after a beat, is theatre.
  • The language does not match. A "Continuar" button on an otherwise English page means the kit is being pointed at whatever traffic was cheapest that week.
  • No company, no footer, no policy, no anything. Zero identifying information holds across scam pages of every kind; our guide on how to tell if a website is a scam walks through the full check.

If you clicked through, or bought from the offer

On the pages we examined, passing the gate itself did not install anything or ask for anything; the gates run a tracker and a redirect, and the danger is where they send you. If you only clicked through and closed the tab, no specific cleanup is needed.

If you reached a supplement offer through a page like this and paid, treat it as a card-safety problem, not a shopping problem. Consumer write-ups of this funnel family, including MalwareTips' coverage of Prostate Max and Maxman-style offers, describe misleading claims and billing that is hard to unwind, so move early: check your statement, watch for recurring charges you did not knowingly agree to, and ask your bank to dispute the charge and block further billing from the merchant. Report the ad and the site at reportfraud.ftc.gov if you are in the US. Our step-by-step guide on what to do after getting scammed covers the full sequence, and our explainer on fake online store scams covers the checkout-side red flags.

Flag the fake CAPTCHA gate before it filters you in

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. Against this campaign specifically:

  • Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database, with homograph and Punycode checks, running inside the extension before the page renders. The gate pattern here, a nonsense mashed-name on a cheap throwaway TLD like .online, is exactly the disposable-domain profile this layer is built to treat with suspicion.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus and ScamAdviser feeds plus 30+ scam-TLD lists, alongside our own blocklist. All five domains in this report, the four gates and the legacymen.online destination, have been added to that blocklist, so a scan of any of them returns danger even while a page is freshly live.
  • Layer 3 - AI deep scan (Premium): reads the page the way an analyst would, in 100+ languages. A page titled "Security Verification" whose only real content is a click tracker and a redirect has no legitimate content signature to find, and that emptiness is itself the signal. This is how a brand-new gate on a domain no blocklist has ever seen still gets caught: not by its reputation, but by what the page actually is.

Honest scope: SafeBrowz flags the gate page when your browser lands on it, before the redirect carries you into the funnel. It cannot fact-check the health claims in a video ad you watch inside a social app, and it cannot recover money already paid to a deceptive merchant, so the reflex this report is really about stays with you: a "verify you are human" box on an empty page is not protecting you from bots. It is protecting a scam from scrutiny.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Flag the next gate before it loads

Add the browser extension, or the SafeBrowz Android app, and every link you open gets checked automatically, before the page renders. The five domains in this report already return danger. Free forever, with optional Premium AI deep scan at $14.99 per year.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge Google Play Get it on Google Play

See pricing and Premium features

Frequently asked questions

Is usevicks.online a real security verification page?

No. usevicks.online is a fake "Security Verification" page that works as a cloaking gate. It embeds a genuine Cloudflare Turnstile widget, but passing the check does not unlock anything: the page's own JavaScript redirects verified humans to legacymen.online, the entry point of a supplement-scam funnel identified by the page's own tracking configuration. The related gates guysvick.online, standbroup.online and updatestday.online work the same way, and all five domains are on the SafeBrowz blocklist, so a scan of any of them returns danger.

Is Cloudflare Turnstile itself a scam?

No. Cloudflare Turnstile is a legitimate anti-bot product served from challenges.cloudflare.com, and Cloudflare is not involved in this campaign. Scammers can sign up for the same free widget that honest websites use, because it reliably separates humans from bots, which is exactly what a cloaking gate needs. Seeing a real Turnstile or reCAPTCHA on a page tells you nothing about whether the page itself is trustworthy.

Why would a scam website put a CAPTCHA in front of itself?

To filter its visitors. Ad-platform reviewers, security scanners and search crawlers are all automated, so they fail or skip a human-interaction challenge and see only an empty, harmless-looking verification page with nothing to flag. Real humans click through and get redirected to the actual scam offer. This technique is called cloaking, and it is how scam ads survive review on legitimate ad networks and how scam pages stay unflagged for longer.

Is this the same as the fake CAPTCHA ClickFix attack?

No, and the difference matters. ClickFix pages use a fake CAPTCHA to instruct you to press keyboard shortcuts and paste commands, which infects your computer with malware. The gates in this campaign never touch your clipboard and never ask you to run anything: you click a checkbox and get redirected into a scam sales funnel. Both rely on the same reflex of completing "prove you are human" checks on autopilot, but one delivers malware and the other filters traffic for a fraudulent offer.

I ordered a supplement through one of these funnels. What should I do?

Treat it as a payment-safety issue. Check your card statement, watch for recurring charges you did not knowingly agree to, and contact your bank to dispute the charge and block further billing from that merchant. Consumer write-ups of this funnel family describe billing that is hard to cancel, so acting early matters. In the US, report the ad and the website at reportfraud.ftc.gov. If you only clicked through a gate page and did not buy or enter anything, no specific cleanup is needed.

Related reading

Bottom line: A CAPTCHA on an empty page is not a security feature, it is a doorman, and you are the one being screened. The "Security Verification" gates at usevicks.online, guysvick.online, standbroup.online and updatestday.online existed to keep bots and reviewers out of a supplement-scam funnel at legacymen.online, and all five now return danger on a SafeBrowz scan. If solving a checkbox on a bare page throws you onto a different domain, you were not verified, you were sorted. Close the tab, check any suspicious link with the free scam checker, and keep SafeBrowz in your browser so the next gate is flagged before it can filter you in.