Tue, May 12, 2020

Threat Update: Malicious Use Of reCaptcha

Cybercriminals are continuing to find new techniques to evade detection. Protect your business by keeping your users informed about current attacks. One of the newest tricks is phishing campaigns using reCaptcha walls to block URL scanning services from accessing the content of phishing pages.

Using reCaptcha is a common practice by legitimate companies to deter bots from scraping content. Because end users are so familiar with being asked to solve a reCaptcha and prove they aren’t a robot, malicious use of a real reCaptcha wall also lends more credibility to the phishing site, making users more likely to be tricked.

Highlighted Threat
Email credential phishing campaigns are starting to use reCaptcha walls to prevent automated URL analysis systems from accessing the actual content of phishing pages. The reCaptcha walls make the phishing site more believable in the eyes of the user as well.

While some campaigns spoof the reCaptcha box and only really contain a checkbox and a form, the use of the actual reCaptcha API is becoming increasingly common. This approach is undoubtedly more effective in deterring automated scanners.

In recent weeks, there have been multiple email credential phishing campaigns using reCaptcha walls on links in phishing emails. One campaign had more than 128,000 emails using this technique to obscure fake Microsoft login pages. The phishing emails used in this campaign, like the example shown below, claim that the user has received a voicemail message.

The emails contain an HTML attachment that redirects to a page with a reCaptcha wall. The page doesn’t contain anything other than the reCaptcha, but this is a relatively accepted format for legitimate reCaptchas as well, so it isn’t likely to raise red flags for a user.

Once the user solves the reCaptcha, they are redirected to the actual phishing page, which spoofs the appearance of a typical Microsoft login page. It is not clear whether the page’s appearance matches the user’s legitimate mail server. It’s possible, though, that with some simple reconnaissance the attacker could find this sort of information and make the phishing page even more convincing.
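As an added illustration (not part of this post or of any vendor's product), the following Python heuristic flags the two artifacts described above from an analyst's side: an HTML attachment whose only job is to forward the browser, and a landing page whose entire visible content is the genuine reCaptcha widget. The sample documents are constructed, the sitekey is a placeholder, and the visible-word threshold is an assumption.

```python
import re
from html.parser import HTMLParser

RECAPTCHA_API = "google.com/recaptcha/api.js"  # loader of the genuine widget
MAX_WALL_WORDS = 25  # assumption: a bare wall shows almost no visible text

class _PageFacts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.words = self.inputs = 0  # visible words; user-facing form fields
        self.recaptcha = self.meta_refresh = self.js_redirect = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self.recaptcha |= RECAPTCHA_API in (a.get("src") or "")
        elif "g-recaptcha" in (a.get("class") or "").split():  # the widget <div>
            self.recaptcha = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh = True
        elif tag == "input" and (a.get("type") or "text").lower() not in ("hidden", "submit"):
            self.inputs += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # inline script that assigns window.location
            self.js_redirect |= bool(re.search(r"location(\.href|\.replace\(|\s*=)", data))
        else:
            self.words += len(data.split())

def classify(html):
    """Return 'recaptcha_wall', 'redirect_stub' or 'other' for one HTML document."""
    f = _PageFacts(); f.feed(html); f.close()
    if f.recaptcha and f.inputs == 0 and f.words <= MAX_WALL_WORDS:
        return "recaptcha_wall"  # the widget is the whole page: a scanner-blocking gate
    if (f.meta_refresh or f.js_redirect) and f.words <= MAX_WALL_WORDS:
        return "redirect_stub"  # attachment whose only job is to forward the browser
    return "other"

# Constructed samples (not captured from the campaign); the sitekey is a placeholder.
WALL = ('<script src="https://www.google.com/recaptcha/api.js" async></script><form method="post">'
        '<div class="g-recaptcha" data-sitekey="SITEKEY_PLACEHOLDER"></div></form>')
ATTACHMENT = '<meta http-equiv="refresh" content="0;url=https://example.invalid/voicemail">'
LOGIN = ('<h1>Sign in</h1><p>Enter your e-mail and password.</p><form><input type="email" name="u">'
         '<input type="password" name="p"><div class="g-recaptcha" data-sitekey="SITEKEY_PLACEHOLDER"></div></form>')
```

A real login form that also uses reCaptcha (LOGIN) is left alone because it carries user-facing fields and text, which is the difference a URL scanner can key on when it is stopped at a bare wall.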

Protect Your Business – Educate Your Company Users
The most critical step in protecting against malicious reCaptcha walls is to educate users about the threat, so they know to be cautious instead of assuming a reCaptcha is a sign that a page is safe. Make sure your users know they should exercise scrutiny when seeing reCaptcha walls, especially in unexpected places where legitimate walls have not been encountered in the past.

As with any email-based phishing, checking for suspicious senders, URLs, and attachments will help users spot this attack before they get to the reCaptcha. So, providing users with Centrality’s Security Awareness Training and Email Security Services, along with Cybersecurity with Real-Time, 0-Day Updates, will protect your business. For details on how we can help, contact us at 502-267-2552.
