Researchers at Barracuda Networks have reported an increase in phishing attacks that use official reCAPTCHA walls to avoid detection by email security solutions. This phishing technique hides the malicious content from automated scanners and tricks unsuspecting users.
Purpose of reCAPTCHA
reCAPTCHA walls are typically used to verify that a visitor is a human rather than a bot. Only once the human interaction has been verified is access to the web content allowed. It is also commonly used as one of the MFA (multi-factor authentication) techniques, which helps legitimate companies restrict bots from scraping and hijacking their content.
Phishing Campaigns Using reCAPTCHA Walls
It seems that cybercriminals, however, have now started using the reCAPTCHA wall service to prevent automated URL analysis systems from reaching the malicious content and code on the phishing pages. Researchers said that these phishing sites look more credible to the human eye than those used in other campaigns.
Researchers added that one of the phishing campaigns sent out 128,000 emails to several organizations and their employees, using reCAPTCHA walls to disguise fake Microsoft log-in pages. This sophisticated campaign used a voicemail receipt to fool users into solving the reCAPTCHA wall before being redirected to the malicious page. All the login credentials entered thereafter were sent straight to the cybercriminals.
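The detection gap described above is that an automated URL scanner fetches only the reCAPTCHA gate and never sees the fake login page behind it. The following is an added example, not code from the Barracuda report: a check a URL scanner can run on the HTML it fetched so that a page that is nothing but a reCAPTCHA wall is recorded as unresolved rather than clean. The marker strings and the visible-text threshold are assumptions, and the sample HTML is constructed.

```python
# Added example, not code from the Barracuda report: a check an email-security
# URL scanner can run on the HTML it fetched, so a page that is only a reCAPTCHA
# gate is recorded as "captcha_gate" (unresolved) rather than "clean".
# Marker strings and the text threshold are assumptions; sample HTML is constructed.
from html.parser import HTMLParser

RECAPTCHA_MARKERS = ("recaptcha/api.js", "g-recaptcha")
MIN_VISIBLE_CHARS = 200  # assumed: a real landing page shows more text than a gate

class _Scan(HTMLParser):
    # Collects visible-text length, reCAPTCHA markers and password inputs.
    def __init__(self):
        super().__init__()
        self.visible_chars = 0
        self.markers = set()
        self.password_field = False
        self._skip = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        src, cls = a.get("src") or "", a.get("class") or ""
        if any(m in src or m in cls for m in RECAPTCHA_MARKERS):
            self.markers.add(tag)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_field = True

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:  # script/style text is not visible to a user
            self.visible_chars += len(data.strip())

def classify_fetch(html: str) -> str:
    """Return 'captcha_gate' (wall hid the page), 'credential_form' or 'content'."""
    s = _Scan()
    s.feed(html)
    if s.markers and s.visible_chars < MIN_VISIBLE_CHARS and not s.password_field:
        return "captcha_gate"  # never score this fetch as clean; escalate for review
    return "credential_form" if s.password_field else "content"

# Constructed sample: what an automated scanner gets back from a gated phishing URL.
GATE_HTML = ('<html><head><script src="https://www.google.com/recaptcha/api.js">'
             '</script></head><body><form action="/verify" method="post">'
             '<div class="g-recaptcha" data-sitekey="PLACEHOLDER_SITEKEY"></div>'
             '<p>Please verify you are human.</p></form></body></html>')
```

A "captcha_gate" verdict means the scanner has not actually inspected the destination, so the URL should be held for further analysis or user warning instead of being passed as benign.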
Steps to Protect
Jonathon Tanner, Senior Security Researcher at Barracuda Networks, said in the blog, “The most important step in protecting against malicious reCAPTCHA walls is to educate users about the threat so they know how to be cautious instead of assuming reCAPTCHA is a sign that a page is safe. Users should exercise scrutiny when seeing reCAPTCHA walls, especially in unexpected places where legitimate walls have not been encountered in the past.
As with any email-based phishing, checking for suspicious senders, URLs, and attachments will help users spot this attack before they get to the reCAPTCHA. The email itself is a phishing attack and may be detected by email protection solutions. However, ultimately no security solution will catch everything, and the ability of the users to spot suspicious emails and websites is key.”