Cybercriminals are using Google reCAPTCHA to hide their phishing attacks

Graham CLULEY

April 30, 2020

I doubt any of us would claim to be fans of CAPTCHA – the puzzles that a website asks you to complete to prove if you’re a human being or not.

Unscrambling a distorted graphic to try to read the letters jumbled within, or selecting only the images containing a traffic light, can be too much of a challenge for some of us to complete successfully on our first (and sometimes even our second and third) attempt.

But they do, of course, lend a hand in keeping automated bots away – helping to prevent them from creating bogus accounts or leaving spammy messages on a website comment form.

And, in fairness, modern implementations like Google reCAPTCHA version 3 have changed the way that CAPTCHA systems work, often asking users just to click a box saying “I’m not a robot” rather than pick out all the images containing a bicycle.

But researchers at Barracuda say that they are seeing cybercriminals deploying Google’s reCAPTCHA anti-bot tool in an effort to avoid early detection of their malicious campaigns.

As the researchers explain, criminals are using reCAPTCHA walls to block the content of their phishing pages from being scanned by URL scanning services.

In other words, the reCAPTCHA system doesn’t just block malicious bots – it also successfully prevents benign bots, such as an automated system which checks the safety of URLs in an email before a feeble-minded human clicks on them.

In short, automated URL analysis systems cannot access the actual content of the phishing page, and so they are not able to use any of the information contained on it when assessing whether a link is safe to click on or not.

Furthermore, the researchers claim that humans may actually find the presence of a reCAPTCHA test reassuring, and as a consequence find the phishing site more believable.

Barracuda’s team point to a recent phishing campaign sent to over 128,000 email addresses as an example of the technique in operation.

The phishing attack posed as a new voicemail notification, which encouraged recipients to open an attachment to listen to the voice message that they had missed.

The attached file was an HTML file that redirected users to a webpage containing nothing but a Google reCAPTCHA.

Completing the reCAPTCHA resulted in users being redirected to a phishing page, which in this case purported to be the genuine Microsoft login page – but designed to steal passwords.
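The evasion described above is a scanning blind spot rather than a flaw in reCAPTCHA itself, so a URL scanner can at least refuse to report a link as clean when the only thing it managed to fetch was a CAPTCHA gate. The following is an added illustration, not code from Barracuda or Bitdefender: it treats an HTML attachment that redirects on open, landing on a page that loads reCAPTCHA but shows almost no other content, as "unverified" instead of "safe". All HTML samples are constructed, and `SITEKEY_PLACEHOLDER` stands in for a real site key.

```python
# Added example: scanner-side heuristics for the reCAPTCHA-wall evasion.
# Not code from the article, Barracuda or Bitdefender; samples are constructed.
import re
from html.parser import HTMLParser

RECAPTCHA_MARKERS = ("www.google.com/recaptcha", "g-recaptcha", "grecaptcha")
# Client-side redirects an HTML attachment commonly uses to reach a gate page.
REDIRECT_RE = re.compile(
    r'http-equiv=["\']refresh["\']|location\.(href|replace|assign)|window\.location',
    re.IGNORECASE)

class _VisibleText(HTMLParser):
    """Count human-visible words and typed input fields, skipping script/style."""
    def __init__(self):
        super().__init__()
        self.words, self.inputs, self._hidden = 0, 0, 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        if tag in ("input", "textarea") and dict(attrs).get("type") != "hidden":
            self.inputs += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1
    def handle_data(self, data):
        if not self._hidden:
            self.words += len(data.split())

def is_captcha_wall(html: str) -> bool:
    """Page loads reCAPTCHA but offers no inputs and under 25 visible words."""
    p = _VisibleText()
    p.feed(html)
    low = html.lower()
    return any(m in low for m in RECAPTCHA_MARKERS) and p.inputs == 0 and p.words < 25

def attachment_redirects(html: str) -> bool:
    """HTML attachment bounces the reader elsewhere as soon as it is opened."""
    return REDIRECT_RE.search(html) is not None

def verdict(attachment_html: str, landing_html: str) -> str:
    """Never call a link clean when the scanner never saw the real page."""
    if attachment_redirects(attachment_html) and is_captcha_wall(landing_html):
        return "unverified: content hidden behind CAPTCHA wall"
    return "scanned"

# Constructed samples: a redirecting attachment, a bare gate page, and a
# legitimate comment form that also happens to use reCAPTCHA.
ATTACHMENT = ('<html><head><meta http-equiv="refresh" '
              'content="0;url=https://gate.example.invalid/"></head></html>')
WALL = ('<html><body><form action="/go" method="post">'
        '<div class="g-recaptcha" data-sitekey="SITEKEY_PLACEHOLDER"></div>'
        '<script src="https://www.google.com/recaptcha/api.js" async defer></script>'
        '</form></body></html>')
COMMENT_FORM = ('<html><body><h1>Leave a comment</h1><p>Comments are moderated '
                'and appear after review by the site team.</p><form>'
                '<textarea name="body"></textarea>'
                '<div class="g-recaptcha" data-sitekey="SITEKEY_PLACEHOLDER"></div>'
                '<input type="submit" value="Post"></form></body></html>')
```

A scanner that returns "unverified" here can hold the message for a second-stage check (for example, a sandbox that solves or bypasses the gate with operator approval) instead of letting the link through as safe.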

Remember this – no security solution is likely to be 100% effective, and the presence of a Google reCAPTCHA does not guarantee that what it is protecting can be trusted.

Always exercise careful judgement about where you enter sensitive information, and consider using a password manager.

Good password managers continue to be a strong defence against phishing. A password manager will not prompt you to enter your passwords on a domain that it does not recognise – meaning that even if a phishing site looks like a genuine webpage, it will not offer to enter your credentials unless it recognises the URL in the browser bar. Phishing prevention is one of the best reasons to run a password manager, but often overlooked.
