Industry News

Cybercriminals are using Google reCAPTCHA to hide their phishing attacks

Cybercriminal are using Google reCAPTCHA to hide their phishing attacks

I doubt any of us would claim to be fans of CAPTCHA – the puzzles that a website asks you to complete to prove if you’re a human being or not.

Unscrambling a distorted graphic to try to read the letters jumbled within, or select only the images containing a traffic night, can be too much of a challenge for some of us to successfully complete on our first (and sometimes even our second and third) attempt.

But they do, of course, lend a hand in keeping automated bots away – helping to prevent them from creating bogus accounts or leave spammy messages on a website comment form.

And, in fairness, modern implementations like Google reCAPTCHA version 3 have changed the way that CAPTCHA systems work, often asking users just to click a box saying “I’m not a robot.” rather than detect all the images with a bicycle.

But researchers at Barracuda say that they are seeing cybercriminals deploying Google’s reCAPTCHA anti-bot tool in an effort to avoid early detection of their malicious campaigns.

As the researchers explain, criminals are using reCAPTCHA walls to block the content of their phishing pages from being scanned by URL scanning services.

In other words, the reCAPTCHA system doesn’t just block malicious bots – it also successfully prevents benign bots, such as an automated system which checks the safety of URLs in an email before a feeble-minded human clicks on them.

In short, automated URL analysis systems cannot access the actual content of the phishing page, and so they are not able to use any of the information contained upon it when assessing if a link is safe to click on or not.

Furthermore, the researchers claim that humans may actually find the presence of a reCAPTCHA test reassuring, and as a consequence find the phishing site more believable.

Barracuda’s team point to a recent phishing campaign sent to over 128,000 email addresses as an example of the technique in operation.

The phishing attack posed as a new voicemail notification, which encouraged recipients to open an attachment to listen to the voice message that they had missed.

The attached file was an HTML file that redirected users to a webpage containing nothing but a Google reCAPTCHA.

Completing the reCAPTCHA resulted in users being redirected to a phishing page, which in this case purported to be the genuine Microsoft login page – but designed to steal passwords.

Remember this – no security solution is likely to be 100% effective, and the presence of a Google reCAPTCHA does not guarantee that what it is protecting can be trusted.

Always exercise careful judgement about where you enter sensitive information, and consider using a password manager.

Good password managers continue to be a strong defence against phishing. A password manager will not prompt you to enter your passwords on a domain that it does not recognise – meaning that even if a phishing site looks like a genuine webpage, it will not offer to enter your credentials unless it recognises the URL in the browser bar. Phishing prevention is one of the best reasons to run a password manager, but often overlooked.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.