In the never-ending battle between cybersecurity and cybercrime, cybercriminals continue to find new techniques to evade detection. One such trick Barracuda researchers have started seeing more often in phishing campaigns uses reCaptcha walls to block URL scanning services from accessing the content of phishing pages.
This technique is commonly used by legitimate companies to deter bots from scraping content. Because end users are so familiar with being asked to solve a reCaptcha and prove they aren’t a robot, malicious use of a real reCaptcha wall also lends more credibility to the phishing site, making users more likely to be tricked.
Highlighted Threat
Malicious use of reCaptcha walls — Email credential phishing campaigns are starting to use reCaptcha walls to prevent automated URL analysis systems from accessing the actual content of phishing pages. The reCaptcha walls make the phishing site more believable in the eyes of the user as well.
While some campaigns simply spoof the reCaptcha box and only really contain a checkbox and a form, the use of the actual reCaptcha API is becoming increasingly common. This approach is undoubtedly more effective in deterring automated scanners because a fake reCaptcha box could easily be programmatically bypassed by simply submitting the form.
That is likely why Barracuda researchers are observing fewer fake reCaptcha boxes. In the samples examined for this report, only one email with a fake reCaptcha box was detected, compared to more than 100,000 emails using the real API.
The Details
In recent weeks, Barracuda researchers have observed multiple email credential phishing campaigns using reCaptcha walls on links in phishing emails. One campaign had more than 128,000 emails using this technique to obfuscate fake Microsoft login pages. The phishing emails used in this campaign, like the example shown below, claim that the user has received a voicemail message.
The emails contain an HTML attachment that redirects to a page with a reCaptcha wall. The page doesn’t contain anything other than the reCaptcha, but this is fairly common format for legitimate reCaptchas as well, so it isn’t likely to raise red flags for a user.
Once the user solves the reCaptcha in this campaign, they are redirected to the actual phishing page, which spoofs the appearance of a common Microsoft login page. It is not clear whether the page’s appearance matches the user’s legitimate mail server, but it’s possible that using some simple reconnaissance the attacker could find this sort of information to make the phishing page even more convincing.
How to Protect Against This Threat
The most important step in protecting against malicious reCaptcha walls is to educate users about the threat so they know to be cautious instead of assuming a reCaptcha is a sign that a page is safe. Users should exercise scrutiny when seeing reCaptcha walls, especially in unexpected places where legitimate walls have not been encountered in the past.
As with any email-based phishing, checking for suspicious senders, URLs, and attachments will help users spot this attack before they get to the reCaptcha. So, providing users with security awareness training and a solid foundation in how to recognize phishing attacks and how to report them will also help protect against this type of attack.
While this trick with reCaptcha makes it harder for automated URL analysis to be done, the email itself still a phishing attack and may be detected by email protection solutions. Ultimately, however, no security solution will catch everything, and the ability of the users to spot suspicious emails and websites is key.
Serious threats may be hiding in your Office 365 mailboxes.
It’s critical to assess and understand your email security vulnerabilities. Using artificial intelligence and API integration with Office 365, the Barracuda Email Threat Scanner quickly and effectively finds social engineering attacks currently sitting in your mailboxes.
Scan your Office 365 environment. It’s fast, free and safe—with no impact on email performance. Scan your email now.
Originally published on the Barracuda Blog, April 30, 2020, by Jonathan Tanner.