Cybercriminals Using reCAPTCHA To Increase Phishing Success Rate

Cyber scammers are starting to use legitimate reCAPTCHA walls to disguise malicious content from email security systems, Barracuda Networks has observed. The reCAPTCHA walls prevent email security systems from blocking phishing attacks and make the phishing site more believable in the eyes of the user. Barracuda researchers say malicious hackers are using the reCAPTCHA test to block URL scanning services from accessing the phishing page content. Legitimate companies use the Google service to deter bots from scraping content.

reCAPTCHA walls are typically used to verify human users before allowing access to web content. Sophisticated scammers are therefore starting to use the Google-owned service to prevent automated URL analysis systems from accessing the actual content of phishing pages.

Researchers observed that one email credential phishing campaign had sent out more than 128,000 emails to various organizations and employees, using reCAPTCHA walls to conceal fake Microsoft login pages. The phishing emails used in this campaign claim that the user has received a voicemail message.

Once the user solves the reCAPTCHA in this campaign, they are redirected to the actual phishing page, which spoofs the appearance of a common Microsoft login page. Unsuspecting users will be unaware that any login information they enter will be sent straight to the cyber scammers, who will likely use this information to hack into the real Microsoft account.
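On the defensive side, a URL scanner that fetches only the reCAPTCHA wall has not seen the page behind it, so the result should be recorded as unverified rather than clean. The following is an added example, not code from Barracuda or from this article; the names `triage` and `PageFacts`, the verdict labels and the 200-character threshold are assumptions, and the sample pages are constructed.

```python
from html.parser import HTMLParser

RECAPTCHA_SCRIPT = "google.com/recaptcha/api.js"  # loader script of a standard reCAPTCHA embed
RECAPTCHA_CLASS = "g-recaptcha"                   # widget container class of that embed
MAX_GATE_TEXT = 200  # assumed threshold: a bare gate page shows very little text

class PageFacts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.has_captcha = self.has_password_field = False
        self.text_len = 0
        self._hidden = 0  # depth inside <script>/<style>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._hidden += 1
        if (tag == "script" and RECAPTCHA_SCRIPT in a.get("src", "")) \
                or RECAPTCHA_CLASS in a.get("class", "").split():
            self.has_captcha = True
        if tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text_len += len(data.strip())

def triage(html: str) -> str:
    """Classify a fetched landing page for the URL-scanning pipeline."""
    facts = PageFacts()
    facts.feed(html)
    if facts.has_password_field:
        return "login_form"     # content visible: run the credential-page checks
    if facts.has_captcha and facts.text_len <= MAX_GATE_TEXT:
        return "captcha_gated"  # content not seen: must not be recorded as clean
    return "scanned"

# Constructed sample pages (not taken from the campaign described above).
GATE = ('<html><head><script src="https://www.google.com/recaptcha/api.js"></script></head>'
        '<body><form><div class="g-recaptcha" data-sitekey="PLACEHOLDER"></div></form></body></html>')
LOGIN = '<html><body><h1>Sign in</h1><form><input type="password" name="p"></form></body></html>'
ARTICLE = '<html><body><p>' + 'Quarterly report text. ' * 20 + '</p></body></html>'
if __name__ == "__main__":
    for name, page in (("gate", GATE), ("login", LOGIN), ("article", ARTICLE)):
        print(name, triage(page))
```

A `captcha_gated` verdict says only that the scanner was blocked; many legitimate sites use reCAPTCHA, so it is best combined with the email-level signals (sender, lure text, attachments) before a decision is made.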

For Steve Peake, UK Systems Engineer Manager at Barracuda Networks, the discovery is hardly a surprise given the ever-increasing sophistication of hackers. He said:

“Fortunately, there are a number of proactive measures employers and business owners can take to prevent a security breach. Most importantly, users must be educated about the threat so they know to be cautious instead of assuming a reCAPTCHA is a sign that a page is safe.

“Furthermore, whilst reCAPTCHA-based scams make it harder for automated URL analysis to be conducted, sophisticated email security solutions can still detect these phishing attacks using AI-based email protection solutions. Ultimately, however, no security solution will catch everything, and the ability of the users to spot suspicious emails and websites is key.”

He also claims that advanced email security solutions would still be able to detect the malicious attempt, even when it is hidden behind a reCAPTCHA.

“As with any email-based phishing, checking for suspicious senders, URLs, and attachments will help users spot this attack before they get to the reCAPTCHA. The email itself is a phishing attack and may be detected by email protection solutions. However, ultimately no security solution will catch everything, and the ability of the users to spot suspicious emails and websites is key.”
