Cybercriminals are now taking advantage of Google’s reCAPTCHA to hide their phishing or malware campaigns. CAPTCHAs, in simpler terms, are challenges to prove that a user is a human.

Escaping detection with CAPTCHAs

According to researchers from Palo Alto Networks’ Unit 42, malicious campaigns are reusing CAPTCHA service keys to avoid being blocked by reCAPTCHA providers.
  • The goal of such attacks is to hide phishing content behind CAPTCHAs that stop security defenses from detecting malicious content while adding somewhat legitimacy to pages.
  • According to the report, the security firm spotted 7,572 malicious URLs over 4,088 pay-level domains with obfuscation techniques, in the last month itself.
  • Moreover, scam campaigns and malicious gateways are using CAPTCHA evasion as well in their campaigns.

Additional insights

Other categories for such attacks are malware delivery pages and grayware campaigns (e.g. survey and lottery scams) that target valid CAPTCHA services. 
  • In grayware campaigns, targeted victims are baited into revealing their information, such as addresses, date of births, banking info, and annual income.
  • For malware delivery, a URL to a malicious website (delivering malicious JAR files) can be protected with a CAPTCHA challenge to avoid security scanners from scanning the website.
  • In the top ten most popular malicious URLs, six belong to the grayware and four to malware categories. The grayware page that collects info accounted for 51% of the customer visits.


Phishing and malware campaigns are employing new evasion techniques and becoming technically advanced. The use of CAPTCHAs is a prime example, where attackers are escaping detection from security crawlers. However, such phishing pages can be detected with the association of CAPTCHA identifiers that can be used as IOCs to detect such attacks.

Cyware Publisher