Cybercriminals Now Leverage reCAPTCHA Walls to Appear Legitimate

Scammers leveraging reCaptcha walls

• Sophisticated scammers have identified a way to use the reCaptcha service to prevent automated URL analysis systems from analyzing the actual content of phishing pages, making these scams more realistic to their victims.
• A single phishing campaign was identified by the security firm, Barracuda Networks, in which 128,000 emails were sent to a variety of organizations and employees using reCAPTCHA walls, posing as fake Microsoft login pages.
• One of the sample phishing emails included a voicemail message received by the victim. Upon clicking, it took users to a genuine-looking page with a reCaptcha wall.
• Solving the reCAPTCHA wall redirects the victims to a fake Microsoft login page, asking users for Microsoft credentials to proceed, which are then sent straight to the fraudsters. 

The reCaptcha under test

• In November 2019, a research-focused Burp Suite extension called Turbo Intruder was developed, that could be used to partially bypass Google’s reCAPTCHA security.
• In March 2019, some researchers were able to develop an artificial intelligence code, that could fool Google’s reCAPTCHA tests into thinking that the user is a genuine human being and not an automated code.
• In February 2019, a phishing campaign was spotted targeting a Polish bank, in which a fake Google reCAPTCHA was used to lure victims, using some static HTML elements and JavaScript.

How to prevent from reCaptcha attacks

• Do not blindly trust any website as genuine just because it is using the reCaptcha-based user validation. 
• For the website using reCaptcha, an additional authentication factor, like a mobile-based OTP, can be added as an extra layer of security.