reCaptcha walls, the online service used for human verification, has been reportedly used by cyberattackers to conduct new waves of phishing attacks.
Scammers leveraging reCaptcha walls
In a recent campaign, scammers were seen using the legitimate reCaptcha walls for a phishing email scam involving a fake Microsoft login page.
- Sophisticated scammers have identified a way to use the reCaptcha service to prevent automated URL analysis systems from analyzing the actual content of phishing pages, making these scams more realistic to their victims.
- A single phishing campaign was identified by the security firm, Barracuda Networks, in which 128,000 emails were sent to a variety of organizations and employees using reCAPTCHA walls, posing as fake Microsoft login pages.
- One of the sample phishing emails included a voicemail message received by the victim. Upon clicking, it took users to a genuine-looking page with a reCaptcha wall.
- Solving the reCAPTCHA wall redirects the victims to a fake Microsoft login page, asking users for Microsoft credentials to proceed, which are then sent straight to the fraudsters.
The reCaptcha under test
There have been several attempts to break the reCaptcha security.
- In November 2019, a research-focused Burp Suite extension called Turbo Intruder was developed, that could be used to partially bypass Google’s reCAPTCHA security.
- In March 2019, some researchers were able to develop an artificial intelligence code, that could fool Google’s reCAPTCHA tests into thinking that the user is a genuine human being and not an automated code.
How to prevent from reCaptcha attacks
Here are some guidelines to defend against reCaptcha related concerns.
- Do not blindly trust any website as genuine just because it is using the reCaptcha-based user validation.
- For the website using reCaptcha, an additional authentication factor, like a mobile-based OTP, can be added as an extra layer of security.