Hackers Use CAPTCHA To Hide Phishing and Malware
Hackers are using Google's reCAPTCHA and fake, CAPTCHA-like services to hide phishing campaigns, according to researchers. CAPTCHAs are familiar to most internet users as the challenges used to confirm that a visitor is human. The puzzles usually involve clicking all photos in a grid that contain a certain object, or typing in a word presented as blurred or distorted text. The idea is to weed out bots on eCommerce and online account sites, but the same mechanism serves cyber-criminals equally well. Hiding phishing content behind CAPTCHAs prevents security bots from detecting malicious content and adds a legitimate look to phishing login pages. In the last month, Unit 42 found over 7,500 unique, malicious URLs in over 4,000 domains using the obfuscation method. Survey and lottery scams are the most common pages. In exchange for a chance at winning the lottery, the victim is tricked into disclosing sensitive information, including banking information.
It's possible to detect phishing pages through the association of CAPTCHA keys, according to Unit 42 researchers. The page that embeds the CAPTCHA issues sub-requests, visible in its HTML, that carry the reCAPTCHA API key as a URL parameter. These identifiers can be parsed out and searched for on other pages. Several malicious campaigns reuse CAPTCHA service keys to simplify their malware infrastructure or to avoid being blocked by the legitimate reCAPTCHA provider for creating too many CAPTCHA accounts and keys.
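The key-association idea described above, as an added example that is not part of the original article or of Unit 42's tooling: it pulls reCAPTCHA site keys out of page HTML (the `data-sitekey` attribute, the `render=` parameter of the api.js script URL, and `grecaptcha.execute` calls) and groups crawled URLs by the key they share. The sample pages and the `KEY_PLACEHOLDER_*` values are constructed for the example.

```python
import re
from collections import defaultdict

# Places a reCAPTCHA site key appears in page HTML: the widget's data-sitekey
# attribute, the ?render= parameter of api.js / enterprise.js, and explicit
# grecaptcha.execute('<key>') calls.
_KEY_PATTERNS = [
    re.compile(r'data-sitekey\s*=\s*["\']([^"\']+)["\']', re.I),
    re.compile(r'recaptcha/(?:api|enterprise)\.js\?[^"\'\s]*?render=([^"\'&\s]+)', re.I),
    re.compile(r'grecaptcha(?:\.enterprise)?\.execute\(\s*["\']([^"\']+)["\']', re.I),
]

def extract_recaptcha_keys(html: str) -> set[str]:
    """Return every reCAPTCHA site key referenced by a page."""
    keys = set()
    for pat in _KEY_PATTERNS:
        keys.update(m.group(1) for m in pat.finditer(html))
    keys.discard("explicit")  # 'render=explicit' is a load mode, not a key
    return keys

def cluster_by_key(pages: dict[str, str]) -> dict[str, list[str]]:
    """Map each site key to the sorted list of URLs whose HTML uses it."""
    clusters = defaultdict(set)
    for url, html in pages.items():
        for key in extract_recaptcha_keys(html):
            clusters[key].add(url)
    return {k: sorted(v) for k, v in clusters.items()}

def shared_keys(pages: dict[str, str], min_pages: int = 2) -> dict[str, list[str]]:
    """Keys seen on at least min_pages distinct URLs: the detection-by-association signal."""
    return {k: v for k, v in cluster_by_key(pages).items() if len(v) >= min_pages}

# Constructed sample crawl (not real data); the keys are obvious placeholders.
SAMPLE_PAGES = {
    "https://lottery-claim.example/win": (
        '<script src="https://www.google.com/recaptcha/api.js?render=KEY_PLACEHOLDER_A"></script>'
        '<div class="g-recaptcha" data-sitekey="KEY_PLACEHOLDER_A"></div>'
    ),
    "https://survey-prize.example/step1": (
        '<script src="https://www.google.com/recaptcha/api.js?onload=cb&render=explicit"></script>'
        '<div class="g-recaptcha" data-sitekey="KEY_PLACEHOLDER_A"></div>'
    ),
    "https://bank-login.example/verify": "<script>grecaptcha.execute('KEY_PLACEHOLDER_B', {action: 'login'});</script>",
    "https://shop.example/checkout": '<div class="g-recaptcha" data-sitekey="KEY_PLACEHOLDER_C"></div>',
}

if __name__ == "__main__":
    for key, urls in shared_keys(SAMPLE_PAGES).items():
        print(key, "->", urls)  # pages tied together by a reused key
```

In practice the key-to-URL map is kept across crawls, so a key first seen on a confirmed phishing page flags every later page that reuses it.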
Mass phishing campaigns have become more sophisticated, using techniques to escape detection by automated security crawlers. When hackers share infrastructure, services or tools across their malicious websites, we can leverage these indicators against them. CAPTCHA identifiers are one great example of such detection by association. Phishing attacks are often sophisticated and highly targeted, and tactics continually change to bypass technical and human defenses. To stay one step ahead of the scammers, we need to adopt an in-depth approach to security and implement multiple, overlapping layers of security to block threats. If phishers and hackers manage to bypass one layer of security defenses, others should be in place to provide protection.