Cybersecurity researchers at Avanan reported in February 2022 that the CAPTCHA-form phishing scam first seen in April 2021 has resurfaced with a more credible and more robust attack scheme. Where the original scheme relied on security scanners' trust in Google's reCAPTCHA product, this time the adversaries also sent their legitimate-looking emails from a compromised university domain, with the lure again ending in a CAPTCHA-gated credential-harvesting page.

What are CAPTCHAs?

While browsing for articles, registering on websites, or creating accounts online, we are often asked to tick a box confirming that we are not a robot. This is sometimes followed by a seemingly trivial challenge, such as solving a basic math problem, selecting the image tiles that contain traffic lights, or another task that is easy for a person but hard to automate. These tests are known as CAPTCHAs, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

Google’s reCAPTCHA is one of the most widely deployed CAPTCHA services. Because the widget loads from Google-owned domains that security scanners generally trust and allowlist, a phishing page that embeds it inherits that trust: the scanner sees a request to Google, not to a malicious host, which gives the threat actors a swift entry into many allowlists.

What Happened Earlier?

In April 2021, Avanan demonstrated how adversaries could bypass secure email gateways (SEGs) using CAPTCHA forms. The reCAPTCHA widget connects to Google’s IP addresses, which typically sit on an SEG’s allowlist. Avanan reported that adversaries could exploit this blind spot by sending phishing emails that redirect users to a phishing site where they first have to solve a CAPTCHA form to prove that they are not crawlers or scanners.

Thus, the scam does not become apparent until the user solves the CAPTCHA challenge and reaches the next page, which asks them to log in to their Microsoft account; an automated scanner never gets that far. In other words, the adversaries misused the trust that scanners place in Google’s reCAPTCHA product.

What is the Present Attack Vector?

In the present attack, the attackers again use CAPTCHA forms to bypass scanners, roughly a year after Avanan’s original demonstration of the technique. The adversaries reuse the same approach but add credibility by bringing a university domain into the picture.

The threat actors use a previously compromised university email domain to send the phishing emails, which aim at credential harvesting through impersonation and CAPTCHA forms. Anyone on the internet can be targeted, and the threat is a severe one. Because the emails come from a legitimate domain, they pass the sender checks that would normally stop them and land in users’ inboxes. From there, all it takes is for a user to open the malicious email and follow its instructions.

How is the Attack Executed?

In the current attack, the attackers use CAPTCHA forms to evade phishing-detection filters. End-users first receive a legitimate-looking email claiming to contain a faxed document as a PDF attachment. Opening the PDF leads to a fake site that presents a CAPTCHA form. Once users solve the CAPTCHA, they are directed to a fake Microsoft OneDrive login page, where they are asked to enter their email address and password to access the PDF.

In essence, the malicious content sits behind a seemingly harmless reCAPTCHA that an automated security scanner cannot solve, so the credential-harvesting page behind it is never scanned for malicious content; all the scanner observes is a page that talks to Google. On top of that, the email comes from a legitimate domain (the compromised university site), which serves as further apparent proof of the email’s authenticity.
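The scanner-side consequence of the paragraph above is that a landing page consisting of nothing but a reCAPTCHA widget should be treated as unverifiable rather than clean. The following script is an added example written for this article, not Avanan's code or any vendor's detection logic: it parses a fetched landing page, counts the visible content, and classifies a near-empty page that embeds reCAPTCHA as a "captcha gate" that a scanner cannot pass. The HTML samples and the 40-word threshold are constructed for the example.

```python
"""Flag link landing pages that hide their content behind a CAPTCHA.

Added example for this article, not Avanan's code. An email scanner that
follows a link and meets only a reCAPTCHA widget cannot solve it, so the
page behind it stays unscanned. Instead of treating that page as clean,
this heuristic classifies it as an unverifiable "captcha gate" so it can be
held or escalated for manual review. The HTML samples are constructed.
"""
import re
from html.parser import HTMLParser

# Script sources / widget class that indicate Google's reCAPTCHA widget.
RECAPTCHA_SCRIPT_HOSTS = ("www.google.com/recaptcha", "www.recaptcha.net/recaptcha")
RECAPTCHA_WIDGET_CLASS = "g-recaptcha"


class _PageStats(HTMLParser):
    """Collect the few facts the heuristic needs while parsing the page."""

    def __init__(self):
        super().__init__()
        self.visible_words = 0       # words outside <script>/<style>
        self.has_recaptcha = False
        self.password_inputs = 0
        self._skip_depth = 0         # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip_depth += 1
        if tag == "script" and any(h in (a.get("src") or "") for h in RECAPTCHA_SCRIPT_HOSTS):
            self.has_recaptcha = True
        if RECAPTCHA_WIDGET_CLASS in (a.get("class") or "").split():
            self.has_recaptcha = True
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.visible_words += len(re.findall(r"\w+", data))


def classify_landing_page(html, min_words=40):
    """Return 'credential_form', 'captcha_gate' or 'content'.

    A page with a password field is a credential form and gets the usual
    brand-impersonation checks. A page whose only real content is a
    reCAPTCHA widget (few visible words) is a gate the scanner cannot pass:
    it must not be cleared just because its outbound requests go to Google.
    """
    stats = _PageStats()
    stats.feed(html)
    stats.close()
    if stats.password_inputs:
        return "credential_form"
    if stats.has_recaptcha and stats.visible_words < min_words:
        return "captcha_gate"
    return "content"


# Constructed samples (not captured from the campaign).
GATE_PAGE = """<!doctype html><html><head><title>Document</title>
<script src="https://www.google.com/recaptcha/api.js" async defer></script></head>
<body><form action="/verify" method="post">
<p>Please verify you are human to view the faxed document.</p>
<div class="g-recaptcha" data-sitekey="constructed-site-key"></div>
<button type="submit">Continue</button></form></body></html>"""

CREDENTIAL_PAGE = """<html><body><form action="/auth" method="post">
<h1>OneDrive</h1><p>Sign in to view the document.</p>
<input type="email" name="user"><input type="password" name="pass">
<button type="submit">Sign in</button></form></body></html>"""

# An ordinary page that also embeds reCAPTCHA (e.g. on a comment form)
# but has plenty of visible content, so it is not a gate.
CONTENT_PAGE = ("<html><body><article>" + " ".join(f"word{i}" for i in range(60))
                + '</article><script src="https://www.google.com/recaptcha/api.js"></script>'
                "</body></html>")

if __name__ == "__main__":
    for name, page in (("gate", GATE_PAGE), ("credential", CREDENTIAL_PAGE), ("content", CONTENT_PAGE)):
        print(f"{name:10s} -> {classify_landing_page(page)}")
```

The useful policy decision is what to do with a "captcha_gate" verdict: hold the message or rewrite the link to a click-time check rather than deliver it, since the scanner has by definition not seen what is behind the gate.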

This is how the adversaries steal user credentials. The stolen credentials can then be used to launch targeted phishing attacks or sold on the dark web, exposing victims to further cyber threats.

Detecting The Attack

In the URL of the site users are redirected to (after clicking the attached document), the word ‘Storage’ is spelled with a zero instead of an ‘O’, and the word ‘Outlook’ is also misspelled. Users therefore need to read the URL carefully to spot these deliberate look-alike substitutions, which are chosen to survive a quick glance.
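The look-alike substitutions described above can be checked mechanically. The script below is an added example written for this article (not Avanan's tooling): it undoes common digit-for-letter swaps in a URL's host and path and reports any brand or lure word that only reads correctly after normalisation, and separately flags a correctly spelled brand name inside a hostname the brand does not own. The Microsoft domain allowlist is an assumption kept short for the example, and the sample URLs are constructed rather than taken from the campaign.

```python
"""Spot look-alike substitutions and brand impersonation in a URL.

Added example for this article, not Avanan's tooling. The campaign's landing
URL spelled 'Storage' with a zero and misspelled 'Outlook'; this check
normalises common digit-for-letter substitutions and reports any lure or
brand term that only appears after normalisation, plus brand names in
hostnames that Microsoft does not own. The allowlist and sample URLs are
constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Digit/symbol-for-letter swaps commonly used in look-alike URLs. Each maps to
# a single character so string offsets are preserved after translation.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                             "5": "s", "7": "t", "8": "b", "|": "l", "!": "i"})

# Words an attacker wants the victim to read (brand names and lure words).
LURE_TERMS = ("outlook", "onedrive", "office", "microsoft", "sharepoint", "storage")
# Brand names that should only appear in hostnames the brand actually owns.
BRAND_TERMS = ("outlook", "onedrive", "office", "microsoft", "sharepoint")
# Assumed allowlist of Microsoft-owned suffixes; extend for production use.
LEGIT_SUFFIXES = ("microsoft.com", "microsoftonline.com", "live.com",
                  "office.com", "onedrive.com", "sharepoint.com", "outlook.com")


def is_brand_host(host):
    """True only for the exact suffix or a subdomain of it, never a look-alike."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def analyze_url(url):
    """Return a list of (kind, field, spelled, term) findings; empty means clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    findings = []

    # 1. Terms that read as a lure word only after undoing confusable swaps.
    for field, raw in (("host", host), ("path", path)):
        norm = raw.translate(CONFUSABLES)
        for term in LURE_TERMS:
            for m in re.finditer(re.escape(term), norm):
                spelled = raw[m.start():m.end()]   # offsets align: 1:1 mapping
                if spelled != term:
                    findings.append(("confusable", field, spelled, term))

    # 2. A correctly spelled brand name inside a hostname the brand does not own.
    if not is_brand_host(host):
        for term in BRAND_TERMS:
            if term in host:
                findings.append(("brand_in_host", "host", host, term))
    return findings


# Constructed sample URLs (not the campaign's real ones).
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://st0rage-0utl00k.example/docs/view",
    "https://onedrive.verify-docs.example/login",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u)
        for kind, field, spelled, term in analyze_url(u):
            print(f"  [{kind}] {field}: '{spelled}' -> '{term}'")
```

Note that the substitution table is deliberately single-character so that offsets in the normalised string map straight back to the original spelling; a production version would add Unicode homoglyphs (Cyrillic ‘о’, ‘а’ and so on) via a confusables table rather than this short map.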

Protect from these CAPTCHA Scams

Since solving CAPTCHAs is an elementary (and often mandatory) security step that keeps bots out of website operations, it is not practical to do away with CAPTCHA forms just because adversaries are abusing them for credential theft. Users need to be more aware of their actions online and constantly question whether a website or URL actually leads where it promises, or whether there is something off in the content displayed. With that in mind, Avanan recommends the following security measures for users to protect against these attacks:

  • End-users should check a URL for authenticity before filling out a CAPTCHA form on it.
  • Consider whether a PDF file should really be password-protected. A password-protected copy of an account statement makes sense, but a company brochure that demands a password should ring alarm bells.
  • If a faxed document is received, confirm with the sender that they are actually in the office. Someone working from home is unlikely to be sending a fax, and that alone is reason enough to stay away from such an email.

Final Words

This scam relies heavily on Google’s free reCAPTCHA service to evade security scanning systems. As Avanan explains, security systems cannot realistically block Google, so the reCAPTCHA-gated lure is sure to get delivered. End-users, for their part, may not see any risk in solving the CAPTCHA challenge and are likely to regard it as a standard security measure. Together these factors increase the chance of credential theft and make this CAPTCHA-form scam such a severe security issue.
