reCaptcha Becomes a Phishing Tool

Photo credit: iStockphoto/chingyunsong

reCaptcha, the human-verification challenge that websites use to keep bots from scraping content, is now being used by phishers to keep URL scanning services from reaching their pages.

Barracuda Networks researchers have noted an uptick in phishing campaigns that place a familiar reCaptcha wall in front of the phishing page, so that URL scanners never see the actual content behind it.

Part of the reason for the walls' rising popularity is user familiarity. reCaptcha is widely used to check whether a visitor is a bot or a human, so a phishing site that uses the same technique to stop automated URL scans looks trustworthy rather than suspicious.

Like every phishing campaign, there are varieties. Some campaigns merely spoof the reCaptcha box: the page contains only a checkbox and a form, and nothing is verified. Others embed the actual reCaptcha API. The latter is more effective at deterring automated scanners, because a fake reCaptcha box is bypassed simply by submitting the form, whereas the real one will not release the page until the challenge has been solved.

Barracuda Networks researchers have observed multiple email credential phishing campaigns that put reCaptcha walls on the links in phishing emails. One campaign alone comprised over 128,000 emails using this technique to hide fake Microsoft login pages.

Often, the phishing emails carry an HTML attachment that redirects the recipient to a page with a reCaptcha wall. Since legitimate sites routinely put a reCaptcha in front of content, users see nothing unusual.

Once the user solves the reCaptcha, they are redirected to the actual phishing page, which mimics a common Microsoft login page.
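The flow described above (HTML attachment, reCaptcha wall, redirect to the login page) leaves traces in the markup that a triage script can look for. The following is an added example written for this article, not Barracuda's tooling or code from the campaigns; the sample pages, the `example.invalid` hostnames and the `SITEKEY-PLACEHOLDER` value are constructed. It distinguishes a wall built on the real reCaptcha loader from a spoofed checkbox, and extracts the redirect target so that, in the spoofed case, a scanner can fetch it directly (the bypass noted above), while a real-API wall is flagged for sandboxed or manual handling.

```python
"""Triage an HTML email attachment or landing page for a reCaptcha "wall" that
gates a redirect. Added example for this article, not Barracuda's tooling; the
sample pages and hostnames (example.invalid) below are constructed."""
import re
from html.parser import HTMLParser

# Markup signals: the real reCaptcha loader script, and client-side redirects.
API_SCRIPT = re.compile(
    r"https?://(?:www\.)?(?:google\.com|recaptcha\.net)/recaptcha/(?:api|enterprise)\.js", re.I)
REDIRECT = re.compile(
    r"""(?:window\.|top\.|document\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.(?:replace|assign)\(\s*["']([^"']+)["']""", re.I)
META_URL = re.compile(r"""url\s*=\s*['"]?([^'" ]+)""", re.I)
ROBOT_TEXT = re.compile("i['\u2019]?m not a robot", re.I)


class _Collector(HTMLParser):
    """Collect script sources, inline JS, tag attributes, visible text and meta refreshes."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline_js, self.tags, self.text, self.meta_redirects = [], [], [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        d = dict(attrs)
        self.tags.append((tag, d))
        if tag == "script":
            self._in_script = True
            if d.get("src"):
                self.script_srcs.append(d["src"])
        elif tag == "meta" and (d.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(d.get("content") or "")
            if m:
                self.meta_redirects.append(m.group(1))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.inline_js if self._in_script else self.text).append(data)


def analyze(html):
    """Classify a page; returns the verdict plus the evidence it rests on."""
    p = _Collector()
    p.feed(html)
    js = "\n".join(p.inline_js)
    real_api = any(API_SCRIPT.search(s) for s in p.script_srcs) or "grecaptcha" in js
    sitekeys = [d["data-sitekey"] for _, d in p.tags if d.get("data-sitekey")]
    has_checkbox = any(t == "input" and (d.get("type") or "").lower() == "checkbox" for t, d in p.tags)
    visible = " ".join("".join(p.text).split())
    # Spoofed wall: "I'm not a robot" wording plus a checkbox, but no real reCaptcha loader.
    fake_box = has_checkbox and bool(ROBOT_TEXT.search(visible)) and not real_api
    # Redirect targets from inline scripts, inline event handlers (onsubmit/onclick) and meta refresh.
    redirects = [a or b for a, b in REDIRECT.findall(js)]
    for _, d in p.tags:
        for k, v in d.items():
            if k.startswith("on") and v:
                redirects += [a or b for a, b in REDIRECT.findall(v)]
    redirects += p.meta_redirects

    if real_api and redirects:
        verdict = "recaptcha-wall:real-api"   # needs a solved challenge; scanners stall here
    elif fake_box and redirects:
        verdict = "recaptcha-wall:spoofed"    # a scanner can submit the form or go straight to the URL
    elif real_api or fake_box:
        verdict = "recaptcha-no-redirect"
    elif redirects:
        verdict = "redirect-only"             # e.g. an HTML attachment that bounces to the wall
    else:
        verdict = "no-wall"
    return {"verdict": verdict, "real_api": real_api, "fake_box": fake_box,
            "sitekeys": sitekeys, "redirects": redirects, "visible_words": len(visible.split())}


# Constructed samples, not artifacts from any real campaign.
FAKE_WALL = """<html><body><form onsubmit="window.location='https://login.example.invalid/verify'; return false;">
<label><input type="checkbox" name="human"> I'm not a robot</label><button>Continue</button>
</form></body></html>"""
REAL_WALL = """<html><head><script src="https://www.google.com/recaptcha/api.js" async defer></script>
<script>function onVerified(token) { window.location.href = "https://login.example.invalid/owa/?t=" + token; }</script>
</head><body><div class="g-recaptcha" data-sitekey="SITEKEY-PLACEHOLDER" data-callback="onVerified"></div></body></html>"""
ATTACHMENT = """<html><head><meta http-equiv="refresh" content="0;url=https://verify.example.invalid/step1"></head><body></body></html>"""
BENIGN = """<html><body><h1>Quarterly newsletter</h1><p>Office hours are unchanged this month; the menu is attached.</p></body></html>"""

if __name__ == "__main__":
    for name, page in [("fake", FAKE_WALL), ("real", REAL_WALL), ("attachment", ATTACHMENT), ("benign", BENIGN)]:
        r = analyze(page)
        print(f"{name:10s} {r['verdict']:24s} redirects={r['redirects']}")
```

Treat the output as a triage signal rather than a verdict: legitimate sites also redirect after a solved challenge, so a `recaptcha-wall:real-api` result means the gated URL should go to a sandbox or an analyst, and should be weighed together with the email-level signals that the wall cannot hide.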

Education will be a key defense against malicious reCaptcha walls. Users need to stop treating a reCaptcha as a sign that a page is safe, and should be suspicious of reCaptcha walls that appear in unexpected places, such as in front of a login page reached from an email attachment.

While a reCaptcha wall makes automated URL analysis harder, the email that delivers it is still a phishing attack that email protection solutions can detect.