Hackers hijack reCaptcha walls to increase phishing attack effectiveness

Barracuda Networks Global Threat Spotlight report reveals that there have been 128,000 emails to various organisations and employees using reCaptcha walls to conceal fake Microsoft login pages as cyber risk grows during Covid-19 outbreak

by Patrick Sullivan, Political Editor on 30 April 2020 11:07


Cyber criminals are starting to use legitimate reCaptcha walls to disguise malicious content from email security systems, Barracuda Networks, the trusted partner and leading provider for cloud-enabled security solutions, has observed.

The reCaptcha walls prevent email security systems from blocking phishing attacks and make the phishing site more believable in the eyes of the user.

ReCaptcha walls are typically used to verify human users before allowing access to web content, thus sophisticated scammers are starting to use the Google-owned service to prevent automated URL analysis systems from accessing the actual content of phishing pages.

Barracuda researchers observed that one email credential phishing campaign had sent out more than 128,000 emails to various organisations and employees using reCaptcha walls to conceal fake Microsoft login pages.

The phishing emails used in this campaign claim that the user has received a voicemail message. Once the user solves the reCaptcha in this campaign, they are redirected to the actual phishing page, which spoofs the appearance of a common Microsoft login page.

Unsuspecting users will be unaware that any login information they enter will be sent straight to the cyber scammers, who will likely use this information to hack into the real Microsoft account.

Cyber chief Steve Peake, UK Systems Engineer Manager, Barracuda Networks warned, “In this difficult time, it is no surprise to see that cyber scammers are seeking increasingly sophisticated methods of stealing log-in credentials and data from unsuspecting, remote workers.

“Fortunately, there are a number of proactive measures employers and business owners can take to prevent a security breach. Most importantly, users must be educated about the threat so they know to be cautious instead of assuming a reCaptcha is a sign that a page is safe.

“Furthermore, whilst reCaptcha based scams make it harder for automated URL analysis to be conducted, sophisticated email security solutions can still detect these phishing attacks using AI-based email protection solutions. Ultimately, however, no security solution will catch everything, and the ability of the users to spot suspicious emails and websites is key,” concluded Peake.

blog comments powered by Disqus