Posted on August 20, 2021 at 4:50 PM
Criminals are misusing existing CAPTCHA and deploying fake ones to carry out scams
Online criminals have always been prone to misusing pretty much any security technology and twisting it to fit their needs. Now they have also figured out a way to turn CAPTCHA validation to their advantage.
According to recent reports, threat actors are abusing Google's reCAPTCHA, a legitimate challenge-and-response service, and they have also been caught deploying customized fake CAPTCHAs. The report comes from Palo Alto Networks' Unit 42 researchers, who explained in detail how CAPTCHA features are being exploited.
This includes Google's reCAPTCHA, better known to users as the "I'm not a robot" checkbox. Bad actors are misusing these technologies to carry out scams against unsuspecting users.
How do the attacks work?
According to Unit 42, attackers are placing fake or repurposed CAPTCHA-like services in front of their pages, particularly in phishing campaigns. Researchers identified numerous malicious campaigns that abuse this technology, and they note that it is becoming something of a trend, with the number of CAPTCHA-protected phishing pages growing.
The campaign is actually rather simple, which is what makes it so successful. Instead of trying to figure out complex ways or invent new software that would hide phishing content from security crawlers that would otherwise detect them with ease, hackers simply started using CAPTCHAs to protect their phishing pages.
Because a CAPTCHA requires a human to complete it, automated security crawlers cannot get past it to inspect the page and so never classify it as phishing content. Furthermore, regular users who see a CAPTCHA tend to believe the page is legitimate, since no one expects a phishing page to sit behind a security measure.
Palo Alto Networks' researchers warn that this method of tricking users and security software alike is becoming increasingly widespread. They detected 7,572 unique malicious URLs protected by this method in one month alone.
Of course, while phishing appears to be the most common type of attack shielded by misused CAPTCHAs, it is far from the only one. CAPTCHAs are also placed in front of scam pages and other malicious content. Lottery and survey scams are becoming increasingly popular; researchers reported that they are among the most common grayware pages.
This is also rather simple in theory, with the users being promised a chance to win large amounts of money through lotteries. Alternatively, there are even deals where they are offered major payments in exchange for sensitive data, like their address, date of birth, banking details, annual income, and more. It is all completely fake, of course, as no payments would ever arrive. In addition, users could also be infected with malware through these pages.
How did researchers recognize malicious URLs?
So, how did researchers identify these malicious URLs? According to Unit 42, phishing attempts were detected through the association of CAPTCHA keys. The HTML of a CAPTCHA-protected page contains sub-requests to the reCAPTCHA service, and parsing those sub-requests reveals the reCAPTCHA API key (the site key) that is passed as a URL parameter.
Researchers explained that when threat actors reuse the same services, tools, and infrastructure across their ecosystem of malicious sites, security researchers have an opportunity to turn those shared indicators against them. CAPTCHA identifiers are an excellent example of such detection by association: pages that embed the same key are very likely run by the same operator.
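The detection-by-association idea described above, written out as a small Python script. This is an added example, not Unit 42's tooling or code from the original article. It assumes the three usual places a reCAPTCHA site key shows up in page HTML (a `data-sitekey` attribute, the `k=` parameter of an `api2/anchor` sub-request, and the `render=` parameter of `api.js`), assumes site keys are 40-character base64url-style strings, and runs over constructed sample pages with made-up keys and hostnames. Given one known-bad URL, it flags every other crawled page that embeds the same site key.

```python
import html
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Assumption: reCAPTCHA site keys are 40-character base64url-style strings.
SITE_KEY = r"[0-9A-Za-z_-]{40}"
DATA_SITEKEY_RE = re.compile(r'data-sitekey\s*=\s*["\'](' + SITE_KEY + r')["\']')
# src/href values that point at the reCAPTCHA API (google.com or recaptcha.net)
RECAPTCHA_URL_RE = re.compile(
    r'https?://(?:www\.)?(?:google\.com|recaptcha\.net)/recaptcha/[^"\'\s>]+')
# api2/anchor?k=<key> (v2 widget) and api.js?render=<key> (v3 script tag)
KEY_PARAMS = ("k", "render")


def extract_site_keys(page_html):
    """Return the set of reCAPTCHA site keys embedded in one page's HTML."""
    keys = set(DATA_SITEKEY_RE.findall(page_html))
    for url in RECAPTCHA_URL_RE.findall(page_html):
        # iframe/script src values are HTML-escaped (&amp;), so unescape first
        query = parse_qs(urlparse(html.unescape(url)).query)
        for param in KEY_PARAMS:
            for value in query.get(param, []):
                # render=explicit / render=onload are not keys; keep real ones
                if re.fullmatch(SITE_KEY, value):
                    keys.add(value)
    return keys


def group_by_site_key(pages):
    """Map each site key to the set of crawled URLs that embed it."""
    groups = defaultdict(set)
    for url, page_html in pages:
        for key in extract_site_keys(page_html):
            groups[key].add(url)
    return groups


def flag_by_association(pages, known_bad):
    """Return URLs (not already known bad) that share a site key with a known-bad URL."""
    flagged = set()
    for urls in group_by_site_key(pages).values():
        if urls & known_bad:
            flagged |= urls - known_bad
    return flagged


# Constructed sample crawl: (url, html) pairs with made-up keys and hostnames.
KEY_A = "6Le" + "A" * 37
KEY_B = "6Le" + "B" * 37
SAMPLE_PAGES = [
    ("https://phish-one.example/verify",
     '<form><div class="g-recaptcha" data-sitekey="%s"></div></form>' % KEY_A),
    ("https://phish-two.example/secure",
     '<iframe src="https://www.google.com/recaptcha/api2/anchor?ar=1&amp;k=%s&amp;hl=en"></iframe>' % KEY_A),
    ("https://shop.example/checkout",
     '<script src="https://www.google.com/recaptcha/api.js?render=%s"></script>' % KEY_B),
    ("https://blog.example/contact", "<p>No challenge here.</p>"),
]
KNOWN_BAD = {"https://phish-one.example/verify"}

if __name__ == "__main__":
    for key, urls in group_by_site_key(SAMPLE_PAGES).items():
        print(key, "->", sorted(urls))
    print("flagged by association:", sorted(flag_by_association(SAMPLE_PAGES, KNOWN_BAD)))
```

The shop page is left alone because its key is not linked to anything known bad; sharing a site key is only evidence of a common operator, so in practice the flagged set is a pivot for review rather than an automatic verdict.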
Another thing worth noting is that there is essentially no limit to what bad actors can use and misuse in order to trick people out of their data and often money. Whether it is phishing or some kind of malware, even the technologies originally meant to keep the users of the internet safe can now be used against them. So, users are advised to access unfamiliar websites with extreme caution.
Also, no one gives money away for free, and any such deal that seems too good to be true most likely is.