Cyberattackers Increasingly Abuse CAPTCHAs to Hide Phishing & Malware

Cyberattackers Increasingly Abuse CAPTCHAs to Hide Phishing & Malware

The number of CAPTCHA-protected malicious URLs has sharply increased recently, researchers said.

Cyberattackers are using reCAPTCHA and other alternative services to hide their phishing links and for other malicious activities. However, these techniques may be losing their effectiveness, according to Palo Alto Networks’ Unit 42 researchers.

As a quick reminder, CAPTCHA is a type of anti-robot test on websites and in apps that asks users to confirm that they’re human. They usually involve clicking on photos and typing in a word that has been blurred or distorted. The idea is to weed out bots, usually on websites that sell goods and services online.

But they serve the same purpose for crooks: they thwart cybersecurity analysis.

“Hiding phishing content behind CAPTCHAs prevents security crawlers from detecting malicious content and adds a legitimate look to phishing login pages,” according to a Friday blog post by Unit 42.

Phishing actors are increasingly using a technique that involves a CAPTCHA. Unit 42 found over 4,088 pay-level domains hiding 7,572 unique malicious URLs that used this obfuscation method. There are 529 new CAPTCHA-protected malicious URLs per day, according to their research.

Aside from the usual phishing campaigns, there’s also been a spike in the number of malicious gateways and scam campaigns using CAPTCHA evasion.

“Survey and lottery scams are some of the most common grayware pages,” according to the posting. “In exchange for a fake payment or chance at winning the lottery, the user is lured into disclosing sensitive information, including address, date of birth, banking information, annual income, etc.”

Usually, the attackers’ web pages show CAPTCHAs only if they suspect automation based on IP address and browser version, to have as little friction as possible.

There are other tactics that exploit legitimate CAPTCHA services. One is malware delivery pages.

“For example, the URL hxxps://davidemoscato[.]com serves a malicious JAR file that is hidden from security scanners by protecting the page with a CAPTCHA challenge,” researchers noted.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.