Cyber crooks use CAPTCHAs to avoid detection

Read time 1min 50sec

While proving that you are a human, not a robot, via a CAPTHCA test may seem harmless,  bad actors are eyeing these tests as a new way to redirect users to pages with malicious intent.

CAPTCHA, which stands for Completely Automated Public Turing, is a security measure known as challenge-response authentication. It usually made up of a randomly generated sequence of letters or numbers that appear as a distorted image, and a text box. To prove their human identity,  uses simply type the characters they see in the image into the text box. 

Anna Collard, SVP of content strategy and evangelist for KnowBe4 Africa, says potentially malicious CAPTCHA redirects have been found on what should be safe and legitimate Web pages.  She says attackers are not only using CAPTCHAs to hide their phishing sites from security scanners, they are now using CAPTCHA redirects in phishing emails, as well as pop-ups on legitimate websites, to fool users into clicking on a link and sharing sensitive information.

Zscaler’s threat research team, ThreatLabZ, noted a series of Microsoft-themed phishing attacks aimed at senior employees at multiple organisations. The researchers found that the phishing links sent the victims to a fake reCAPTCHA page to add legitimacy to the campaign, only then forwarding them to a credential harvesting login portal.

Another phishing attack, found late last year by Armorblox, purported to come from Netflix customer support with a payment issue and used a CAPTCHA landing page before taking the target to a spoofed Netflix login page.

“Cyber criminals are becoming more sophisticated and their techniques harder to spot all the time," says Colllard. "The last line of defence is a well-prepared and vigilant user who, through continual security awareness training, is always on the lookout for suspicious email content, links and pop-ups that may be the launching point for the next cyber attack.” 

See also