Cyberattackers Embrace CAPTCHAs to Hide Phishing, Malware

CAPTCHA-protected malicious URLs are snowballing lately, researchers said.

Cyberattackers are using Google’s reCAPTCHA (aka the “I am not a robot” function) and fake CAPTCHA-like services to obscure various phishing and other campaigns, according to researchers. There are signs however that those evasion efforts may be losing their efficacy.

CAPTCHAs are familiar to most internet users as the challenges that are used to confirm that they’re human. The Turing test-ish puzzles usually involve clicking all photos in a grid that contain a certain object, or typing in a word presented as blurred or distorted text.

The idea is to weed out bots on eCommerce and online account sites – and they serve the same purpose for crooks.

Infosec Insiders Newsletter

“Hiding phishing content behind CAPTCHAs prevents security crawlers from detecting malicious content and adds a legitimate look to phishing login pages,” according to a Friday writeup from Palo Alto Networks’ Unit 42.

Though it’s far from new, it’s an increasingly popular technique: Just in the last month, the firm found 7,572 unique malicious URLs over 4,088 pay-level domains employing the obfuscation method. That’s an average of 529 new CAPTCHA-protected malicious URLs per day.

Beyond Phishing: New Categories of Malicious URLs

Besides the endless litany of phishing campaigns, scam campaigns and malicious gateways using CAPTCHA evasion are on the rise, according to Unit 42.

“Survey and lottery scams are some of the most common grayware pages,” according to the posting. “In exchange for a fake payment or chance at winning the lottery, the user is lured into disclosing sensitive information, including address, date of birth, banking information, annual income, etc.”

Often, these pages show CAPTCHA challenges only if they suspect automation based on IP and browser versions, researchers said – so as to make it as easy as possible to sucker visitors.

Another growing category is malware delivery pages abusing legitimate CAPTCHA services.

“For example, the URL hxxps://davidemoscato[.]com serves a malicious JAR file that is hidden from security scanners by protecting the page with a CAPTCHA challenge,” researchers noted.

How to Find CAPTCHA-Protected Malicious Sites

The good news is that Unit 42 researchers said that it’s possible to detect phishing pages through the association of CAPTCHA keys.

The page housing the CAPTCHA will have sub-requests that can be parsed in the HTML, which reveal the reCAPTCHA API key used in the URL parameters, researchers said. Such identifiers can be parsed out and searched for on other pages.

“We see many malicious campaigns reuse CAPTCHA service keys, either to simplify their malware infrastructure or to avoid being blocked by the legitimate reCAPTCHA provider for creating too many CAPTCHA accounts and keys,” they explained.

For example, in one case a webpage targeting Microsoft credentials using the same key as a separate URL used for Apple ID phishing, according to the report.

“Mass phishing and grayware campaigns have become more sophisticated, using evasion techniques to escape detection by automated security crawlers,” researchers concluded. “Fortunately, when malicious actors use infrastructure, services or tools across their ecosystem of malicious websites, we have a chance to leverage these indicators against them. CAPTCHA identifiers are one great example of such detection by association.”

Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs. Find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.


Suggested articles