Phishing Scam Cloaks Malware With Fake Google reCAPTCHA

banking malware google recaptcha

Phishing emails target a bank’s users with malware – and make their landing page look more legitimate with fake Google reCAPTCHAs.

A recently-discovered phishing scam was found peddling malware, using a new technique to mask its malicious landing page: A fake Google reCAPTCHA system.

The campaign targeted a Polish bank and its users with emails, said researchers with Sucuri. These emails contained a link to a malicious PHP file, which eventually downloaded the BankBot malware onto victims’ systems.

This Android-targeted banking malware, first discovered in 2016, is a remotely controlled Android banking trojan capable of stealing banking details by impersonating bank apps, looking at text messages and displaying unsolicited push notifications. In this specific case, BankBot was scooping up various private data, including SMS and call logs, contacts and location, researchers said.

“During a recent investigation, we discovered a malicious file related to a phishing campaign that targeted a Polish bank,” said Luke Leak with Sucuri, in a Thursday analysis. “This campaign employed both the impersonation and panic/bait techniques within an email in order to lure victims into downloading banking malware.”


The emails asked victims for confirmation for a recent transaction, along with a link to a malicious PHP file. Researchers said that users of the bank who saw the email would likely be alarmed that it was asking for confirmation of an unknown transaction, prompting them to click the malicious link.

“This makes it a bit more unique from the phishing content that we typically find, which often consists of a PHP mailer and file(s) used to construct the phishing page itself,” said Leak. “In most cases, it’s just a replica of the login page for whatever institution they are targeting.”

When the victims clicked on the link, the malicious PHP file would send them a fake “404 error” page. The PHP code then loaded a fake Google reCAPTCHA using a combination of HTML elements and JavaScript. reCAPTCHA is Google’s authentication mechanism  used for distinguishing bots from true site users.

The fake reCAPTCHA looks real, and makes victims feel as though the landing page is legitimate, researchers said.

“This page does a decent job at replicating the look of Google’s reCAPTCHA, but since it relies on static elements, the images will always be the same unless the malicious PHP file’s coding is changed,” said Leak. “It also doesn’t support audio replay, unlike the real version.”

google recaptcha phishing scam The PHP code then determined which form of malware to download on the victim’s device. If the victim uses Android, it would drop a malicious .apk, and if not, it downloaded a .zip dropper.

Besides “BankBot,” the Android malware is also labeled as “Banker” and “Artemis” on VirusTotal by varying anti-virus programs.

“Shortly after the discovery of the apps trojanized with BankBot on Google Play in the beginning of 2017, we have confirmed that the malicious apps were derived from source code made public on underground forums in December 2016,” said ESET researchers, in an analysis of BankBot. “The public availability of the code has led to a surge in both the number and sophistication of mobile banking trojans.”

Phishing scams have continued to step up their game over the past year, with bad actors are continuously updating their methods to become trickier. That includes using new tactics like Google Translate or  custom fonts to make the scams seem more legitimate.

Leak said this type of phishing campaign “can cause serious headaches for website owners.”

“The malicious directories used in these campaigns are uploaded to a website after it has been compromised,” said Leak. “When dealing with this type of malware, it is important to delete the files contained in a complaint, however; we strongly encourage administrators to scan all other existing website files and database for malware as well. You’ll also want to update all of your passwords to prevent the attackers from accessing the environment again.”

Suggested articles