Cyberattackers targeting the hospitality industry were recently observed using a phishing page that featured CAPTCHA technology as a way to elude detection, as well as to give potential victims a false sense of security that the malicious site was legit.

The scam was revealed yesterday in a blog post from Menlo Security – the latest in a string of reports this year from security companies that have warned of this social engineering and evasion technique. Fortunately, experts say that phishing-site CAPTCHAs sometimes offer visitors – especially attentive ones who are trained in security awareness – certain visual and contextual clues that something is amiss.

A CAPTCHA (short for Completely Automated Public Turing test to tell Computers and Humans Apart; reCAPTCHA is Google's widely used implementation of the idea) is a test placed on websites to determine whether a visitor is a genuine human or an unwanted bot. Typically, users are asked to check a box or to click on the images in a grid that contain a specified object, such as a traffic light or a bicycle.

But Menlo Security and other cyber firms like Armorblox, KnowBe4 and Barracuda Networks have noted that attackers have been using CAPTCHAs – sometimes multiple layers of them – on their phishing sites to gain two advantages. First, the mechanism blocks automated security scanners and web crawlers that look for phishing sites: a crawler cannot solve the challenge and never reaches the page behind it, so it is effectively filtered out, while genuine humans enter their responses and advance to the final landing page with the credential-phishing form.

Secondly, phishing victims may be more likely to be tricked into thinking the site is on the up and up. “The user is made to think that this is a legitimate site, because their cognitive bias has trained them to believe that checks like these appear only on benign websites,” the Menlo Security blog post said.

“Cognitive bias is the concept of creating a norm/standard for ourselves, based on all the information we derive from the world around us,” Vinay Pidathala, director of security research at Menlo Security, told SC Media. “CAPTCHAs are usually used on legitimate sites and it is so commonly used on popular sites that our biases tell us that any other site using this would also be legitimate – and therein lies the problem.”

“Users have undoubtedly become familiar with CAPTCHAs through the regular use of the web, so a CAPTCHA can preserve the illusion of normality when users click links offered to them in phishing emails,” agreed Eric Howes, principal lab researcher at KnowBe4.

And while CAPTCHAs are generally used to protect websites from brute-force attackers, Jonathan Tanner, senior security researcher at Barracuda Networks, said “it’s also possible that users create a further association [between] reCAPTCHA and security,” causing them to mistakenly assume the website must be safe to visit.

But how do the attackers manage to abuse CAPTCHA or reCAPTCHA technology in the first place? For some, the answer is straightforward: through Google itself.

“Gaining access to reCAPTCHA only really requires signing up for the service with Google and getting an API key,” said Tanner. “It’s possible that Google has already or will in the future scrutinize new accounts more thoroughly, but even with the increasing restrictions placed on the registration of Gmail accounts over the past few years, bad actors are still able to acquire accounts fairly easily. This would undoubtedly be the case with reCAPTCHA as well, especially since it’s unlikely Google wants to alienate smaller sites from the service. Bad actors could always put up legitimate-looking sites during the sign-up process, only to switch to phishing sites later, so even that level of account scrutiny could be bypassed.”

But that’s not the only option for criminals. Pidathala noted that a simple web search for “how to integrate CAPTCHAs with your website yields a lot of results,” adding, “There are many tools out there to easily integrate CAPTCHAs on websites.”

Howes suspects that malicious actors are likely taking advantage of free, open-source implementations of CAPTCHA, or even developing their own versions. “The same people, after all, are often pushing extremely sophisticated malware, so a CAPTCHA mechanism would not be beyond their capability,” he said. 

“We have encountered fake CAPTCHAs – that is, graphical elements in malicious landing pages that appear to be fully functional captchas but are in fact just for show,” Howes continued. “Users can input answers, but the answers aren’t checked/verified. The advantage of the fake CAPTCHA is that it preserves the illusion of legitimacy without actually stopping anyone from getting to the malicious goods.” After all, the more you have to make victims click around to get to their destination, the more likely they will abandon the site – and the bad guys don’t want that.

At least there are ways for users to spot a fraudulent CAPTCHA – and managers of security awareness programs may want to alert their trainees to look out for these signs.

Web pages that feature a CAPTCHA page on an otherwise blank background are somewhat suspicious, said experts. (Image from Menlo Security.)

For starters, the phishing website referenced in the Menlo Security article – which attempted to impersonate a Microsoft Office 365 page – should raise some red flags because the CAPTCHA page victims see is entirely blank except for the CAPTCHA test itself. “That would make me suspicious, as most legitimate organizations who use CAPTCHAs tend to include plenty of branded content on the same page,” said Howes.

Tanner agreed: “Legitimate uses of reCAPTCHA generally are part of a form or login page rather than being on an isolated page – because they are trying to protect that form or login page from abuse. [But] in the case of malicious reCAPTCHA use, the phishing site is what’s being protected from automated security scanning, and thus putting the challenge on the phishing page itself would defeat the purpose,” so the attackers place it on a separate page prior to the final landing page.

Technically, it is possible for a legitimate site to show a reCAPTCHA test on an otherwise blank page, said Tanner, but that’s mainly “when an API is what is being protected rather than a user-facing form. This is not something that most users clicking on phishing links would be particularly familiar with, however, so it is more of a fringe case.”
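The two observations above, that the CAPTCHA gate sits on a separate page from the credential form and that the page is otherwise blank, can be turned into a scanner-side heuristic. The following is an added example written for this article, not tooling from Menlo Security, KnowBe4 or Barracuda: it extracts a few facts from a fetched page (is a reCAPTCHA or hCaptcha widget present, does the page have any user-filled form fields, how much visible text and branding is there) and reports why a page looks like a bare CAPTCHA interstitial. The two sample pages, the word threshold and the site-key placeholder are constructed for illustration.

```python
"""Heuristics for flagging a CAPTCHA-only interstitial page.

Added example (not Menlo Security's, KnowBe4's or Barracuda's tooling).
The sample pages, thresholds and site-key placeholder are constructed.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List

# Script hosts used by common CAPTCHA services (reCAPTCHA, hCaptcha).
CAPTCHA_SCRIPT_MARKERS = ("google.com/recaptcha", "gstatic.com/recaptcha", "hcaptcha.com")
# Widget container classes rendered by those services.
CAPTCHA_WIDGET_CLASSES = {"g-recaptcha", "h-captcha"}


@dataclass
class PageFacts:
    captcha_widget: bool = False   # a widget container div is present
    captcha_script: bool = False   # a CAPTCHA provider script is loaded
    forms: int = 0
    text_inputs: int = 0           # inputs the user types into (not hidden/submit)
    images: int = 0
    links: int = 0
    visible_words: int = 0         # words outside <script>/<style>


class _FactExtractor(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.facts = PageFacts()
        self._in_code = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._in_code += 1
            if any(m in a.get("src", "").lower() for m in CAPTCHA_SCRIPT_MARKERS):
                self.facts.captcha_script = True
        elif tag == "form":
            self.facts.forms += 1
        elif tag == "input":
            if a.get("type", "text").lower() not in ("hidden", "submit", "button", "image"):
                self.facts.text_inputs += 1
        elif tag == "img":
            self.facts.images += 1
        elif tag == "a":
            self.facts.links += 1
        if CAPTCHA_WIDGET_CLASSES & set(a.get("class", "").lower().split()):
            self.facts.captcha_widget = True

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._in_code:
            self._in_code -= 1

    def handle_data(self, data):
        if not self._in_code:
            self.facts.visible_words += len(data.split())


def extract_facts(html: str) -> PageFacts:
    parser = _FactExtractor()
    parser.feed(html)
    parser.close()
    return parser.facts


def captcha_interstitial_reasons(facts: PageFacts, min_words: int = 25) -> List[str]:
    """Why this page looks like a CAPTCHA gate rather than a protected form.

    An empty list means either no CAPTCHA at all, or a CAPTCHA that sits on a
    normal branded page next to the fields it protects.
    """
    if not (facts.captcha_widget or facts.captcha_script):
        return []
    reasons = []
    if facts.text_inputs == 0:
        reasons.append("CAPTCHA is not attached to any user-filled form field")
    if facts.visible_words < min_words and facts.images == 0:
        reasons.append("CAPTCHA on an otherwise blank page (no logo, almost no text)")
    return reasons


def is_suspicious_captcha_page(html: str) -> bool:
    return bool(captcha_interstitial_reasons(extract_facts(html)))


# Constructed sample: a bare gate page of the kind described in the article.
GATE_PAGE = """<html><head>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
</head><body style="background:#fff">
<form method="post" action="/verify">
  <div class="g-recaptcha" data-sitekey="SITEKEY-PLACEHOLDER"></div>
  <input type="hidden" name="step" value="1">
  <input type="submit" value="Continue">
</form>
</body></html>"""

# Constructed sample: a branded login page that uses reCAPTCHA the normal way.
LOGIN_PAGE = """<html><head><title>Example Corp - Sign in</title>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
</head><body>
<header><img src="/static/logo.png" alt="Example Corp">
  <a href="/help">Help</a> <a href="/privacy">Privacy</a></header>
<main><h1>Sign in to your Example Corp account</h1>
<p>Use the email address registered with your company to access the employee
portal, payroll documents and internal tools.</p>
<form method="post" action="/login">
  <label>Email <input type="email" name="user"></label>
  <label>Password <input type="password" name="pass"></label>
  <div class="g-recaptcha" data-sitekey="SITEKEY-PLACEHOLDER"></div>
  <button type="submit">Sign in</button>
</form></main>
<footer>Copyright Example Corp. All rights reserved.</footer>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("gate", GATE_PAGE), ("login", LOGIN_PAGE)):
        print(name, captcha_interstitial_reasons(extract_facts(page)))
```

Run against the two constructed pages, the gate page produces both reasons and the branded login page produces none. Two caveats apply: a legitimate CAPTCHA placed in front of an API endpoint, the fringe case Tanner mentions, will be flagged as well, and an attacker who adds a logo and a paragraph of copied branding defeats the blank-page rule, so treat a hit as a reason to detonate the page in a sandbox with a human-driven browser rather than as a verdict on its own.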

Howes also said that frequent users of a particular website that normally doesn’t use CAPTCHA should be wary if they click on a supposed link to that site and suddenly encounter a CAPTCHA test. “For example, as far as I know, it is not common for Microsoft to use CAPTCHAs in conjunction with its main login pages – at least not in my experience,” he said.

And of course, when users do click on a link in an email, they should check the URL in the address bar to make sure it authentically belongs to the company represented on the web page, said Pidathala.
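"Check the URL" is easier said than done, because phishing links are built to survive a glance: the brand name is placed in a subdomain of the attacker's domain, in the userinfo part before an @, in the path, or spelled with a lookalike character. The following added example (not from the article or any of the quoted vendors) shows the check an automated mail filter or a browser extension would make, the same one a trained user is being asked to do by eye: take the host the browser will actually contact and compare it with the domain you trust, allowing genuine subdomains and nothing else. The expected host microsoftonline.com, used here because the Menlo sample impersonated an Office 365 page, and the list of test URLs are assumptions constructed for the example.

```python
"""Check that a link's host really belongs to the organization it claims.

Added example, not from the article or any vendor. The expected host
microsoftonline.com and the URLs below are assumptions chosen to
illustrate common lookalike tricks; substitute the domain you trust.
"""
from urllib.parse import urlsplit


def url_belongs_to(url: str, expected_host: str) -> bool:
    """True only if the URL's host is expected_host or a subdomain of it.

    urlsplit().hostname discards the userinfo ("user@") and the port and
    lowercases the result, so "login.microsoftonline.com@evil.example"
    yields evil.example, which is the host the browser would contact.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".")
    expected = expected_host.lower().rstrip(".")
    if not host or not expected:
        return False
    return host == expected or host.endswith("." + expected)


# Constructed cases: (url, expected verdict). Only the first two are genuine.
EXPECTED_HOST = "microsoftonline.com"
CASES = [
    ("https://login.microsoftonline.com/common/oauth2/authorize", True),
    ("https://LOGIN.microsoftonline.com:443/", True),
    # brand as a subdomain of an attacker-controlled domain
    ("https://login.microsoftonline.com.evil.example/", False),
    # brand in the userinfo part; the real host follows the @
    ("https://login.microsoftonline.com@evil.example/", False),
    # brand only in the path
    ("https://evil.example/login.microsoftonline.com/", False),
    # digit-for-letter substitution
    ("https://login.micros0ftonline.com/", False),
    # homograph: Cyrillic small o (U+043E) in place of Latin o
    ("https://login.micros\u043eftonline.com/", False),
    # not a web link at all
    ("javascript:alert(1)//login.microsoftonline.com", False),
]


def failing_cases(expected_host: str = EXPECTED_HOST):
    """Return the URLs whose verdict does not match; an empty list means all agree."""
    return [u for u, want in CASES if url_belongs_to(u, expected_host) is not want]


if __name__ == "__main__":
    for url, want in CASES:
        print(f"{url_belongs_to(url, EXPECTED_HOST)!s:5} (expected {want}) {url}")
```

The comparison is against a registrable domain you supply, not against the public suffix list, so for a brand hosted under a shared suffix (example.co.uk) pass the whole registrable domain, or a stranger on the same suffix would pass the subdomain rule. Punycode hosts (xn--...) are compared as such, which is the safe direction: a homograph domain never equals the Latin one.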

Howes called the CAPTCHA technique a perfect example of why it’s important to “reinforce the human layer of security in organizations” by getting employees “up to speed on the latest social engineering tactics…” Indeed, some of the best defenses against such attacks are to recognize a phishing email in the first place, so the employee never gets to the stage of clicking a link and being taken to a phishing page.