I doubt many people would claim to be fans of CAPTCHAs, the puzzles a website asks you to complete to prove that you are a human being and not a bot.
Unscrambling a distorted image to read the letters jumbled inside it, or selecting only the pictures that contain a traffic light, is often too much of a challenge for some of us to complete successfully on the first (and sometimes even the second and third) attempt.
But they do, of course, help keep automated bots away, stopping them from creating bogus accounts or leaving spam in a website's comment form.
And, in fairness, modern versions of Google reCAPTCHA have changed the way the system works. reCAPTCHA v2 often asks users just to tick a box saying "I'm not a robot", and v3 scores the visitor in the background without presenting a challenge at all, instead of making everyone pick out every picture containing a bicycle.
But researchers at Barracuda say they are seeing cybercriminals deploying Google's reCAPTCHA anti-bot tool in an attempt to avoid early detection of their malicious campaigns.
As the researchers explain, criminals are placing reCAPTCHA walls in front of their phishing pages to stop the content from being fetched and scanned by URL scanning services.
In other words, reCAPTCHA doesn't just block malicious bots; it also blocks benign ones, such as an automated system that checks the safety of URLs in an email before a human clicks on them.
Because the automated URL analysis system cannot reach the actual content of the phishing page, it cannot use any of the information on that page when assessing whether a link is safe to click. All it sees is a page containing a reCAPTCHA widget, which by itself is not a malicious indicator.
Furthermore, the researchers note that humans may well find the presence of a Google reCAPTCHA reassuring, and consequently find the phishing site more believable.
Barracuda's team point to a recent phishing campaign sent to over 128,000 email addresses as an example of the technique in action.
The phishing emails posed as a voicemail notification, encouraging recipients to open an attachment in order to listen to the voice message they had missed.
The attachment was an HTML file that redirected users to a web page containing nothing but a Google reCAPTCHA. Completing the reCAPTCHA redirected users to a phishing page which, in this case, impersonated the Microsoft login page and was designed to steal passwords.
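One way a URL scanner can still extract a signal from such a page, even though it cannot solve the challenge, is to treat the "reCAPTCHA and nothing else" shape itself as suspicious: the page loads the reCAPTCHA API, renders a widget, carries almost no visible text, and its solved-callback does nothing but navigate somewhere else. The following is an added example written for this article, not Barracuda's code and not the campaign's actual HTML; the two sample pages, the callback name and the redirect target are constructed, and the thresholds are an assumed policy.

```python
"""Heuristic check for a "reCAPTCHA wall": a page whose only content is a
reCAPTCHA widget that, once solved, redirects the visitor elsewhere.

Added example for illustration; the sample HTML is constructed to resemble
the interstitial page described in the article, and the callback name,
site key placeholder and redirect target are made up.
"""
import re
from html.parser import HTMLParser

# Known script URLs for the reCAPTCHA client library.
RECAPTCHA_API = re.compile(
    r"https?://(www\.google\.com|www\.recaptcha\.net)/recaptcha/api\.js", re.I)
# A navigation performed from script: the "solve it, then get redirected" pattern.
NAVIGATION = re.compile(r"(location\.(href|replace|assign)|window\.location)", re.I)


class PageSignals(HTMLParser):
    """Collects the few signals the heuristic needs from one HTML document."""

    def __init__(self):
        super().__init__()
        self.loads_recaptcha_api = False
        self.widget_count = 0
        self.callback_names = []   # data-callback attributes of g-recaptcha divs
        self.inline_scripts = []   # bodies of inline <script> elements
        self.visible_words = 0     # words outside <script>/<style>
        self._in_script = False
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if RECAPTCHA_API.search(a.get("src") or ""):
                self.loads_recaptcha_api = True
        elif tag == "style":
            self._in_style = True
        if "g-recaptcha" in (a.get("class") or "").split():
            self.widget_count += 1
            if a.get("data-callback"):
                self.callback_names.append(a["data-callback"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)
        elif not self._in_style:
            self.visible_words += len(data.split())


def analyze(html: str, max_words: int = 20) -> dict:
    """Return the extracted signals plus a verdict.

    Flag the page as a reCAPTCHA wall when it loads the reCAPTCHA API, renders
    a widget, has fewer than max_words of visible text, and the widget's
    callback is defined in an inline script that performs a navigation.
    (max_words is an assumed threshold, not a published rule.)
    """
    p = PageSignals()
    p.feed(html)
    scripts = "\n".join(p.inline_scripts)
    callback_redirects = bool(NAVIGATION.search(scripts)) and any(
        name in scripts for name in p.callback_names)
    wall = (p.loads_recaptcha_api and p.widget_count >= 1
            and p.visible_words < max_words and callback_redirects)
    return {"loads_recaptcha_api": p.loads_recaptcha_api,
            "widget_count": p.widget_count,
            "visible_words": p.visible_words,
            "callback_redirects": callback_redirects,
            "recaptcha_wall": wall}


# Constructed sample: what a scanner sees when it fetches the interstitial page.
WALL_PAGE = """<!doctype html><html><head><title>Verify</title>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<script>
  function onSolved(token) {   /* data-callback fired after the challenge */
    window.location.href = "https://example.invalid/voicemail/login";  /* made-up target */
  }
</script></head>
<body><div class="g-recaptcha" data-sitekey="SITEKEY_PLACEHOLDER" data-callback="onSolved"></div>
</body></html>"""

# Constructed sample: an ordinary login form that merely includes a reCAPTCHA.
NORMAL_PAGE = """<html><head><title>Sign in</title>
<script src="https://www.google.com/recaptcha/api.js"></script></head>
<body><h1>Sign in to your account</h1>
<p>Enter your username and password below. Forgot your password? Contact the helpdesk.</p>
<form action="/login" method="post"><input name="user"><input name="pass" type="password">
<div class="g-recaptcha" data-sitekey="SITEKEY_PLACEHOLDER"></div><button>Sign in</button></form>
<p>Terms of use. Privacy policy. Help. Status page. Accessibility statement.</p>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("wall", WALL_PAGE), ("normal", NORMAL_PAGE)):
        print(label, analyze(page))
```

The verdict is a heuristic, not proof of phishing: legitimate sites do put a challenge in front of content. Its value to a scanner is that "cannot see the content because a reCAPTCHA is in the way" becomes a reason to hold or sandbox the link for a human or a browser-driven crawler, rather than silently rating it clean.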
Remember: no security solution is likely to be 100% effective, and the presence of a Google reCAPTCHA does not guarantee that whatever sits behind it can be trusted.
Always exercise careful judgment about where you enter sensitive information, and consider using a password manager.
Good password managers remain a strong defence against phishing. A password manager will not offer to fill in your password on a website it does not recognise, meaning that even if a phishing site looks exactly like the real web page, it will not hand over your credentials unless the URL in the browser's address bar matches the one stored with that account. Phishing prevention is one of the best reasons to run a password manager, but one that is often overlooked.
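The reason a lookalike page gets nothing from a password manager is that the fill decision is made on the hostname in the address bar, not on how the page looks. The following added example, not the code of any particular password manager, shows that decision as a simple policy: HTTPS only, exact hostname match, with internationalised hostnames compared in their ASCII (punycode) form so that a visually similar Unicode domain cannot match an ASCII one. The vault contents and the test URLs are constructed; the Microsoft host is used only as an assumed example of a saved login origin.

```python
"""Why a password manager does not fill credentials on a phishing page.

Added example; not the implementation of any real password manager. The
vault below is constructed, and the match policy (HTTPS only, exact
hostname, punycode comparison for IDN hosts) is one reasonable policy.
"""
from urllib.parse import urlsplit

# Constructed vault: account label -> hostname the credential was saved on.
VAULT = {
    "work-email": "login.microsoftonline.com",  # assumed example origin
    "bank": "online.bank.example",
}


def normalized_host(url: str):
    """Return the comparable hostname for url, or None if it is unusable.

    Requires https and converts any IDN label to punycode so that a
    lookalike Unicode host compares as e.g. 'xn--...' rather than as
    the characters the user sees.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    try:
        return parts.hostname.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None  # undecodable host: refuse rather than guess


def entries_to_offer(page_url: str):
    """Vault entries the manager would offer to fill on page_url (exact host match)."""
    host = normalized_host(page_url)
    if host is None:
        return []
    return sorted(name for name, saved in VAULT.items() if host == saved)


if __name__ == "__main__":
    for url in ("https://login.microsoftonline.com/common/oauth2",
                "https://login.microsoftonline.com.evil.example/",  # saved host as a subdomain of attacker
                "https://example.invalid/voicemail/login",          # made-up phishing page
                "http://login.microsoftonline.com/",                # right host, not https
                "https://logіn.microsoftonline.com/"):              # Cyrillic 'і' lookalike
        print(url, "->", entries_to_offer(url))
```

The suffix case is the important one: the real hostname appears inside the phishing URL, which is enough to fool a quick glance, but an exact comparison of the whole host rejects it.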