CAPTCHA used to help phishing websites
Fraudsters are using CAPTCHA tools to stop URL scanning services from discovering that their websites are phishing pages.
You know CAPTCHA: it may ask you to type the letters and numbers shown in an image, to select particular images, or simply to tick the ‘I’m not a robot’ box. CAPTCHA is used to keep bogus, automated accounts from registering on websites, leaving comments and so on, which protects other users and blocks a lot of spam.
But researchers at Barracuda say they have recently noticed cybercriminals using the Google reCAPTCHA tool to hide their malicious websites.
How does it work?
Every second, the Internet is scanned by URL scanning services. These services follow links, access the websites and test them to see whether there is anything malicious on them. Of course, it is an automated process, so these services are bots too. Putting a CAPTCHA on a phishing website therefore blocks the scanning bots from actually reaching the page and determining whether the link is safe or not.
Moreover, many people associate a CAPTCHA on a website with that site being more secure and legitimate, which is of course wrong: a CAPTCHA says nothing about who runs the site.
One case the researchers discovered is a phishing campaign after Microsoft login credentials. The email carried an attachment with a link to a page containing the CAPTCHA. The scanning service is stopped at this step and cannot determine whether the website is safe or not. After ticking the ‘I’m not a robot’ box, the user is taken to a fake Microsoft login page where their credentials can be stolen.
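The defensive counterpart to the trick described above, as an added example (not code from the article or from Barracuda): a scanner-side heuristic that refuses to call a page "safe" when all it could fetch was a reCAPTCHA gate and instead flags it for deeper review. The thresholds and the two HTML samples are constructed assumptions.

```python
# Added example (not code from the article or Barracuda): a URL-scanner
# heuristic that refuses to label a page "safe" when all it could fetch was a
# reCAPTCHA gate. Standard library only; thresholds and HTML are assumptions.
from html.parser import HTMLParser

# Markers of the Google reCAPTCHA widget: its script URL and its widget class.
RECAPTCHA_MARKERS = ("google.com/recaptcha", "g-recaptcha")

class GateAnalyzer(HTMLParser):
    """Collect signals: CAPTCHA widget present, visible text length, links."""
    def __init__(self):
        super().__init__()
        self.captcha = False
        self.text_chars = 0
        self.links = 0
        self._skip = False  # inside <script>/<style>: not visible text

    def handle_starttag(self, tag, attrs):
        blob = " ".join(v for _, v in attrs if v)
        if any(m in blob for m in RECAPTCHA_MARKERS):
            self.captcha = True
        if tag in ("script", "style"):
            self._skip = True
        elif tag == "a":
            self.links += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())

def classify(html: str) -> str:
    """'captcha_gated' when the page is little more than a CAPTCHA challenge
    (scanner saw no real content, so it must not report 'safe'), else 'inspectable'."""
    p = GateAnalyzer()
    p.feed(html)
    if p.captcha and p.text_chars < 200 and p.links <= 2:
        return "captcha_gated"  # escalate to sandbox/manual review instead
    return "inspectable"

# Constructed samples: a bare reCAPTCHA interstitial versus an ordinary page
# that merely embeds reCAPTCHA on its comment form.
GATE = ('<html><head><script src="https://www.google.com/recaptcha/api.js">'
        '</script></head><body><form action="/next" method="post">'
        '<div class="g-recaptcha" data-sitekey="EXAMPLE"></div></form></body></html>')
NORMAL = ('<html><body><h1>Blog</h1><p>' + 'Lorem ipsum dolor sit amet. ' * 20 + '</p>'
          '<a href="/a">A</a><a href="/b">B</a><a href="/c">C</a>'
          '<form><div class="g-recaptcha" data-sitekey="EXAMPLE"></div></form></body></html>')
```

A real scanner would feed the "captcha_gated" verdict into a sandbox that solves or bypasses the gate, or into manual review, rather than letting the link through as clean.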
How can you protect yourself?
- always check whether the message looks suspicious,
- don’t treat a CAPTCHA as a safety measure,
- use a password manager: because it matches the saved login to the site’s real address, it easily tells a fake website from the real one and will not autofill your login and password. It’s a great detection tool.