Threat actors abused Google’s product to bypass security filters leading to data theft.
While CAPTCHA forms, little puzzles websites ask you to fill out to prove you are human, can be tedious, they serve a serious purpose: protecting against bots.
However, a recent report by Avanan shows that threat actors abused Google’s reCAPTCHA product to steal victims’ credentials.
Scammers used CAPTCHA forms sent from legitimate domains to fool scanners and get their hands on victims’ inboxes. Once there, threat actors ask the target to enter credentials to open a PDF.
In the attacks Avanan’s researchers have discovered, scammers used CAPTCHA forms to bypass scanners that would usually block any suspicious incoming emails.
Criminals used Google’s reCAPTCHA because most security scanners trust the form. The service makes connections to IPs that belong to Google. Such IP addresses are in most ‘allow lists.’
The malicious emails were sent from a legitimate domain, meaning that default scanners did not have a problem with letting them through. Since the malicious content was behind a CAPTCHA form, there was no way to block the email from getting to the inbox either.
“Because the content of this attachment is a seemingly harmless reCAPTCHA, and the mail client will not be able to solve the CAPTCHA, the email client will have no way of determining the safety of the actual attachment’s content,” Jeremy Fuchs, a security researcher at Avanan wrote.
The end-user might easily fall for the trick. Since the scammers used a legitimate domain address of an educational institution and used CAPTCHA form, the email did hide under a veneer of legitimacy.
The key giveaway of the true nature of the email was visible once victims completed the CAPTCHA form and were redirected to a website.There they were prompted to enter their credentials to open a password-protected PDF attached to the letter.
Even though the website posed as an Outlook-related website, the link had grammatical errors and zeros where numbers should be, a common tactic used by cybercriminals.
To avoid succumbing to such attacks, Fuchs recommends always checking URLs and asking the sender why the document was sent and password-protected.
More from Cybernews:
Subscribe to our newsletter