Hackers Mimic Google reCAPTCHA For Banking Malware Attacks

Another phishing campaign has surfaced online targeting banks. The attackers allegedly impersonate Google reCAPTCHA to leverage their attack. The campaign involves tricking the users to click on malicious links.

Fake Google reCAPTCHA Used In A New Phishing Campaign

Researchers at Sucuri have come across another fatal banking malware campaign. The malware deployed with this campaign links back to a phishing attack on a Polish bank. The researchers have elaborated the details of their investigation in a blog post.

The recently discovered campaign starts off just like any other phishing attack. The users receive spam emails supposedly from their banks informing about unauthorized transactions. These emails contain links to malicious PHP files that the users should click to verify the transaction.

However, unlike other phishing attacks where the spam links redirect users to impersonated sites, the links used in this campaign take the users to a fake page showing 404 error. This page contains various specific user-agents limited to Google crawlers.

If the request comes from any search engine other than Google, then the fake Google reCAPTCHA loads to deploy the malware. The malicious PHP code detects the victim’s device via browser agents and downloads the appropriate malware to it. For Android devices, the code deploys malicious .apk file. For others, it deploys a malicious .zip file.

Once downloaded, the malware can then perform any malicious activities, including interference with 2FA.

How To Identify The Attack

Phishing campaigns can often be easy to detect, however the better ones may seem more difficult to detect. Nonetheless, there are always some means to spot them if users remain vigilant. The researchers have shared some traits of the fake Google reCAPTCHA page through which the users may identify phishing.

“This page does a decent job at replicating the look of Google’s reCAPTCHA, but since it relies on static elements, the images will always be the same unless the malicious PHP file’s coding is changed. It also doesn’t support audio replay, unlike the real version.”

The success of most phishing campaigns depends on the level of trust of the users. Therefore, one should remain extremely cautious while clicking on links shared in emails – particularly from untrusted sources.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients