Researchers have found a new phishing campaign that exploits CAPTCHAs to execute phishing attacks while evading security filters.
Abusing CAPTCHAs is nothing new, but researchers have recently found a phishing campaign that does so in an unusual way: the threat actors behind it use CAPTCHAs to bypass email security filters and then steal credentials from whoever passes the challenge.
In their post, researchers from Avanan explained that the attack begins with a phishing email carrying a malicious PDF attachment. Clicking the document sends the victim to a new site presenting a CAPTCHA form. Once the CAPTCHA is solved, a phishing web page that typically mimics a legitimate service, such as Outlook, asks the victim to submit login credentials to proceed.
The researchers explained that the CAPTCHA's role in this campaign is to evade email security filters. As they put it,
Because the content of this attachment is a seemingly harmless reCAPTCHA, and the mail client will not be able to solve the CAPTCHA, the email client will have no way of determining the safety of the actual attachment’s content.
To lend the attack further legitimacy and help it slip past security filters, the attackers also abuse legitimate domains. In the campaign that caught Avanan's attention, the emails came from a compromised university site.
Adding to the challenge for scanners is that the email is being sent from a legitimate domain, in this case, a compromised university site.
Another element that lends the campaign legitimacy is its use of PDFs.
Plus, the PDF is hosted on a convincingly-spoofed OneDrive page, adding another veneer of legitimacy.
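The evasion described above, in which a scanner that cannot pass the CAPTCHA sees only a harmless widget and therefore reports the attachment clean, suggests a simple defensive inversion: treat a CAPTCHA-gated link inside an attachment as a signal in itself, and check whether the landing page's branding (OneDrive, Outlook) matches the host that actually serves it, which catches the compromised-domain and spoofed-OneDrive elements as well. The Python below is an added example written for this page, not code from Avanan or from the campaign; the PDF bytes, the landing-page HTML, the domain names and the brand-to-domain list are all constructed for illustration and are assumptions, not observed indicators.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not a real campaign artifact): the skeleton of a PDF
# whose only content is a link annotation pointing at a CAPTCHA-gated page.
# /URI entries inside /Link annotation dictionaries look exactly like this.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [50 50 300 100]
   /A << /S /URI /URI (https://files.university-example.edu/share/onedrive/doc.html) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample of what the link resolves to: to a scanner the page is
# blank apart from a reCAPTCHA widget; the credential form only appears after
# a human solves the challenge, so a scanner that stops here sees nothing bad.
SAMPLE_LANDING_HTML = """<html><head><title>OneDrive - Verify you are human</title>
<script src="https://www.google.com/recaptcha/api.js" async defer></script></head>
<body><form action="/verify" method="post">
<div class="g-recaptcha" data-sitekey="6Lc_example_site_key"></div>
<input type="submit" value="Continue to document"></form></body></html>"""

# /URI (literal-string) inside a PDF; parentheses in the string are backslash-escaped.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Markers of the common human-verification widgets (reCAPTCHA, hCaptcha, Turnstile).
CAPTCHA_MARKERS = (
    "g-recaptcha", "recaptcha/api.js", "h-captcha", "hcaptcha.com",
    "cf-turnstile", "challenges.cloudflare.com/turnstile",
)

# Assumed mapping of brand keywords to domains that legitimately serve that brand.
BRAND_DOMAINS = {
    "onedrive": ("onedrive.live.com", "sharepoint.com", "1drv.ms"),
    "outlook": ("outlook.live.com", "outlook.office.com", "office.com"),
}


def extract_pdf_uris(pdf_bytes):
    """Return the link targets embedded in the PDF's /URI annotations."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        uris.append(raw.decode("latin-1"))
    return uris


def is_captcha_gate(html):
    """True if the page embeds a human-verification widget."""
    h = html.lower()
    return any(marker in h for marker in CAPTCHA_MARKERS)


def brand_mismatch(url, html):
    """Return the brand name if the URL or page text names a brand that the
    serving host does not belong to, else None."""
    host = (urlparse(url).hostname or "").lower()
    text = (url + " " + html).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text and not any(host == d or host.endswith("." + d) for d in domains):
            return brand
    return None


def assess_attachment(pdf_bytes, fetch):
    """Extract every link from the PDF, fetch its landing page via `fetch(url)`
    and flag CAPTCHA gates and brand/host mismatches instead of treating an
    unreadable page as clean."""
    findings = []
    for url in extract_pdf_uris(pdf_bytes):
        html = fetch(url)
        reasons = []
        if is_captcha_gate(html):
            reasons.append("captcha-gated landing page: scanner cannot see final content")
        brand = brand_mismatch(url, html)
        if brand:
            reasons.append(f"page references {brand} but host {urlparse(url).hostname} is not a {brand} domain")
        findings.append({"url": url, "verdict": "suspicious" if reasons else "clean", "reasons": reasons})
    return findings


def offline_fetch(url):
    """Stand-in for an HTTP fetch so the example runs offline; a real scanner
    would retrieve the page through a sandbox."""
    return SAMPLE_LANDING_HTML


if __name__ == "__main__":
    for finding in assess_attachment(SAMPLE_PDF, offline_fetch):
        print(finding["verdict"], finding["url"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The design point is that the scanner never tries to solve the CAPTCHA; it records that it was stopped by one and, combined with the branding-versus-host check, escalates the attachment for sandboxing or review rather than clearing it.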
Researchers advise users to be wary of such phishing emails: check URLs carefully before filling in any CAPTCHA, and verify an unexpected document with the real sender or vendor before acting on it.