Fake Google reCAPTCHA Used by Phishing Attackers


An active phishing campaign is sending thousands of emails to Microsoft users in an attempt to steal their Office 365 credentials. The attackers lend the campaign an air of authenticity by using a bogus Google reCAPTCHA page and landing pages, hosted on top-level domains, that carry the logos of the victims' organizations. More than 2,500 phishing emails connected with the campaign have already been blocked. Security company Zscaler's threat research team, ThreatLabZ, has observed that the phishing activity has been increasing since December 2020, with the targets mostly senior staff working in the banking industry.

Google reCAPTCHA is a service that prevents spam and abuse on websites by using a challenge designed to tell humans and bots apart (asking the user to pick out the fire hydrants in a series of images, for instance). The campaign starts with phishing emails that appear to come from the target organization's unified communications system, the kind of single-contact platform that organizations use to simplify corporate communication. The emails claim to be automated notifications from that platform and say that a voicemail is available via a link. Each email carries a malicious HTML attachment; when the victim opens the embedded HTML file, they are redirected to a phishing site on a .xyz domain disguised as the official Google reCAPTCHA page. The fact that the landing pages are tailored to each victim's organization shows that the attacker has done their research, which makes the attack more credible.

After passing the fake reCAPTCHA check, the victims are sent to a bogus Microsoft login page. When they submit their username and password, a fake "validation successful" message is displayed to add credibility to the campaign. The researchers added that "Users are then shown a recording of a voicemail message that they can play, allowing threat actors to avoid suspicion."
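The chain described above (an HTML attachment that forwards the reader to a look-alike reCAPTCHA page on a .xyz domain, which in turn fronts a fake Microsoft login) lends itself to a simple triage check on inbound attachments. The following Python script is an added example, not Zscaler's tooling or code from the campaign: it extracts every redirect target from a small HTML attachment (meta refresh, anchors, form actions and inline JavaScript location assignments) and flags targets that mention reCAPTCHA on a non-Google host, sit on a .xyz TLD, or carry Microsoft/Office branding outside Microsoft-owned domains. The sample attachment, its hostname and the indicator lists are constructed for illustration and would be tuned to a real environment.

```python
"""Flag phishing-style redirects in an HTML e-mail attachment (added example).

The heuristics mirror the chain described in the article: a small HTML file
that forwards the recipient to a look-alike reCAPTCHA page on a throwaway
TLD, which then fronts a fake Microsoft login page.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that legitimately serve reCAPTCHA. Anything else that mentions
# "recaptcha" in its hostname or path is treated as a look-alike.
GOOGLE_RECAPTCHA_HOSTS = {"www.google.com", "google.com", "www.recaptcha.net", "recaptcha.net"}
# Domains that legitimately host Microsoft / Office 365 sign-in pages.
MISCROSOFT_PLACEHOLDER = None  # (unused; kept out of the logic)
MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")
# Brand words whose presence outside Microsoft-owned domains suggests impersonation.
BRAND_WORDS = ("microsoft", "office365", "office", "outlook", "o365")
# TLDs worth a closer look; .xyz is the one named in this campaign.
# An indicator only, never proof by itself.
SUSPICIOUS_TLDS = {"xyz"}


class RedirectExtractor(HTMLParser):
    """Collect every URL an attachment could forward the reader to."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # <meta http-equiv="refresh" content="0; url=https://...">
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.urls.append(m.group(1))
        elif tag == "a" and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.urls.append(a["action"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline JavaScript redirects: location = "...", location.href = "...",
        # location.replace("..."). HTMLParser hands script bodies to handle_data.
        if self._in_script:
            pattern = (r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
                       r"|location\.replace\(\s*['\"]([^'\"]+)['\"]")
            for m in re.finditer(pattern, data):
                self.urls.append(m.group(1) or m.group(2))


def _under(host, domains):
    """True if host is one of the given domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_url(url):
    """Return the list of indicators that apply to one redirect target."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return []  # relative URL: nothing to judge here
    path = (parsed.path + "?" + parsed.query).lower()
    reasons = []
    if "recaptcha" in host + path and host not in GOOGLE_RECAPTCHA_HOSTS:
        reasons.append("recaptcha-lookalike")
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        reasons.append("suspicious-tld")
    if any(w in host + path for w in BRAND_WORDS) and not _under(host, MICROSOFT_DOMAINS):
        reasons.append("brand-impersonation")
    return reasons


def scan_attachment(html):
    """Map each flagged redirect target in the attachment to its indicators."""
    extractor = RedirectExtractor()
    extractor.feed(html)
    findings = {}
    for url in extractor.urls:
        if url not in findings:
            reasons = assess_url(url)
            if reasons:
                findings[url] = reasons
    return findings


# Constructed sample attachment (not a real campaign artifact): a meta refresh
# plus a JavaScript fallback, both pointing at the same look-alike page.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=https://voicemail-recaptcha-check.xyz/office365/verify">
</head><body>
<p>Loading your secure voice message...</p>
<script>window.location.href = "https://voicemail-recaptcha-check.xyz/office365/verify";</script>
</body></html>"""

# Constructed benign control: a reCAPTCHA demo link on Google's own host.
BENIGN_ATTACHMENT = '<html><body><a href="https://www.google.com/recaptcha/api2/demo">demo</a></body></html>'

if __name__ == "__main__":
    for url, reasons in scan_attachment(SAMPLE_ATTACHMENT).items():
        print(url, "->", ", ".join(reasons))
```

None of the three indicators is proof on its own (.xyz hosts plenty of legitimate sites), so treat the output as a triage signal that routes the attachment to sandboxing or a blocklist review rather than as a verdict.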

"These attacks can be categorized as BEC [business email compromise] although the sender, in this case, involves the use of popular unified communication systems used by the organizations," Gayathri Anbalagan, the lead researcher on the Zscaler study, points out. "We are not able to attribute this campaign to a specific threat actor but looking at the operational theme and the target profiles, it is likely to be a single coordinated campaign."

"Similar phishing campaigns utilizing fake Google reCAPTCHA have been observed for several years, but this specific campaign targeting executives across specific industry verticals started in December 2020," the researchers noted. Phishing attackers have also adopted other techniques to make their scams look more credible, such as using Google Translate or customized fonts.