In April 2021, Avanan researchers wrote about how hackers are using CAPTCHA forms–those annoying puzzles you have to fill out after entering data to prove you are human–to bypass filters. That particular attack took advantage of the trust that scanners have in Google’s reCAPTCHA product.
Now, starting in February 2022, Avanan researchers have found new ways that hackers are using CAPTCHA forms, in this case taking advantage of a compromised domain of a university, which lends legitimacy. In this attack brief, Avanan will analyze how threat actors are using CAPTCHAs to steal credentials.
In this attack, hackers are using CAPTCHA forms, sent from legitimate domains, to fool scanners and get into the inbox. Once the user accesses the content, the hackers ask for credentials to access a PDF.
- Vector: Email
- Type: Credential Harvesting
- Techniques: CAPTCHA Forms, Impersonation
- Target: Any end-user
In this attack, threat actors are using CAPTCHA forms to fool anti-phishing filters.
Email Example #1
The user receives a standard-looking email, purporting to be a faxed document. The document is attached as a PDF.
Email Example #2
The PDF then goes to a site with a CAPTCHA form. Notice the URL. “Outlook” is spelled wrong, and “Storage” has a zero instead of an ‘o’.
Email Example #3
From there, you’ll be directed to enter your email address and then your password to access the PDF. Those credentials are then being stolen by hackers.
In this attack, hackers are using CAPTCHA forms to bypass scanners.
Perhaps the most popular CAPTCHA is Google’s reCAPTCHA. Google is inherently trusted by most security scanners, since you can’t just block Google. The reCAPTCHA service makes connections to IP addresses that belong to Google and are already in most allow lists.
One of the main tasks of reCAPTCHA challenges–those annoying image games you have to play before proceeding to a site– is to make content inaccessible to crawlers and scanners that do not pass the verification process; therefore, the malicious nature of the target websites will not be apparent until the CAPTCHA challenge is solved. Further, because the content of this attachment is a seemingly harmless reCAPTCHA, and the mail client will not be able to solve the CAPTCHA, the email client will have no way of determining the safety of the actual attachment’s content. Adding to the challenge for scanners is that the email is being sent from a legitimate domain, in this case, a compromised university site.
To the end-user, this doesn’t seem like phishing but more like a nuisance. Given how often the average user fills out a CAPTCHA challenge, it’s not out of the ordinary. Neither are password-protected PDF documents. Plus, the PDF is hosted on a convincingly-spoofed OneDrive page, adding another veneer of legitimacy.
By providing end-users with innocent enough content, and scanners with enough to be fooled, this is an effective attack for hackers to pull off.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Encourage end-users to check URLs before filling out CAPTCHA forms
- Ask recipients if the PDF should have been password protected
- With a faxed document, ask the sender if they were in the office or working from home. If working from home, odds are that they did not fax it.