Several cybersecurity experts have reported an increase in phishing attacks using Google’s reCAPTCHA feature to hide malware and escape security detections. A research team from Zscaler recently discovered a series of Microsoft-themed phishing attacks targeted at high-ranked employees in multiple organizations globally. Zscaler stated that it prevented over 2,500 such phishing attempts over the last three months.
“The attack is notable for its targeted aim at senior business leaders with titles such as Vice President and Managing Director who are likely to have a higher degree of access to sensitive company data. These campaigns aim to steal these victims’ login credentials to allow threat actors access to valuable company assets,” Zscaler said.
Scammers have been spreading their phishing campaigns across multiple industries, especially in the banking and IT sectors. While it is still unknown who is are behind these attacks, Zscaler stated that the phishing campaigns have been active since December 2020.
Purpose of reCAPTCHA
reCAPTCHA walls are typically used to verify and differentiate between human users and bots. Once the human intervention is verified, only then access to web content is allowed. It is also commonly used as one of the multi-factor authentication (MFA) techniques, which helps legitimate companies restrict bots from scraping and hijacking their content.
Exploiting Google reCAPTCHA
- The campaign begins with cybercriminals sending phishing emails that appear as automated emails from their unified communications tools indicating that they have a voicemail attachment.
- The phishing pages are hosted by using .xyz, .club, and .online generic Top Level Domains (TLDs).
- When a user opens/clicks the attachment, it redirects the victims to a fake Google reCAPTCHA screen.
- After verifying the reCAPTCHA, the page takes the user to a fake Microsoft login screen, allowing threat actors to steal victims’ login credentials.
- After entering the login credentials, the campaign prompts a fake message saying, “Validation successful” and then shows a recording of a voicemail message to play, adding legitimacy to the phishing campaign.
“Similar phishing campaigns utilizing fake Google reCAPTCHAs have been observed for several years, but this specific campaign targeting executives across specific industry verticals started in December 2020,” Zscaler added.
