Captcha, the acronym for Completely Automated Public Turing test to tell Computers and Humans Apart, is supposed to weed out automated systems accessing a website. Now, cyber-criminals have started using Captcha as a method to bypass automated URL analysis, said security researchers at Cofense.
The new technique prevents the secure email gateway (SEG), in this case Mimecast’s gateway, from scanning the URL, thereby enabling the threat to get through, researchers said in a blog post.
Victims receive a phishing email sent from a compromised account at @avis.ne.jp, disguised as a legitimate notification from a voip2mail service. The email alerts the recipient to a new voicemail message. The message is crafted in a simple format, with a preview of the voicemail to entice the recipient to click the button to listen to the full message.
"This button is in fact an embedded hyperlink that will redirect the recipient to a page that contains a Captcha code to prove the victim is a human and not an automated analysis tool or, as Google puts it, ‘a robot’," wrote Cofense threat analyst Fabio Rodrigues in the blog post.
"It’s at this point that the SEG validation would fail. The SEG cannot proceed to and scan the malicious page, only the Captcha code site. This webpage doesn’t contain any malicious items, thus leading the SEG to mark it as safe and allow the user through."
Once the Captcha is solved, the victim is taken to a phishing page that imitates the Microsoft account selector and login page. Credentials entered there go straight to the criminals.
Both the Captcha application page and the main phishing page are hosted on MSFT infrastructure, wrote Rodrigues.
"Both pages are legitimate Microsoft top level domains, so when checking these against domain reputation databases we receive a false negative and the pages come back as safe."
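As an added illustration (not code from the Cofense post or from SC Media), the toy model below replays the scanner decision the article describes: a gateway that treats "could not get past the Captcha" as "nothing malicious found" lets the message through, while a policy that treats an unscannable interstitial as an unverified page, weighed together with the voicemail lure, holds or quarantines it. The sample pages, marker lists and function names are constructed assumptions, not real sites or any vendor's logic.

```python
import re
from typing import List

# Constructed sample pages standing in for what a URL scanner would fetch (not real sites).
CAPTCHA_INTERSTITIAL = """<html><body>
<form action="/verify"><div class="g-recaptcha" data-sitekey="placeholder-key"></div>
<p>Please verify you are not a robot to continue to your voicemail.</p></form></body></html>"""
LOGIN_LOOKALIKE = """<html><head><title>Sign in to your account</title></head><body>
<form method="post" action="/auth"><input type="email" name="loginfmt">
<input type="password" name="passwd"><button>Next</button></form></body></html>"""
BENIGN = "<html><body><h1>Voicemail service status</h1><p>All systems operational.</p></body></html>"

# Assumed marker lists; a real scanner would use a far richer feature set.
CAPTCHA_MARKERS = (r'class="g-recaptcha"', r"h-captcha", r"not a robot", r"cf-challenge")
CREDENTIAL_MARKERS = (r'type="password"', r"loginfmt", r"passwd")


def verdict_for_page(html: str) -> str:
    """Classify one fetched page the way an automated URL scanner sees it."""
    if any(re.search(m, html, re.I) for m in CREDENTIAL_MARKERS):
        return "credential_form"  # asks for a password: phishing candidate
    if any(re.search(m, html, re.I) for m in CAPTCHA_MARKERS):
        return "analysis_blocked"  # human-verification gate stops the crawler here
    return "clean"


def seg_decision(chain: List[str], lure_subject: str, strict: bool) -> str:
    """Allow/quarantine decision for the chain of pages the scanner could reach.

    `chain` ends at the last page the crawler fetched; with a Captcha gate that is
    the interstitial, never the login page behind it. `strict` is the corrected policy.
    """
    final = verdict_for_page(chain[-1])
    if final == "credential_form":
        return "quarantine"
    if final == "analysis_blocked":
        if not strict:
            # Lenient policy: the gate itself carries nothing malicious, so "safe".
            # This is the failure mode the article describes.
            return "allow"
        # Strict policy: the destination is unverified, not safe. A voicemail-style
        # lure on top of an unscannable link is enough to hold the message.
        if re.search(r"voice ?mail|missed call", lure_subject, re.I):
            return "quarantine"
        return "hold_for_review"
    return "allow"
```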
This attack shows that when it comes to phishing, technical controls alone are usually not enough and criminals will find a way to bypass them, Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK.
"Therefore, no matter what controls are in place, it's important to provide security awareness and training to users so that they can spot and report any suspicious emails," he said.
Chris Miller, regional director for UK & Ireland at RSA, agrees: processes and employee education are the best way to tackle the issue, he told SC Media UK.
"Less than one in ten organisations continuously train employees on how to recognise a cyber-attack, with security training typically delivered just once as part of the onboarding process. That is not enough."
Employees must be educated and kept up to date on the security threats and risks they will face in their jobs if they are to recognise them and take the steps needed to manage digital risks effectively, he said.
"It is important to educate and empower users on how they can become a shield, or ‘human firewall’ for their business. Every member of an organisation should understand what digital risks they face and how they can do their part to defend against them; an informed workforce can be the defence line between security and risk."