Hackers spotted using CAPTCHAs to dodge email security scanners

A new phishing campaign has been discovered using CAPTCHA verification tests to bypass email security scanners.

CAPTCHAs are cognitive tests that websites present to ensure that they're interacting with humans rather than automated bots.

According to cyber security company Avanan, the new campaign is using a technique that the company itself demonstrated over a year ago to bypass secure email gateways.

Email scanners typically compare links in emails against a known list of malicious domains gathered from threat intelligence feeds and blacklists. Sending a CAPTCHA instead of a direct URL effectively masks the phishing link from automated checks, as it takes human interaction to solve.

Phishing emails using CAPTCHAs will attach them as HMTL files that look clean to a secure email gateway, Avanan said. Some email clients might even render the HTML file when displaying the message if they can't find anything dangerous about it.

If a victim opens the HTML file containing a CAPTCHA and solves it, the browser will then show them a phishing page asking them to enter their credentials.

Avanan has found attackers using this technique when sending emails from legitimate domains. In one case, the company said that a criminal used a compromised university domain to send an email containing a CAPTCHA.

Instead of embedding the test in an HTML file, the attacker uses a non-password-protected PDF purporting to be a faxed document. When opened, the PDF takes the user to a site with a CAPTCHA.

Upon solving the CAPTCHA, the phishing site presents the victim with a fake Microsoft authentication window asking for their login credentials.

Attackers typically use Google's reCAPTCHA service, which it provides free to developers. Because security scanning systems can't realistically block Google, the reCAPTCHA is sure to be delivered, Avanan explains. Using a spoofed Microsoft OneDrive site adds another layer of apparent legitimacy to the phishing attack, researchers added.

Avanan's best practices for avoiding the attack focus on user awareness rather than technical solutions.

Users should check URLs before filling out CAPTCHA forms, it said. They should also ask whether the PDF should have been password protected, and query the sender to find if they were in the office or working from home. "If working form home, odds are that they did not fax it," the company concluded.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download