Attackers Use Fake reCAPTCHAs to Trick Corporate Executives

I am sure that at some point in your cyber life, you have failed to prove you were a human. You have failed the CAPTCHA or reCAPTCHA test. Can’t you identify a bicycle when you see one? Can’t you read the letters in a twisted word? Humans can do that so you must be a robot.

I’m willing to bet that few people reading this know what CAPTCHA means, so here it is: “Completely Automated Public Turing test to tell Computers and Humans Apart”. Now that I’ve made your day, what’s the difference between CAPTCHA and reCAPTCHA? CAPTCHAs involve problem solving, such as solving math problems, deciphering words, or selecting the correct images. Google created the reCAPTCHA idea. This is simply a box that you’ve all seen.

But can’t a bot click the box? Sure, but they don’t do it in the same way that humans do. They would look at the code and click the box directly. Humans would move a mouse or their finger around first and may not click directly on the center of the box. The reCAPTCHA algorithm can determine where the mouse/finger goes and where the box is clicked and will determine whether this is a human or a bot. In fact, the reCAPTCHA has evolved into an invisible reCAPTCHA. An algorithm maps your interaction with a web page to determine if your interaction is more like a human or a robot. If your interactions appear robotic, you’ll be made to perform some regular CAPTCHA test, like choosing correct images. You may need to do this several times before your humanity is verified.

It’s bad enough that these CAPTCHAs can get in the way of your browsing, but now they have become weaponized, or at least reCAPTCHAs have. According to cybersecurity firm Zscaler, threat actors are using reCAPTCHAs to bolster their attacks on corporate executives. They appear to be looking for a way to get the login credentials of employees who have priority access within the corporate network. Though the researchers could not attribute these attacks to any specific group, with such goals in mind, we are probably looking at nation-state actors or at least high-level hacking groups with government connections. On the other hand, they are primarily targeting the banking and IT sectors, so it’s possible financial goals are behind the attack as well, and, this being the case, unaffiliated hacking groups may be working this angle.

Through any one of a number of communication channels (emails, messaging etc.), the potential victim receives a message with a voice mail attachment. Clicking on the attachment takes the victim to a fake reCAPTCHA page. This may distract the victim or give them confidence in the page they are being directed to. (It must be legitimate because it’s asking me to prove I’m a human, right?) The page the target is directed to is actually a fake Microsoft login screen which, when the victim logs in, will allow the criminals to steal their credentials and, of course, give them access to the corporate network. It’s not that criminals haven’t tried to use fake reCAPTCHA screens before, it’s that they are now targeting corporate executives that is important and dangerous.

This new attack vector is disturbingly similar to a successful whaling campaign back in 2019. Whaling is the name given to an attack that targets key company executives (big fish). In the 2019 campaign, criminals sent executives messages such as the following. Notice the voicemail attachment.

The web address given is, in fact, a real address that is connected to a site that executives could reasonably use. This company may have been targeted. So if you know this firm, you might want to give them a heads up.

Here is another company I found them using.

In this campaign, the victim was sent to a fake Microsoft login page (see the URL).

The victim had to log in to hear the sound file. So far, this is a pretty much normal phishing campaign. The interesting aspect of this attack, however, is that it, like the new reCAPTCHA attack, uses a voicemail file to seal the deal. In this case, when the victim logs in, they will actually hear a sound file. Here is one that BleepingComputer released.

The sound file is used to give credibility to the scam. The victim got the sound file but it appeared to be some sort of wrong number and, in this case, the message would probably be dismissed. They may, therefore, not question the validity of the login page they just used. Just like the reCAPTCHA used in the recent attacks, the sound file made it appear as if everything was legitimate and the login was considered as normal.

But this new reCAPTCHA attack takes obfuscation a step further, a step I think makes this a very dangerous attack. The criminals have apparently purchased legitimate-looking domain names with somewhat unusual extensions. Here is one that I edited from Zscaler.

And, after logging in, the victim is, just like in the 2019 campaign, taken to a voicemail file that they can listen to. When I investigated one of the fake reCAPTCHA pages, I could never sign in with only the reCAPTCHA box checked. I would always be directed to a choose-the-correct-image CAPTCHA. But, since I was using an email address that they had already stolen the credentials for, I was either sent to or the real Microsoft Office login page. The extensions to be wary of are ‘.xyz’, ‘.club’, and ‘.online’.

The researchers give the following graphics to show which enterprises and which executives were being targeted.

So, to put it simply, if you are a vice president or managing director and are working in either banking or IT, be very wary of any emails with any attachments, especially those that lead to a site with a reCAPTCHA. If you finally make it to a login page, look closely at the URL, especially the extension. This is a well-designed attack that is destined to produce a lot of victims. Try not to be one of them.
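
The URL check recommended above, as an added example (not from the original post or from Zscaler): a Python triage function that flags links whose extension is one of the three named in this article, or that use Microsoft-login wording on a host that is not a Microsoft sign-in endpoint. The allow-list of Microsoft hosts, the lure-word list and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Extensions the article says to be wary of.
WATCH_TLDS = {"xyz", "club", "online"}
# Assumption: hosts treated here as genuine Microsoft sign-in endpoints.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Assumption: wording that suggests a Microsoft or voicemail login lure.
LURE_WORDS = ("microsoft", "office", "outlook", "login", "signin", "voicemail")


def triage_url(url):
    """Return the reasons a link deserves a closer look (empty list = none)."""
    # Accept bare "host/path" strings as well as full URLs.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return ["no hostname found"]
    if host in MS_LOGIN_HOSTS:
        return []  # exact match only; a longer host that merely starts with it fails
    reasons = []
    tld = host.rsplit(".", 1)[-1]
    if tld in WATCH_TLDS:
        reasons.append(f"watch-listed extension .{tld}")
    text = host + parts.path.lower()
    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        reasons.append("login wording on a non-Microsoft host: " + ", ".join(hits))
    return reasons


def flagged(urls):
    """Map each suspicious URL to its reasons, skipping clean ones."""
    results = {u: triage_url(u) for u in urls}
    return {u: r for u, r in results.items() if r}


# Constructed sample links (not taken from the campaign).
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.sample-constructed.xyz/voicemail",
    "newsletter.sample-constructed.club/issue/12",
    "https://intranet.example.com/reports",
]

if __name__ == "__main__":
    for url, reasons in flagged(SAMPLES).items():
        print(url, "->", "; ".join(reasons))
```

The second sample shows why the comparison is against the whole hostname: a genuine Microsoft name at the front of a longer host still ends in a watch-listed extension and is flagged.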
