Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 188: Beware of Phishing Campaigns Using reCAPTCHA Walls
Reference Number ACG-CSB 052720188
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
reCAPTCHA is a free service from Google that helps protect websites from spam and abuse. A CAPTCHA is a Turing test to tell humans and bots apart: easy for humans to solve, but hard for bots and other malicious software to figure out. Instead of depending on the traditional distorted-word test, Google's reCAPTCHA examines cues that every user unwittingly provides; for example, IP addresses and cookies give evidence that the visitor is the same human Google remembers from elsewhere on the Web.
reCAPTCHA walls are typically used to verify that a visitor is human before access to web content is allowed. Legitimate companies commonly use them to restrict bots from scraping or hijacking their content. Note that a reCAPTCHA only establishes that a human is present; it is a bot-mitigation control, not a Multi-Factor Authentication (MFA) factor, and passing one says nothing about whether the site itself is genuine.
As the world continues to grapple with the new coronavirus, COVID-19, and how to handle it, cyber criminals are taking advantage of the widespread discussion of COVID-19, using reCAPTCHA walls to lure unsuspecting users.
Cashing in on intense public concern around COVID-19, as well as increased reliance on the Internet with millions of netizens now working from home, cybercriminals are using a variety of coronavirus themed phishing campaigns to distribute malware, steal credentials, and scam users out of money.
Phishing campaigns are quickly becoming more sophisticated, with many now placing a reCAPTCHA wall in front of the phishing page to block URL scanning services from reaching its content. The wall hinders the email security systems that would otherwise block the attack, and it makes the phishing site more believable in the eyes of the user.
Scammers have begun using the Google-owned service to prevent automated URL analysis systems from accessing the actual content of phishing pages: the scanner cannot solve the challenge, so it never sees the page behind it.
Because end users are familiar with being asked to solve a reCAPTCHA to prove they are not a robot, the malicious use of a real reCAPTCHA wall also lends credibility to the phishing site, making users more likely to be tricked.
In the campaign observed, the phishing emails carry an HTML attachment that redirects to a page containing nothing but a reCAPTCHA wall. Once the user solves the reCAPTCHA, they are redirected to the actual phishing page, which spoofs the appearance of a common Microsoft login page.
While some campaigns simply spoof the reCAPTCHA box with nothing more than a checkbox and a form, use of the real reCAPTCHA API is becoming increasingly common. The real API is more effective at deterring automated scanners: a fake box can be bypassed programmatically by simply submitting the form, whereas the real widget only fires its callback (and issues a response token) after Google's challenge has been passed, which a scanner cannot do by submitting a form.
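The two gate patterns described above can be told apart mechanically, which is useful for anyone triaging HTML attachments that a sandbox or URL scanner gave up on. The following script is an added example for this bulletin, not PNP ACG tooling or code from the campaign: it parses an HTML attachment, checks whether it loads Google's genuine reCAPTCHA client library (api.js) or merely imitates the checkbox, and collects where the page hands the visitor off next (inline JavaScript redirects, meta refresh, absolute form actions). The three sample attachments, the site key and the domains (login-verify.example, account-check.example) are constructed placeholders, not real infrastructure.

```python
"""Triage an HTML e-mail attachment for a reCAPTCHA gate in front of a
second-stage page.  Added example for this bulletin; it is not PNP ACG
tooling.  All samples are constructed and the domains are placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve Google's genuine reCAPTCHA client library.
RECAPTCHA_HOSTS = ("www.google.com", "www.recaptcha.net", "recaptcha.net")
# Client-side redirects of the form  window.location.href = "..."
_REDIRECT_RE = re.compile(
    r"""(?:window\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")
_META_URL_RE = re.compile(r'''url\s*=\s*['"]?([^'"\s]+)''', re.I)


class _GateParser(HTMLParser):
    """Collect only the tags that matter for the gate pattern."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline_js = [], []
        self.sitekeys, self.callbacks = [], []
        self.form_actions, self.meta_refresh = [], []
        self.checkboxes = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "div" and "g-recaptcha" in (a.get("class") or ""):
            self.sitekeys += [a["data-sitekey"]] if a.get("data-sitekey") else []
            self.callbacks += [a["data-callback"]] if a.get("data-callback") else []
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "input" and (a.get("type") or "").lower() == "checkbox":
            self.checkboxes += 1
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def analyze_attachment(html):
    """Return a dict of indicators and a verdict for one HTML attachment."""
    p = _GateParser()
    p.feed(html)
    loads_real_api = any(_host(s) in RECAPTCHA_HOSTS and "recaptcha/api.js" in s
                         for s in p.script_srcs)
    # Where does the page send the visitor next?  Inline JS, meta refresh
    # and absolute form actions are the usual hand-off points.
    targets = [u for js in p.inline_js for u in _REDIRECT_RE.findall(js)]
    targets += [m.group(1) for m in map(_META_URL_RE.search, p.meta_refresh) if m]
    targets += [act for act in p.form_actions if act.startswith("http")]
    redirect_hosts = sorted({_host(u) for u in targets if _host(u)})
    # A spoofed wall: the "not a robot" checkbox with no real API behind it.
    spoofed = (not loads_real_api and p.checkboxes > 0
               and re.search(r"not a robot", html, re.I) is not None)
    if loads_real_api and p.callbacks and redirect_hosts:
        verdict = "real-recaptcha-gate"      # solve -> callback -> redirect
    elif spoofed and redirect_hosts:
        verdict = "spoofed-recaptcha-gate"   # any form submit passes
    elif loads_real_api:
        verdict = "recaptcha-no-redirect"    # ordinary protected form
    else:
        verdict = "no-gate"
    return {"verdict": verdict, "loads_real_api": loads_real_api,
            "sitekeys": p.sitekeys, "callbacks": p.callbacks,
            "redirect_hosts": redirect_hosts, "spoofed_checkbox": spoofed}


# Constructed samples (placeholder domains and site key, not real infrastructure).
REAL_GATE = """<html><head>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<script>function onSolved(t){window.location.href="https://login-verify.example/o365/";}</script>
</head><body><div class="g-recaptcha" data-sitekey="SITEKEY-PLACEHOLDER"
 data-callback="onSolved"></div></body></html>"""
SPOOFED_GATE = """<html><body><form method="post" action="https://account-check.example/next.php">
<input type="checkbox" name="v"> I'm not a robot <input type="submit" value="Verify">
</form></body></html>"""
BENIGN_FORM = """<html><head><script src="https://www.google.com/recaptcha/api.js"></script>
</head><body><form method="post" action="/contact">
<div class="g-recaptcha" data-sitekey="SITEKEY-PLACEHOLDER"></div>
<input type="submit"></form></body></html>"""

if __name__ == "__main__":
    for name, sample in (("real", REAL_GATE), ("spoofed", SPOOFED_GATE), ("benign", BENIGN_FORM)):
        print(name, analyze_attachment(sample))
```

The distinction the verdicts draw matters operationally: a "spoofed-recaptcha-gate" can be walked through by a scanner that simply posts the form, while a "real-recaptcha-gate" needs a human (or a manual analyst) to reach the second stage, so the redirect hosts it reports are the indicators worth blocking without waiting for the sandbox. A genuine protected form ("recaptcha-no-redirect") loads the same Google library but hands off nowhere external, which is why the library alone is not a verdict.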
Users should scrutinise the sender, the URLs and the attachments of a message; doing so can help them spot the attack before they ever reach the reCAPTCHA. In particular, a legitimate login page does not arrive as an HTML attachment, and the address shown after the redirect will not be a genuine Microsoft domain.
All PNP personnel as well as the public are advised to follow the tips below to guard against the new phishing campaigns that use reCAPTCHA walls:
• Always exercise careful judgement about where you enter sensitive information, and consider using a password manager;
• Update all of your passwords, especially any that may have been entered on a suspicious page;
• Keep your apps up to date; and
• Do not trust a website as genuine just because it uses reCAPTCHA-based user validation; the challenge proves only that you are human, not that the site is legitimate.
For additional information, please refer to the following websites:
POINT OF CONTACT