The Completely Automated Public Turing test to tell Computers and Humans Apart, most commonly known as CAPTCHA, is a system for creating challenges that must be completed before users can advance on a website. According to IT system audit specialists, the main function of a CAPTCHA challenge is to prevent hackers from using automated bots to access certain content because, in theory, only a human being can solve one of these challenges.
This does not mean that a CAPTCHA is exempt from any security issue. A report from the security company Cofense reports on a new phishing campaign that, using CAPTCHA boxes, hides a fake Microsoft login page.
According to IT system audit experts, operators of this malicious campaign use CAPTCHA to prevent anti-malware analysis on a system from being performed correctly, so it will not be possible to check if a web page was made to extract visitors’ credentials.
Many companies use Secure Email Gateways (SEG) to scan their incoming emails for malware or indications of other attack variants. The point is that SEG is not sophisticated enough to solve a CAPTCHA and, as this is not a known attack variant, SEG vendors do not have adequate protection.
“SEGs cannot scan the malicious page, only the CAPTCHA code site, which does not contain malicious elements, so the SEG tags it as secure content and allows the user to advance,” the IT system audit experts mention. When the recipient of the email resolves the CAPTCHA challenge, they receive a fake Microsoft login page that will record the login credentials to their company accounts.
Specialists detected that the email address from which the phishing link is sent is an avis.ne.jp email account that has been hijacked by campaign operators. The message is intended to be a notification about a voice mail message; both the phishing page and the CAPTCHA used by the attackers are hosted on Microsoft cloud servers.
These kinds of attacks make it difficult for people or automatic scanners to detect that a page is not legitimate. SEG technology typically focuses on the reputation of the domain from which an email is sent; in this case, because the malware is hosted on a Microsoft cloud server, it is easy for attackers to bypass this protective measure.
Experts in IT system audit from the International Institute of Cyber Security (IICS) say they are concerned about the ability of threat actors to reverse techniques normally used against them to take advantage over their victims. In this case they have taken advantage of the use of CAPTCHA, but they have also been shown to be able to exploit HTTPS encryption, cryptographic signatures and other protective measures to interrupt anti-malware analysis.