Cyberattackers are using Google’s reCAPTCHA (aka the “I am not a robot” function) and
fake CAPTCHA-like services to obscure various phishing and other campaigns, according to researchers. There are signs however that those evasion efforts may be losing their efficacy.
CAPTCHAs are familiar to most internet users as the challenges that are used to confirm that they’re human. The Turing test-ish puzzles usually involve clicking all photos in a grid that contain a certain object, or typing in a word presented as blurred or distorted text.
The idea is to weed out bots on eCommerce and online account sites – and they serve the same purpose for crooks.
“Hiding phishing content behind CAPTCHAs prevents security crawlers from detecting malicious content and adds a legitimate look to phishing login pages,” according to a
Friday writeup from Palo Alto Networks’ Unit 42.
Though it’s far from new, it’s an increasingly popular technique: Just in the last month, the firm found 7,572 unique malicious URLs over 4,088 pay-level domains employing the obfuscation method. That’s an average of 529 new CAPTCHA-protected malicious URLs per day.
threatpost.com
