How CAPTCHAs can cloak phishing URLs in emails

CAPTCHA puzzles, designed to distinguish people from computer code, are being used to separate people from their login credentials.

Security firm Avanan on Thursday published its latest analysis of a phishing technique that builds on the internet community's familiarity with CAPTCHA challenges to amplify the effectiveness of deceptions designed to capture sensitive data.

Many companies employ secure email gateways (SEGs) to filter messages to prevent bad stuff, such as suspicious executables in attachments and links to phishing sites, from reaching users. Avanan, which sells an AI-based service that competes with traditional SEGs, unsurprisingly doesn't think much of these gateways and says it has new evidence to support its claims.

CAPTCHA puzzles, such as Google's reCAPTCHA, can act as a roadblock for these scanners because the filters can't solve the puzzles. When you beat a CAPTCHA, your browser can be directed someplace else, usually whatever it is you actually want to visit. If a SEG can't crack the riddle, it can't find out where a user would be ultimately taken, and is unable to make a decision on whether to filter out the email. It could default to blocking everything involving a CAPTCHA, but then that might be too much of a pain for users.

Crucially, what Avanan found, and shared last year, is that miscreants have been deploying CAPTCHAs to conceal unsafe content from automated scans. If the scanner can't solve the puzzle, it potentially can't do its job properly.

For example, someone could get an email with an HTML attachment that when opened directs the user to a CAPTCHA, which if solved then eventually takes them to a phishing page that looks like a legit site's login screen but actually harvests any entered credentials. An automated scanner gets stopped at the puzzle.

As of February, Avanan researchers started seeing crooks using this technique used in conjunction with the compromised domain of a university as a way to capitalize on a trusted domain.

• Microsoft warns of widespread open redirection phishing attack – which Defender can block, coincidentally
• Cloudflare launches campaign to 'end the madness' of CAPTCHAs
• Who would cross the Bridge of Death? Answer me these questions three! Oh and you'll need two-factor authentication
• To CAPTCHA or not to CAPTCHA? Gartner analyst says OK — but don't be robotic about it

According to Jeremy Fuchs, a cybersecurity analyst at Avanan, victims received from the compromised university domain an email with an attached PDF file purporting to be a faxed document. The PDF, when opened, presents a URL – and instructions to visit the URL – that leads to a CAPTCHA form that shields the location of a phishing page. An automated scanner would need to get the URL out of the PDF, fetch it, and then solve the puzzle to get any further. It might even just trust the CAPTCHA URL.

Once the human victim solves the puzzle, they end up at a page that tries to trick the mark into entering their details supposedly for identity verification. Instead their information is sent off to fraudsters to exploit. The fact that a CAPTCHA is involved as some kind of security check may even convince some netizens that this really is a legit site. Attached documents could also be password protected, with the password in the message, to put another road block in the way of scanners; password-protected files may set them off, mind you.

"To the end-user, this doesn’t seem like phishing but more like a nuisance," explained Fuchs in research provided to The Register. "Given how often the average user fills out a CAPTCHA challenge, it’s not out of the ordinary. Neither are password-protected PDF documents."

For now, Avanan's advice is to tell people receiving these sorts of messages to supply the intelligence automated systems can't quite manage.

That means paying more attention to the URLs associated with CAPTCHA forms, making inquiries about whether attached PDFs should have been password-protected, and looking for potential red flags such as supposed faxed attachments that come from those known to be working at home (where fax machines are presumably as scarce as cassette tape players).

Good luck with that. ®