Cyber-criminals set up three different CAPTCHAs that Office 365 targets must click through before reaching the final phishing page.
Researchers are warning of an ongoing Office 365 credential-phishing campaign that targets the hospitality industry and uses visual CAPTCHAs to evade detection and appear legitimate.
LinkedIn and Google
CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart), commonly used by websites such as LinkedIn and Google, are a type of challenge-response test used to determine whether the user is human, for example by asking them to click the tiles of an image grid that contain a specific object.
Cyber-criminals have previously used CAPTCHAs to defeat automated crawling systems, to ensure that a human rather than a scanner is interacting with the page, and to make the phishing landing page appear legitimate. A URL scanner that cannot solve the challenge never reaches the credential form behind it; all it sees is a harmless-looking CAPTCHA page.
Though the use of CAPTCHAs in phishing attacks is nothing ground-breaking, this campaign shows how well the technique works: the attackers used three different CAPTCHA checks on targets before finally bringing them to the phishing landing page, which poses as a Microsoft Office 365 log-in page.
“Two important things are happening here,” observed researchers with Menlo Security in a post this week. “The first is that the user is made to think that this is a legitimate site, because their cognitive bias has trained them to believe that checks like these appear only on benign websites. The second thing this strategy does is to defeat automated crawling systems attempting to identify phishing attacks.”
The multiple CAPTCHAs serve as back-ups in case the first one is defeated by automated systems, the researchers said.
In the first CAPTCHA check, targets are asked to tick a box that says “I’m not a robot.”
They are then taken to a second CAPTCHA that asks them to select, for instance, all the picture tiles containing bicycles, followed by a third CAPTCHA asking them to identify, say, all the tiles showing a zebra crossing.
The attackers also do not reuse the same CAPTCHA images: during their testing, the researchers came across at least four different images.
Finally, after passing all of these checks, the target is taken to the last landing page, which impersonates an Office 365 log-in page in an attempt to steal the victim’s credentials.
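The defensive consequence of this chain is that a URL scanner which gives up at the first challenge will never see the credential form, and a scanner that then reports the URL as "clean" has been deceived. The following is an added example, not code from Menlo Security or from the article, of how a crawler that records every page it is shown could triage such a chain: it counts CAPTCHA pages that carry no login form (gates), then checks whether the final page is a password form using Microsoft branding but posting to a host outside an assumed list of legitimate Microsoft sign-in hosts. The HTML snippets and the hostname phish.example are constructed to mirror the flow described above; the keyword lists and the legitimate-host list are assumptions a real deployment would tune.

```python
"""Heuristic triage of a CAPTCHA-gated phishing chain (added example, stdlib only).

The HTML snippets are constructed to mirror the flow the article describes
(three CAPTCHA gates, then a fake Office 365 sign-in form); they are not
pages captured from the real campaign, and the hostnames are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: hosts to which a genuine Microsoft sign-in form may post credentials.
LEGIT_MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Assumed keyword lists; a production scanner would use a richer, tuned set.
CAPTCHA_PHRASES = ("i'm not a robot", "i\u2019m not a robot", "select all images", "select all squares")
CAPTCHA_WIDGET_HINTS = ("recaptcha", "hcaptcha")
BRAND_PHRASES = ("office 365", "microsoft")


class PageFeatures(HTMLParser):
    """Collects the handful of signals the heuristic needs from one page."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.has_password_input = False
        self.form_actions = []
        self.captcha_widget = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}      # attribute values may be None
        if tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_input = True
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        # reCAPTCHA/hCaptcha show up as a script src, an iframe src or a widget class
        hints = (a.get("src", "") + " " + a.get("class", "")).lower()
        if any(h in hints for h in CAPTCHA_WIDGET_HINTS):
            self.captcha_widget = True

    def handle_data(self, data):
        self.text.append(data.lower())


def page_features(page_url, html):
    p = PageFeatures()
    p.feed(html)
    text = " ".join(p.text)
    return {
        "captcha": p.captcha_widget or any(ph in text for ph in CAPTCHA_PHRASES),
        "password_form": p.has_password_input,
        "brand": any(b in text for b in BRAND_PHRASES),
        # resolve relative actions against the page URL so "post.php" gets a host
        "form_hosts": [urlparse(urljoin(page_url, act)).hostname for act in p.form_actions],
    }


def triage_chain(chain):
    """chain: list of (url, html) in the order the visitor was shown them.

    Returns (verdict, number of CAPTCHA gates, off-site form hosts on the final page)."""
    feats = [page_features(url, html) for url, html in chain]
    # a CAPTCHA page that carries no credential form is a gate in front of the payload
    gates = sum(1 for f in feats if f["captcha"] and not f["password_form"])
    final = feats[-1]
    offsite = sorted({h for h in final["form_hosts"] if h and h not in LEGIT_MS_LOGIN_HOSTS})
    if final["password_form"] and final["brand"] and offsite:
        verdict = "captcha-gated credential phishing" if gates else "credential phishing"
    elif gates and not final["password_form"]:
        # The crawl stopped on a challenge it could not solve. That is a finding in
        # itself (hand off to a human or a solver); it must not be scored as "clean".
        verdict = "blocked at captcha, unresolved"
    else:
        verdict = "no finding"
    return verdict, gates, offsite


SAMPLE_CHAIN = [  # constructed pages and host, not captured from the campaign
    ("https://phish.example/check1",
     '<html><title>Security check</title><body>'
     '<script src="https://www.google.com/recaptcha/api.js"></script>'
     '<div class="g-recaptcha"></div><label>I\'m not a robot</label></body></html>'),
    ("https://phish.example/check2",
     '<html><body><p>Select all images with bicycles</p><img src="t1.png"></body></html>'),
    ("https://phish.example/check3",
     '<html><body><p>Select all squares with a zebra crossing</p></body></html>'),
    ("https://phish.example/login",
     '<html><title>Sign in to your account - Office 365</title><body>'
     '<form action="post.php" method="post"><input type="email" name="login">'
     '<input type="password" name="passwd"><button>Sign in</button></form></body></html>'),
]

BENIGN_CHAIN = [  # constructed: a sign-in form that posts to a legitimate Microsoft host
    ("https://login.microsoftonline.com/common/oauth2/authorize",
     '<html><title>Sign in to your account</title><body>'
     '<form action="https://login.microsoftonline.com/common/login"><input type="email">'
     '<input type="password"></form></body></html>'),
]

if __name__ == "__main__":
    for name, chain in (("full chain", SAMPLE_CHAIN), ("truncated", SAMPLE_CHAIN[:1]), ("benign", BENIGN_CHAIN)):
        print(name, triage_chain(chain))
```

The truncated case is the one that matters operationally: a crawler that stops at the first "I'm not a robot" box has learned something (a challenge is fronting the URL) and should escalate rather than close the ticket, because with this campaign the scanner would have to clear three such gates before it ever saw the credential form.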
Previous phishing campaigns have also used CAPTCHA systems to appear legitimate. A May phishing attack pretended to deliver subpoenas but actually stole users’ Office 365 credentials. In 2019, a phishing scam was found peddling malware using a fake Google reCAPTCHA page to mask its malicious landing page.
The researchers said the attack shows that cyber-criminals continue to switch up their tactics in phishing and email-based attacks.
Windows 7 upgrades
Just in the past week, researchers have warned of new phishing techniques such as abusing OAuth2 or other token-based authorisation methods, and phishing emails posing as Windows 7 upgrades.
“Phishing is the most prevalent attack vector affecting enterprises,” explained the researchers.
“These attacks take advantage of our inherent cognitive biases and fool us into entering our credentials. That bias, combined with the tactics used by attackers, makes these attacks very successful.”