Phishing Scheme Uses CAPTCHA on Fake Login Pages to Make Them Look Legitimate

Researchers with Menlo Security found a new phishing scheme that was using fake CAPTCHA checks. The bad actors behind the credential-theft scam were primarily targeting businesses and organizations in the hospitality industry.

The scam in question was trying to pose as an MS Office 365 page. Menlo Security actually state that Microsoft is the most abused brand name in their experience with researching phishing scams. This is explained by the increasing rate of adoption of Microsoft Office 365 in particular, which is becoming a centerpiece in the infrastructure of a lot of businesses across the globe. The end goal of the criminals is usually to phish out the Office 365 account credentials of a single user who falls for the bait, then latch onto the company's network and continue their attacks from within, acting as a legitimate user.

Series of CAPTCHA Checks Try to Trick Victims

The series of anti-bot checks the phishing scheme uses opens with a simple "I am not a robot" checkbox prompt. The purpose of the CAPTCHA element of the scam is twofold. On the one hand, it lends some credibility to the fake pages and tricks the user into believing they are interacting with a real, secure page. On the other hand, it hinders security bots crawling the web and makes sure that a human, rather than an automated scanner, is the one reaching the final form, which steals the credentials.

The second CAPTCHA check used by the scammers involved identifying slices of an image that contain a specific object, similar to the sort of checks you see on a lot of legitimate websites. The task in the sliced image is to click on the pieces containing bikes. Once that is solved, a third CAPTCHA step comes up, asking the user to identify all image slices containing a crosswalk.

The final step coming after the three bot checks is the actual phishing form, styled to look like an Office 365 login page.

There are a few significant issues with the scam, despite its attempt to look genuine. A more experienced user might wonder why Microsoft would make them jump through multiple hoops simply to reach the login page for a product. Another very significant issue is the URL - a quick glance at the address bar of your browser during any of the steps the scam takes you through would reveal highly suspicious URLs. The final one attempts to mimic the real Microsoft Office 365 login page, but fails miserably for the most part.

This is another reason for anyone to be more aware and more careful when browsing any website. Developing the habit of checking the URL of every page you hit, even if you're completely sure it is the real deal, is a great idea that can save you a lot of trouble online.
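The URL check the article recommends can also be automated on the defender's side. The following Python snippet is an added example, not code from the article or from Menlo Security: it classifies a sign-in URL as legitimate, lookalike, insecure or unknown, and then runs that check over a few constructed proxy-log lines to surface users who reached a lookalike Microsoft login host. The allow-list of genuine Microsoft sign-in hosts and the brand keywords are assumptions for illustration; a real deployment would maintain its own lists, and the `.example` domains in the sample log are constructed.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allow-list of hosts Microsoft uses for Office 365 sign-in.
# A deployment should maintain its own, authoritative list.
LEGITIMATE_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Brand strings that a lookalike host typically embeds to appear genuine.
BRAND_KEYWORDS = ("microsoft", "office365", "office-365", "o365", "outlook", "onedrive")


def classify_login_url(url: str) -> str:
    """Classify a URL presented as a Microsoft sign-in page.

    Returns one of:
      'legitimate' - host is exactly one of the known sign-in hosts over HTTPS
      'insecure'   - a known sign-in host, but not served over HTTPS
      'lookalike'  - host embeds a Microsoft brand string but is not a known host
                     (this also catches 'login.microsoftonline.com.evil.example')
      'unknown'    - nothing Microsoft-related about the host, or no host at all
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "unknown"
    # Exact match on the whole hostname, never a substring match: a phishing
    # host can contain the real name as a leading label and still be foreign.
    if host in LEGITIMATE_LOGIN_HOSTS:
        return "legitimate" if parts.scheme == "https" else "insecure"
    if any(keyword in host for keyword in BRAND_KEYWORDS):
        return "lookalike"
    return "unknown"


# Constructed proxy-log lines: "<timestamp> <user> <url>". The hostnames are made up.
SAMPLE_PROXY_LOG = """\
2020-10-07T09:12:01Z alice https://login.microsoftonline.com/common/oauth2/authorize
2020-10-07T09:15:44Z bob https://login.microsoftonline.com.hotel-booking-verify.example/captcha
2020-10-07T09:16:02Z bob https://office365-signin-check.example/login
2020-10-07T09:20:10Z carol https://wiki.example/page
"""


def suspicious_logins(log_text: str) -> list:
    """Return (user, url, verdict) for every log line that hit a lookalike or insecure sign-in URL."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than guessing at them
        _timestamp, user, url = fields
        verdict = classify_login_url(url)
        if verdict in ("lookalike", "insecure"):
            hits.append((user, url, verdict))
    return hits


if __name__ == "__main__":
    for user, url, verdict in suspicious_logins(SAMPLE_PROXY_LOG):
        print(f"{verdict:10} {user:6} {url}")
```

The important design choice is the exact-hostname comparison: a substring test such as `"login.microsoftonline.com" in url` would wave through a host that merely starts with the real name, which is exactly the kind of address the article says a careful glance at the address bar should catch.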

October 7, 2020
