Cyberattackers are using Google’s reCAPTCHA and fake CAPTCHA-like services to make various phishing sites and other malicious sites look legitimate.
CAPTCHAs are familiar to most people as the challenges used to confirm that a visitor is human. The simple puzzles usually involve clicking every photo in a grid that contains a certain object, or typing a word shown as blurred or distorted text. The idea is to stop bots on e-commerce and online account sites, and they serve the same bot-blocking purpose for attackers.
Survey and lottery scams are among the most common pages used by attackers. In exchange for a fake payment or a chance at winning the lottery, the victim is lured into disclosing sensitive information, including address, date of birth, banking details, and so on. These websites get their traffic from phishing emails sent out to millions of people daily. This might seem strange, but the more emails they send, the better the attackers' chance of a successful attack; they also only need a few successes to turn a profit, because the campaign costs next to nothing to run and maintain.
Often, these pages show CAPTCHA challenges only when they suspect automation, based on certain unique identifiers and browser versions, so that the experience is as frictionless as possible for potential victims. The good news is that phishing pages can be detected by correlating CAPTCHA API keys, because many of these malicious websites re-use the same API key across multiple sites.
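As an added example (not code from the original post), the following Python sketch shows the pivot just described: it extracts reCAPTCHA site keys from page source and flags domains that share a key with a known phishing domain. The domains and site keys are constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict

# The three common ways a reCAPTCHA site key appears in page source:
# the v2 widget attribute, the v3 script URL, and the v3 execute() call.
SITEKEY_PATTERNS = [
    re.compile(r'data-sitekey\s*=\s*["\']([A-Za-z0-9_-]+)["\']'),
    re.compile(r'recaptcha/api\.js\?[^"\']*?render=([A-Za-z0-9_-]+)'),
    re.compile(r'grecaptcha\.execute\(\s*["\']([A-Za-z0-9_-]+)["\']'),
]

def extract_site_keys(html):
    """Return the set of reCAPTCHA site keys found in one page's HTML."""
    keys = set()
    for pat in SITEKEY_PATTERNS:
        keys.update(pat.findall(html))
    return keys

def build_key_index(pages):
    """Map each site key to the set of domains embedding it. `pages` is {domain: html}."""
    index = defaultdict(set)
    for domain, html in pages.items():
        for key in extract_site_keys(html):
            index[key].add(domain)
    return index

def pivot_on_known_bad(pages, known_bad):
    """Domains not yet known bad that share a site key with a known phishing domain."""
    index = build_key_index(pages)
    suspects = set()
    for domains in index.values():
        if domains & known_bad:
            suspects |= domains - known_bad
    return suspects

# Constructed sample pages; keys and domains are placeholders for illustration only.
SAMPLE_PAGES = {
    "known-phish.example": '<div class="g-recaptcha" data-sitekey="6Lc_EXAMPLE_KEY_SHARED"></div>',
    "lottery-win.example": '<script src="https://www.google.com/recaptcha/api.js?render=6Lc_EXAMPLE_KEY_SHARED"></script>',
    "survey-prize.example": "<script>grecaptcha.execute('6Lc_EXAMPLE_KEY_SHARED', {action: 'submit'})</script>",
    "shop.example": '<div class="g-recaptcha" data-sitekey="6Ld_EXAMPLE_KEY_OTHER"></div>',
}
KNOWN_BAD = {"known-phish.example"}

if __name__ == "__main__":
    print(sorted(pivot_on_known_bad(SAMPLE_PAGES, KNOWN_BAD)))
```

A shared key is a lead, not a verdict: one legitimate operator may run several sites on the same key, so each flagged domain still needs review before it is blocked.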
As phishing evolves and grows more sophisticated, it is important to stay up to date with the latest trends and techniques and to always remain vigilant. We recommend never clicking links in emails unless you are 100% certain they are legitimate. If you are unsure, contact the sender by phone and confirm that they sent the email.
Follow Cyber Wise on Twitter @cyber-wise and visit our website to see what we could do to help make your business safer.