Man holding smartphone with login interfaces showing phishing URLs defeating email security

Hackers Use Google reCAPTCHA To Hide Phishing URLs and Defeat Email Security Scanners To Steal User Credentials

Avanan cybersecurity firm detailed a campaign exploiting Google’s reCAPTCHA service to bypass email security and redirect users to phishing URLs. Websites use CAPTCHA to ensure they are interacting with real humans and not robots.

According to the report, threat actors are sending emails with an HTML attachment which redirects the target to a Google CAPTCHA. While many organizations implement secure email gateways (SEGs) to protect users from phishing emails. these tools are stopped dead on their tracks by reCAPTCHA puzzles.

Since the automated security scanners cannot solve the CAPTCHA challenge and determine the destination URL, threat actors are using CAPTCHAs to conceal malicious content.

Attackers evade email security features by hiding phishing URLs behind Google CAPTCHA.

Avanan observed threat actors using legitimate domains and CAPTCHA forms to bypass secure email filters and get to users’ inboxes.

They send phishing emails with a non-password-protected PDF purporting to be a faxed document.

When a victim opens the document, it redirects them to a CAPTCHA page. After solving the puzzle, the page redirects the user to the actual phishing page resembling a Microsoft login screen. The phishing page then prompts the victim to enter their credentials, which end up in the attacker’s database.

The attackers exploit the trust most users have for Google’s reCAPTCHA service, in addition to the phishing emails originating from a legitimate site. In this case, the attackers used a compromised university website to send phishing emails.

By default, most email services detect and block phishing URLs embedded in emails. However, since reCAPTCHA forms connect to Google domains, email security tools fail to stop such attacks.

“Perhaps the most popular CAPTCHA is Google’s reCAPTCHA. Google is inherently trusted by most security scanners since you can’t just block Google. The reCAPTCHA service makes connections to IP addresses that belong to Google and are already in most allow lists.”

Additionally, the inability of email security tools to solve Google CAPTCHAs prevents them from determining the contents of the email.

The use of a password-protected document in addition to the use of a convincingly spoofed Microsoft OneDrive page adds to the illusion of security.

In this case, an automated email security scanner must extract the destination URL from a PDF document and solve the CAPTCHA. These conditions prevent email security scanners from detecting phishing URLs in attachments.

Similarly, most email services provide attachment previews allowing users to determine the contents of the email. However, the inability of automated email security features to solve the captcha and generate a preview forces users to download the attachment.

How to defend against phishing URLs bypassing email security

Avanan presented various techniques to avoid being lured to phishing URLs by malicious emails that bypass email security features.

The firm advised users to check the destination URLs before solving captcha puzzles to avoid unknowingly being redirected to phishing sites and falling for phishing attacks.

Additionally, senders should ask recipients if the attached PDF documents should have been password protected. The recipients should also ask the sender if they sent the faxed document from home or office because “if working from home, odds are that they did not fax it.”

Attackers exploit Google reCAPTCHA forms to sneak into users' inboxes because automated #emailsecurity scanners cannot solve CAPTCHAs to determine the destination #phishing URLs. #cybersecurity #respectdataClick to Tweet

These recommendations prove that user behavior is the first line of defense against phishing URLs concealed behind captchas. Human behavior remains cybersecurity’s Achille’s Heel, giving scammers an advantage over organizations’ security teams.