Researchers are warning of an ongoing Office 365 credential-phishing attack that’s targeting the hospitality industry – and using visual CAPTCHAs to avoid detection and appear legitimate.
CAPTCHAs – commonly utilized by websites like LinkedIn and Google – are a type of challenge–response test used to determine whether or not the user is human, such as clicking on the parts of a grid that have a specific object pictured. Cybercriminals have previously utilized CAPTCHAs as a way to defeat automated crawling systems, ensure that a human is interacting with the page and make the phishing landing page appear legitimate.
Though the use of CAPTCHAS in phishing attacks is nothing groundbreaking, this attack shows that the technique works – so much so that the attackers in this campaign used three different CAPTCHA checks on targets, before finally bringing them to the phishing landing page, which poses as a Microsoft Office 365 log-in page.
“Two important things are happening here,” said researchers with Menlo Security, in a post this week. “The first is that the user is made to think that this is a legitimate site, because their cognitive bias has trained them to believe that checks like these appear only on benign websites. The second thing this strategy does is to defeat automated crawling systems attempting to identify phishing attacks.”
One of the CAPTCHAs presented during the attack. Credit: Menlo Security
The multiple CAPTCHAs serve as backups, in case the first one gets defeated by automated systems, said researchers.
In the first CAPTCHA check, targets are simply asked to check a box that says “I’m not a robot.”
After that, they are then taken to a second CAPTCHA that requires them to select for instance all the picture tiles that match bicycles, followed by a third CAPTCHA asking them to identify, say, all the pictures that match a crosswalk. Attackers also do not use the same CAPTCHAs – researchers said, during their testing they came across at least four different images utilized.
Finally, after passing all these checks, the target is taken to the final landing page, which impersonates an Office 365 log-in page, in an attempt to steal the victims’ credentials.
The Office 365 phishing landing page. Credit: Menlo Security
As mentioned above, cybercriminals have relied on previous phishing attacks that leverage CAPTCHA systems to appear legitimate. For instance, a May phishing attack pretended to deliver subpoenas but actually was stealing user’s Office 365 credentials. And, in 2019, a phishing scam was found peddling malware, using a fake Google reCAPTCHA system to mask its malicious landing page.
Researchers said, the attack shows that cybercriminals continue to switch up their tactics when it comes to phishing and email based attacks. Indeed, just in the past week, researchers have warned of innovative phishing techniques such leveraging OAuth2 or other token-based authorization methods, for instance, or phishing emails pretending to be Windows 7 upgrades.
“Phishing is the most prevalent attack vector affecting enterprises,” said researchers. “These attacks take advantage of our inherent cognitive biases and fool us into entering our credentials. That bias, combined with the tactics used by attackers, make these attacks very successful.”
Threatpost has reached out to Menlo Security for further details of the attack’s victimology, as well as the lures to watch out for in the initial phishing emails.
On October 14 at 2 PM ET get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.