Davey Winder
Senior Contributor FORBES

May 4, 2020

The use of cloning is something that cybercriminals have long exploited, often with remarkably good results. Just recently, there have been reports of cloned Microsoft Teams login pages being used to harvest video chat passwords, and of fake but realistic U.S. stimulus payment communications, for example. But it's not just the intended victim that attackers want to fool; it's also the cybersecurity tools that can catch them red-handed. Researchers from security vendor Barracuda have recently spotted one threat campaign doing just that, not with a clone but by employing a legitimate Google tool in a thoroughly illegitimate way.

How Cybercrime is employing Google as an unwitting accomplice

It is not unusual, it has to be said, for cybercriminals to put fake or cloned captcha walls in front of a credential-stealing site to lend it some apparent legitimacy. The tactic is designed to persuade the victim that this must be the real login page, since it employs the kind of security measure that keeps bots out. It is just one way attackers have stepped up to the challenge of fooling an increasingly, if slowly so, cyber-aware public. Another, and the one the Barracuda researchers have found evidence of, is the use of real captcha walls, specifically Google's reCaptcha service.

Although designed primarily to stop automated bots from scraping or abusing sites, reCaptcha can also be used maliciously by cybercriminals, the Barracuda researchers say. We are all so used to picking out which squares contain a bus, a traffic light or a pedestrian crossing that reCaptcha has become a normal part of accessing online services. That takes care of the attacker's first goal: it lends the page the feeling of legitimacy they want. The reason credential thieves have turned to the real reCaptcha rather than a mocked-up clone, however, is that it stops automated link-analysis systems from reaching the content behind it just as effectively as it stops content-scraping bots. That takes care of the second goal: a better chance of not being detected in the act.

128,000 real deals against just one fake

It would appear that the tactic is becoming more popular with the credential-stealing gangs that use email phishing campaigns to start things off. The use of a genuine reCaptcha API, the Barracuda researchers said, "is undoubtedly more effective in deterring automated scanners because a fake reCaptcha box could easily be programmatically bypassed by simply submitting the form." Indeed, across the sample the researchers analyzed, only one used a fake reCaptcha input box, while 128,000 used the genuine article. Multiple email credential phishing campaigns have been spotted using this tactic, the researchers said, with counterfeit Microsoft login screens apparently a favorite. The email carries an HTML attachment that redirects the recipient to the reCaptcha screen, and once that "are you a human" hurdle is cleared, they are presented with a cloned login page.
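The distinction Barracuda draws, between a cosmetic captcha a scanner can skip by submitting the form and a genuine reCaptcha widget it cannot get past, is something an email-security pipeline can at least recognize statically. The following is an added example written for this page, not Barracuda's detection code: a small Python triage script, standard library only, that inspects an HTML attachment (or the page it bounces to), reports whether it loads the real reCaptcha API script, whether it merely shows captcha-like text without it, and where the page sends the visitor afterwards (form action, meta refresh, or a `window.location` assignment in inline script). The sample documents are constructed for illustration, the `.invalid` hostnames are placeholders, and the cue words and verdict labels are the author's assumptions about what is worth flagging.

```python
"""Static triage of captcha-gated HTML attachments (added example, not from the article)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts and path that serve the genuine reCAPTCHA widget script.
RECAPTCHA_HOSTS = ("www.google.com", "www.recaptcha.net")
RECAPTCHA_PATH = "/recaptcha/api.js"
# Cue words a purely cosmetic "captcha" page tends to display (assumed heuristic).
CAPTCHA_CUES = re.compile(r"not a robot|captcha", re.I)
# Inline-script redirects: window.location = "...", location.href = "...", etc.
REDIRECT_RE = re.compile(
    r"(?:window\.location(?:\.href)?|location\.href|location)\s*=\s*['\"]([^'\"]+)['\"]"
)


class _AttachmentParser(HTMLParser):
    """Collects script sources, reCAPTCHA sitekeys, form actions, meta refreshes and inline JS."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.sitekeys, self.form_actions = [], [], []
        self.inline_js, self.meta_refresh = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "div" and "g-recaptcha" in (a.get("class") or "").split():
            self.sitekeys.append(a.get("data-sitekey", ""))
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh.append(m.group(1))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


def _is_recaptcha_script(src):
    u = urlparse(src)
    return u.netloc in RECAPTCHA_HOSTS and u.path == RECAPTCHA_PATH


def analyze_attachment(html_text):
    """Return a dict describing the gate in front of the page and where it leads."""
    p = _AttachmentParser()
    p.feed(html_text)
    real = any(_is_recaptcha_script(s) for s in p.script_srcs)
    looks_like_captcha = bool(CAPTCHA_CUES.search(html_text)) or bool(p.sitekeys)
    fake = looks_like_captcha and not real
    dests = p.form_actions + p.meta_refresh
    for js in p.inline_js:
        dests += REDIRECT_RE.findall(js)
    hosts = sorted({urlparse(d).netloc for d in dests if urlparse(d).netloc})
    if real and hosts:
        verdict = "captcha-gated redirect"   # scanner cannot follow; escalate
    elif fake:
        verdict = "fake captcha"             # scanner can submit the form itself
    elif hosts:
        verdict = "redirect"
    else:
        verdict = "no gate"
    return {"real_recaptcha": real, "fake_captcha": fake, "destinations": hosts,
            "scanner_can_follow": bool(hosts) and not real, "verdict": verdict}


# Constructed sample 1: the attachment itself only bounces the victim onward.
ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=https://verify.example-phish.invalid/step1.html">
</head><body>Loading secure document...</body></html>"""

# Constructed sample 2: the landing page loads the genuine widget and only
# reveals the cloned login once the data-callback receives a token.
CAPTCHA_PAGE = """<html><head>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<script>
function onVerified(token) {
  window.location.href = "https://login.example-phish.invalid/office365/";
}
</script></head><body>
<div class="g-recaptcha" data-sitekey="sitekey-placeholder" data-callback="onVerified"></div>
</body></html>"""

# Constructed sample 3: a cosmetic "captcha" that is just a form; submitting it lands on the clone.
FAKE_PAGE = """<html><body>
<form action="https://login.example-phish.invalid/office365/" method="post">
<img src="grid.png" alt="Select all images with buses">
<label><input type="checkbox"> I'm not a robot</label>
<button>Verify</button></form></body></html>"""

# Constructed sample 4: an ordinary attachment with nothing to gate.
BENIGN = "<html><body><h1>Invoice 1042</h1><p>Thank you for your order.</p></body></html>"

if __name__ == "__main__":
    for name, doc in [("attachment", ATTACHMENT), ("captcha page", CAPTCHA_PAGE),
                      ("fake captcha", FAKE_PAGE), ("benign", BENIGN)]:
        print(f"{name:13} -> {analyze_attachment(doc)}")
```

The useful output is the combination of `real_recaptcha` and a non-empty `destinations` list: a page that loads Google's widget and then moves the visitor to an unrelated host is exactly the case a link-follower will be unable to inspect, so it should be routed to detonation or human review rather than scored as clean for lack of evidence. The fake-captcha case, by contrast, carries its destination in the form action, and a scanner can fetch it directly.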

To mitigate the risk from this kind of attack, Barracuda said users need to be better educated about the fact that reCaptcha doesn't automatically mean the page behind the image grid is a safe one. Caution should always be exercised, they said, but especially if a reCaptcha grid appears before a login where you've never had to pass one before. The usual advice for spotting phishing emails also applies: beware of suspicious senders and unexpected attachments, and take care to check the URL any such email is sending you towards. As I reported recently, homoglyphs have allowed attackers to make a URL look almost identical, at first glance and often at second, to the valid domain address. Finally, Barracuda offers some reassurance: the email itself is still a phishing email, which means it "may be detected by email protection solutions."