Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

Don't Just Catch a Phish, Captcha One

Stu Sjouwerman | Oct 1, 2020

CAPTCHA Phishing attackResearchers at Menlo Security have identified a phishing site that uses three layers of visual captchas to evade detection by automated security crawlers. Captchas are brief tests on websites that ask you to enter a word or select a series of images to prove you’re not a robot. Almost everyone has encountered these, since they’re usually used by legitimate sites to filter out malicious or unwanted traffic from bots.

In this case, however, the attackers are using captchas to prevent good bots (i.e., bots that are designed to hunt down phishing sites) from accessing the phishing page. The researchers also note that the captchas have the added benefit of lending credibility to the phishing page, since users associate these tests with legitimate sites.

“Two important things are happening here,” they write. “The first is that the user is made to think that this is a legitimate site, because their cognitive bias has trained them to believe that checks like these appear only on benign websites. The second thing this strategy does is to defeat automated crawling systems attempting to identify phishing attacks.”

When a user first accesses the phishing site, they’ll be presented with the familiar “I’m not a robot” reCAPTCHA checkbox. After clicking this box, the user will be asked to select the correct set of images to proceed (for example, images with bicycles, street signs, school buses, and so forth). The user will have to solve three of these tests before they’re allowed to access the phishing page, which is a convincingly spoofed version of an Office 365 login portal designed to steal their credentials.

“Microsoft happens to be the brand that is most phished across our customer base,” the researchers explain. “This is a result of the increased adoption of O365 by many enterprises and cyber criminals are looking to take over legitimate accounts and use them to launch additional attacks within the enterprise.”

Attackers are constantly adapting their techniques to stay ahead of improved security technology. New-school security awareness training can give your employees the knowledge they need to avoid falling for these attacks.

Menlo Security has the story.

Topics: Phishing

Discover Your Organization’s Phish-prone™ Percentage

Ninety-one percent of data breaches begin with spear phishing. Launch our Free Phishing Security Test for up to 100 users to uncover your team's vulnerability and see how your security posture stacks up against industry benchmarks.

Get Your Free Phishing Security Test

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.

Stu Sjouwerman

ABOUT STU SJOUWERMAN

Stu Sjouwerman (pronounced “shower-man”) is the Founder and Executive Chairman of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

Read more from Stu »

Subscribe the KnowBe4 Blog

Posts By Topic

View All