You can tell hackers are clever when they start to use the things you trust the most to exploit you.

If you spend any time on the internet then surely you have encountered reCAPTCHA. reCAPTCHA, a system designed to establish that a computer user is human, was developed by engineers at Carnegie Mellon University and later acquired by Google.

Today, reCAPTCHA uses image verification by asking users to click on specific checkboxes. The system then verifies whether the user is a human or not behind the scenes. And wouldn’t you know it, hackers are now using reCAPTCHA to phish victims.


According to an article on ThreatPost, the offending emails “asked victims for confirmation for a recent transaction, along with a link to a malicious PHP file. When the victims clicked on the link, the malicious PHP file would send them a fake 404 error page. The PHP code then loaded a fake Google reCAPTCHA using a combination of HTML elements and JavaScript. The fake reCAPTCHA looks real, and makes victims feel as though the landing page is legitimate.”

Protection from Phishing

Luke Leal, from website security firm Sucuri, says there are some ways to identify the reCAPTCHA as fraudulent. “This page does a decent job at replicating the look of Google’s reCAPTCHA, but since it relies on static elements, the images will always be the same unless the malicious PHP file’s coding is changed. It also doesn’t support audio replay, unlike the real version. On the surface, however, the replica is very convincing.”
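
The "static elements" cue can be turned into a triage check over captured HTML. The sketch below is an added example, not code from Sucuri, ThreatPost or the campaign: it flags pages that show reCAPTCHA branding without loading the widget from Google. The function name, host list and sample pages are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve the genuine widget (api.js loader and challenge iframe).
GENUINE_HOSTS = {"www.google.com", "www.gstatic.com", "www.recaptcha.net"}
LURE_WORDS = ("recaptcha", "not a robot")  # branding a look-alike has to show

class _Scan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.genuine_loads = 0  # script/iframe fetched from a real reCAPTCHA path
        self.static_images = 0  # <img> elements carrying CAPTCHA branding
        self.lure_text = False  # markup or text imitating the widget

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        u = urlparse(a.get("src", ""))
        if (tag in ("script", "iframe") and u.hostname in GENUINE_HOSTS
                and u.path.startswith("/recaptcha/")):
            self.genuine_loads += 1
            return
        if any(w in " ".join(a.values()).lower() for w in LURE_WORDS):
            self.lure_text = True
            if tag == "img":
                self.static_images += 1

    def handle_data(self, data):
        if any(w in data.lower() for w in LURE_WORDS):
            self.lure_text = True

def check_page(html):
    """Flag CAPTCHA branding that is not backed by a load from Google."""
    s = _Scan()
    s.feed(html)
    return {"suspicious": s.lure_text and s.genuine_loads == 0,
            "static_images": s.static_images,
            "genuine_loads": s.genuine_loads}

# Constructed samples, not taken from the campaign described above.
FAKE_PAGE = """<h1>404 Not Found</h1>
<div class="box"><img src="img/recaptcha_logo.png">
<span>I'm not a robot</span></div>"""
REAL_PAGE = """<script src="https://www.google.com/recaptcha/api.js"></script>
<div class="g-recaptcha" data-sitekey="SITE_KEY_PLACEHOLDER"></div>"""

if __name__ == "__main__":
    print(check_page(FAKE_PAGE))
    print(check_page(REAL_PAGE))
```

A hit is a triage signal, not a verdict: a legitimate site that proxies or bundles the loader will also be flagged and needs an allow-list entry.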


Phishing attacks at their core are not about technology. They’re about social engineering. They’re about taking advantage of human tendencies. So, whether it’s trying to get you to wipe a hair off your screen, using deceptive links, or tricking you while you read the morning news, hackers will never stop exploiting human nature.


Preventing phishing by expecting humans to not be human is asking a lot. Phishing attacks may be about manipulating human behavior, but stopping them requires anti-phishing technology. Learn how PhishProtection’s Advanced Threat Defense can keep your humans from being phished.