You’ve seen reCAPTCHA. It’s the image verification software that asks you to click on the cars or the crosswalks to verify you’re a human being and not a bot. It’s a service now owned by Google.
Seeing reCAPTCHA software on a website probably gives most people a sense of security. After all, the website is protecting itself from malicious activity with the software. And that’s exactly why hackers have started using reCAPTCHA to launch phishing attacks: it gets you to let your guard down.
According to an article on Help Net Security, “Cyber scammers are starting to use legitimate reCAPTCHA walls to disguise malicious content from email security systems. Sophisticated scammers are starting to use the Google-owned service to prevent automated URL analysis systems from accessing the actual content of phishing pages.”
This is a serious phishing threat. One of the most effective ways to stop phishing attacks is to first run the email through a URL analysis system to assess whether or not the URL leads to a phishing page. This reCAPTCHA tactic keeps that from happening.
Only after you solve the reCAPTCHA are you “redirected to the actual phishing page, which spoofs the appearance of a common Microsoft login page.” So, in effect, the reCAPTCHA shields the phishing page from the phishing protection software.
The article goes on to say “reCAPTCHA based scams make it harder for automated URL analysis to be conducted. Fortunately, there are a number of proactive measures employers and business owners can take to prevent a security breach. Most importantly, users must be educated about the threat so they know to be cautious instead of assuming a reCAPTCHA is a sign that a page is safe.”
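One way a URL analysis step can avoid reading a reCAPTCHA wall as a clean result is to recognize the gate and report the link as unverified. The sketch below is an added example, not code from the article or from any product it mentions; the function names, the verdict labels, the 200-character threshold and the sample pages are all assumptions made for illustration.

```python
from html.parser import HTMLParser

# Hosts that serve the Google reCAPTCHA widget script and iframe.
RECAPTCHA_SRC = ("google.com/recaptcha/", "recaptcha.net/recaptcha/")

# Constructed sample pages (not taken from any real campaign).
GATE_PAGE = ('<html><head><title>Verify</title>'
             '<script src="https://www.google.com/recaptcha/api.js" async defer></script></head>'
             '<body><p>Please confirm you are not a robot.</p><form action="/next" method="post">'
             '<div class="g-recaptcha" data-sitekey="EXAMPLE-SITE-KEY"></div></form></body></html>')
LOGIN_PAGE = ('<html><body><h1>Sign in</h1><form><input type="email" name="u">'
              '<input type="password" name="p"></form></body></html>')

class GateScanner(HTMLParser):
    """Collects reCAPTCHA markers, password fields and visible text length."""
    def __init__(self):
        super().__init__()
        self.has_recaptcha = False
        self.has_password_field = False
        self.visible_chars = 0
        self._skip = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._skip += 1
        if tag in ("script", "iframe") and any(h in a.get("src", "") for h in RECAPTCHA_SRC):
            self.has_recaptcha = True
        if "g-recaptcha" in a.get("class", "").split():
            self.has_recaptcha = True
        if tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.visible_chars += len(data.strip())

def classify_fetch(html, max_gate_text=200):
    """Return 'captcha_gated', 'login_form' or 'analyzed' for one fetched page."""
    s = GateScanner()
    s.feed(html)
    if s.has_recaptcha and not s.has_password_field and s.visible_chars <= max_gate_text:
        return "captcha_gated"  # the scanner never reached the real content
    return "login_form" if s.has_password_field else "analyzed"

# A gated link is treated as unverified, never as clean.
ACTION = {"captcha_gated": "hold_for_review", "login_form": "run_brand_checks", "analyzed": "use_scan_result"}
```

The point of the `captcha_gated` verdict is that the scan was inconclusive: whatever sits behind the wall was not inspected, so the message should not inherit a "clean" score from it.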
For most phishing attacks, URL analysis software like that available from Phish Protection is perfectly fine. It does its job by scanning embedded links in real time to make sure they’re not malicious. And since Phish Protection sets up in 10 minutes and only costs pennies per employee per month, there’s no reason not to get it. But, when it comes to this new sophisticated reCAPTCHA phishing attack, the best possible defense is education. Consider yourself educated.