
Posted by Geraldine Hunt on Wed, Aug 21st, 2019

Most people are familiar with the Google CAPTCHA images used to verify that the user submitting a form is not a bot. These systems stop automated queries and protect an application from spam. Because many users are familiar with the Google CAPTCHA system, attackers use it in phishing attacks.

SMS Two-Factor Vulnerabilities

CAPTCHA phishing isn’t new. Attackers have used it to trick users into installing malware disguised as an Adobe Flash update. The newest attack targets smartphones, especially Android users. A malicious APK, meant to intercept two-factor PIN codes sent to the user during authentication, is uploaded to the user’s Android device. This attack is the latest attempt by attackers to gain access to user credentials even when additional multifactor procedures are used to increase security.

Using SMS in two-factor authentication has recently been under fire as it has some security flaws. The SS7 protocol used to send SMS messages is an older system with interception exploits. With social engineering, attackers can trick a telecom representative into assigning a phone number to their own SIM card. This attack is called SIM hijacking, and it’s been used to empty bank accounts and steal millions in cryptocurrency. This latest attack uses a malicious APK to intercept PIN codes from a user’s smartphone.

With access to a user’s PIN code, an attacker with the user’s account and password can bypass the additional two-factor barrier. This bypass can give the attacker access to sensitive accounts such as banking, medical and work portals. It can also be the first step in gaining access to accounts that can give the attacker further private data.

Stealing SMS PIN Codes Using CAPTCHA Phishing

The latest CAPTCHA attack starts with a phishing email. The user is sent a link that points to an attacker-controlled page written in PHP. The PHP page displays a fake Google reCAPTCHA with familiar images and controls. The images are static, so they do not change, and, unlike the official reCAPTCHA, no sound is supported. The user can click any image and submit it to the PHP page, which launches the next step in the attack.

The PHP page uses the user-agent provided by the browser in the request to determine the type of file that will be sent to the user’s device. If the user-agent indicates Android, the attacker sends a malicious APK file. Any other user-agent value retrieves a zip archive.

The uploaded APK is then used to intercept SMS PIN codes. With these PIN codes, an attacker has a much higher level of access than with sites that use only a username and password to authenticate. An attacker can even take over the email account a user relies on to verify accounts and reset passwords: after stealing the PIN code to reset the email account’s password, the attacker can use that account to obtain additional accounts. In targeted attacks, corporate account details could be leaked that give the attacker access to infrastructure resources.
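The user-agent-dependent delivery described above leaves a recognizable pattern in web proxy logs: one URL that returns an APK to Android browsers and a zip archive to everything else. The following detection sketch is an added example, not part of the original article; the log format, hosts, addresses and the trusted-host list are all constructed assumptions.

```python
# Added example: detect user-agent-dependent file delivery in web proxy logs.
# The log format and every host, path and address below are constructed.
from collections import defaultdict
from urllib.parse import urlsplit

APK = "application/vnd.android.package-archive"
ZIP = "application/zip"

# Constructed sample: time | client | url | user-agent | response content-type
SAMPLE_LOG = """\
09:14:02|10.0.4.21|http://verify.example.net/check.php|Mozilla/5.0 (Linux; Android 9; Pixel 3)|text/html
09:14:20|10.0.4.21|http://verify.example.net/check.php|Mozilla/5.0 (Linux; Android 9; Pixel 3)|application/vnd.android.package-archive
09:31:47|10.0.7.80|http://verify.example.net/check.php|Mozilla/5.0 (Windows NT 10.0; Win64; x64)|application/zip
09:40:11|10.0.7.80|https://downloads.example.org/tools/report.zip|Mozilla/5.0 (Windows NT 10.0; Win64; x64)|application/zip
"""

def parse(log):
    keys = ("time", "client", "url", "ua", "ctype")
    return [dict(zip(keys, line.split("|"))) for line in log.splitlines() if line]

def find_ua_switched_downloads(events):
    """Return {url: sorted clients} for URLs that served an APK to Android
    user-agents and a zip archive to other user-agents."""
    seen = defaultdict(lambda: {"apk": set(), "zip": set()})
    for e in events:
        android = "android" in e["ua"].lower()
        if android and e["ctype"] == APK:
            seen[e["url"]]["apk"].add(e["client"])
        elif not android and e["ctype"] == ZIP:
            seen[e["url"]]["zip"].add(e["client"])
    # Only URLs showing both behaviours match the pattern.
    return {u: sorted(s["apk"] | s["zip"])
            for u, s in seen.items() if s["apk"] and s["zip"]}

def apk_sideload_clients(events, trusted_hosts=("mdm.corp.example",)):
    """Clients that received an APK from a host outside the (hypothetical)
    list of approved app-distribution hosts."""
    return sorted({e["client"] for e in events
                   if e["ctype"] == APK
                   and urlsplit(e["url"]).hostname not in trusted_hosts})

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(find_ua_switched_downloads(events))
    print(apk_sideload_clients(events))
```

Clients returned by either function are candidates for device review and credential resets, since any SMS codes received after the download may have been intercepted.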

Protecting Users Against Phishing

The start of most CAPTCHA attacks is a phishing email. The attacker must be able to trick a user into opening a page that displays a fake reCAPTCHA control. The page can be a local PHP page that runs in a web host instance or on a remote attacker-controlled server. The reCAPTCHA usually contains legitimate images but sound controls don’t function, and no dynamic rotation happens when users choose the wrong image.

Organizations can start by offering documentation or training that helps users identify phishing attacks. This first step has been proven to help reduce successful phishing attacks, but it isn’t enough. Administrators must put cybersecurity systems and detection programs in place to block attacks.

Content filters help with remote website access, but DNS-based filtering stops attacks when the browser performs a domain query. Users are unable to access the domain that hosts the malicious content, so users are blocked, and a notification is sent to the administrator. These notifications can help administrators identify when a targeted phishing attack could be focused on the organization.

Spoofing the Original Sender’s Email Address

Some phishing attacks spoof the original sender’s email address. Users click links from recognizable email senders but don’t know to check email headers for fraudulent messages. Domain-based Message Authentication, Reporting & Conformance (DMARC) is a newer technology that combines encryption and DNS entries to ensure that the sender is the official one. DMARC security quarantines suspicious emails so that an administrator can review them before sending them to a user’s inbox.
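How a DMARC check reaches a quarantine decision for a spoofed sender, as an added example that is not from the original article or from SpamTitan. It is a simplified evaluation after RFC 7489: the `pct`, `sp` and reporting tags are ignored, the organizational domain is approximated by the last two labels, and all domains and records are constructed.

```python
# Added example: simplified DMARC evaluation for one message (after RFC 7489).
# Ignores the pct, sp and reporting tags. All domains/records are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, or None if it is not valid."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # Real implementations consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), anything else = relaxed (same org domain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(from_domain, record, spf, dkim):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain).
    Returns (dmarc_result, requested_action)."""
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return ("none", "no-policy")
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(dom, from_domain, policy.get("adkim", "r"))
                  for res, dom in dkim)
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    return ("fail", policy["p"])

RECORD = "v=DMARC1; p=quarantine; adkim=r; aspf=r"  # constructed policy for example.com

# Spoofed From: SPF passes, but only for the sender's own envelope domain.
SPOOFED = evaluate("example.com", RECORD, ("pass", "mailer.example.net"), [])
# Legitimate mail signed by a subdomain passes under relaxed alignment.
LEGIT = evaluate("example.com", RECORD, ("fail", "example.com"),
                 [("pass", "mail.example.com")])
# The same mail fails when the policy demands strict DKIM alignment.
STRICT = evaluate("example.com", "v=DMARC1; p=reject; adkim=s",
                  ("fail", "example.com"), [("pass", "mail.example.com")])
```

The spoofed case shows why alignment matters: an SPF pass for the envelope domain does nothing for the message unless that domain matches the visible From domain.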

All three of these cybersecurity initiatives should be put into place to avoid successful phishing attacks. Training helps users identify phishing messages, but DMARC and DNS-based filters protect them should they be unable to identify an attack.  

To learn how the DMARC and DKIM functionality works in SpamTitan, contact us today or take a look at our technical SpamTitan anti-phishing information.
