Hackers are using Captcha methods to bypass automated URL analysis, say security researchers at US-based Cofense, in just the latest creative move by cybercriminals to evade traditional malware detection methods.
The technique lets them fire phishing emails en masse in a manner that bypasses secure email gateways, such as Mimecast's.
Cofense identified the technique in a campaign where it was essentially the second phase of a wider network compromise: once the hackers had obtained the login details for one employee's account, they used it to amass as many further credentials as they could by sending emails to other employees.
These emails claim to contain a voip2mail voicemail from a colleague. The message itself is simple in design as seen below.
If someone clicks the link to hear the voice message, they are redirected to a website that immediately asks them to complete a Captcha verification test. Upon passing it, the user is asked to select a Microsoft account and log in. All data entered into this login page is captured by the hacker.
The clever part of this hack is that the Captcha verification test is conducted on a different webpage: passing the Captcha is what triggers the redirect to the page hosting the malicious login form. This layering of a clean page on top of a credential-harvesting login page is what allows normal security scans to be bypassed.
Bypassing Secure Email Gateway
When a secure email gateway (SEG) scanned the website link contained in the voicemail it could only scan as far as the Captcha website, which got a clean bill of health. This effectively blocks the SEG from doing its job through the use of a layered webpage.
Cofense researchers noted: “Both the Captcha application page and the main phishing page are hosted on MSFT infrastructure. Both pages are legitimate Microsoft top level domains, so when checking these against domain reputation databases we receive a false negative and the pages come back as safe.”
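The two failure modes described above (the SEG stopping at the Captcha page, and domain reputation vouching for a page the scanner never reached) can be closed with a small change to how a URL analyser issues verdicts. The following is an added example written for this article, not code from Cofense or any SEG vendor; the sample pages, hostnames and markers are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample landing pages (not taken from the Cofense report).
GATE_PAGE_URL = "https://captcha-host.example/verify"
GATE_PAGE_HTML = """<html><body>
<form action="https://login-harvest.example/signin" method="post">
  <div class="g-recaptcha" data-sitekey="PLACEHOLDER-SITEKEY"></div>
  <button type="submit">Verify you are human to play your voicemail</button>
</form></body></html>"""
PLAIN_PAGE_URL = "https://intranet.example/newsletter"
PLAIN_PAGE_HTML = "<html><body><h1>Team newsletter</h1></body></html>"

# Markers of an interactive challenge that an automated fetch cannot pass.
GATE_MARKERS = ("g-recaptcha", "h-captcha", "cf-challenge", "verify you are human")

@dataclass
class Verdict:
    status: str   # CLEAN, UNVERIFIED (hold for sandbox/analyst review) or SUSPICIOUS
    reason: str

def has_gate(html: str) -> bool:
    """True when the fetched page is a human-only challenge, not the final content."""
    low = html.lower()
    return any(marker in low for marker in GATE_MARKERS)

def gate_target(html: str) -> Optional[str]:
    """Where the challenge form sends a human who passes it (first form action)."""
    m = re.search(r'<form[^>]*\saction="([^"]+)"', html, re.IGNORECASE)
    return m.group(1) if m else None

def assess(url: str, html: str, reputation_is_good: bool) -> Verdict:
    """Reputation of the page the scanner reached must not vouch for one it did not."""
    if not has_gate(html):
        return Verdict("CLEAN" if reputation_is_good else "SUSPICIOUS", "final page reached")
    target = gate_target(html)
    if target and urlsplit(target).hostname != urlsplit(url).hostname:
        # A clean page whose challenge forwards to another host is the layering pattern.
        return Verdict("SUSPICIOUS", f"challenge gate forwards to a different host: {target}")
    return Verdict("UNVERIFIED", "challenge gate blocks automated analysis of the final page")

if __name__ == "__main__":
    for url, html in ((GATE_PAGE_URL, GATE_PAGE_HTML), (PLAIN_PAGE_URL, PLAIN_PAGE_HTML)):
        print(url, assess(url, html, reputation_is_good=True))
```

The point is the verdict vocabulary: a gated page on a well-reputed domain yields UNVERIFIED or SUSPICIOUS, never CLEAN, so the message is held rather than delivered.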