Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Google Security

Google's reCAPTCHA Is Being Used To Hide Phishing Pages (infosecurity-magazine.com) 20

An anonymous reader quotes Infosecurity magazine: New research from Barracuda Networks has revealed that cyber-criminals are increasingly using official reCAPTCHA walls to disguise malicious content from email security systems and trick unsuspecting users... [S]ophisticated scammers are beginning to use the Google-owned service to prevent automated URL analysis systems from accessing the actual content of phishing pages, and to make phishing sites more believable in the eyes of the victim, Barracuda Networks warned.

In fact, the security solutions provider observed a single phishing campaign that sent out 128,000 emails to a variety of organizations and employees using reCAPTCHA walls to conceal fake Microsoft log-in pages. This campaign used the lure of a voicemail receipt to fool users into solving the reCAPTCHA wall before being redirected to the malicious page, with any log-in info entered then sent straight to the scammers.

This discussion has been archived. No new comments can be posted.

Google's reCAPTCHA Is Being Used To Hide Phishing Pages

Comments Filter:
  • by LenKagetsu ( 6196102 ) on Sunday May 03, 2020 @01:41PM (#60018272)

    The current day-0 exploit is and always will be the entity between the keyboard and the chair.

  • by Greyfox ( 87712 ) on Sunday May 03, 2020 @02:10PM (#60018328) Homepage Journal
    Today's Captcha: Click on the tiles that have your social security number in them!
    • Today's Captcha: Click on the tiles that have your social security number in them!

      Not a problem. When you do so, the Captcha will generally fail anyway.

  • by kenh ( 9056 ) on Sunday May 03, 2020 @03:42PM (#60018520) Homepage Journal

    New research from Barracuda Networks has revealed that cyber-criminals are increasingly using official reCAPTCHA walls to disguise malicious content from email security systems

    Isn't that exactly what a reCaptcha is for, to prevent automated systems from accessing protected resources?

  • Each reCAPTCHA user has a bunch of unique site-keys. Google's policies forbid misuse:
    https://policies.google.com/?hl=en However if a vigilant user one discovers a bad web site that is protected by reCAPTCHA and wants to report the misuse - there is no place this can be done. Official Google reCAPTCHA page
    https://www.google.com/recaptcha/intro/v3.html Dev oriented Google reCAPTCHA page
    https://developers.google.com/recaptcha/docs/faq
    None of them have an abuse form or contact.

    I found an obscure googl

news: gotcha

Working...