Google's reCAPTCHA Is Being Used To Hide Phishing Pages (infosecurity-magazine.com)
An anonymous reader quotes Infosecurity magazine:
New research from Barracuda Networks has revealed that cyber-criminals are increasingly using official reCAPTCHA walls to disguise malicious content from email security systems and trick unsuspecting users... [S]ophisticated scammers are beginning to use the Google-owned service to prevent automated URL analysis systems from accessing the actual content of phishing pages, and to make phishing sites more believable in the eyes of the victim, Barracuda Networks warned.
In fact, the security solutions provider observed a single phishing campaign that sent out 128,000 emails to a variety of organizations and employees using reCAPTCHA walls to conceal fake Microsoft log-in pages. This campaign used the lure of a voicemail receipt to fool users into solving the reCAPTCHA wall before being redirected to the malicious page, with any log-in info entered then sent straight to the scammers.
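The summary's point is that an automated URL scanner which stops at the captcha wall sees only the wall, never the page behind it. A defensive scanner can turn that around: a reCAPTCHA gate on a host that is not on the organisation's own allow list, reached from an email whose landing page carries the voicemail-style lure wording, is itself a reason to hold the message for detonation or manual review. The following is an added example written for this page, not Barracuda's or Google's code; the allow-listed host, the lure phrase list, the sample pages and the site key are all constructed placeholders.

```python
"""Flag email-linked landing pages that are a reCAPTCHA gate on an unfamiliar host.

Added example, not code from the article or from Barracuda/Google.  Assumptions
(placeholders): ALLOWED_GATE_HOSTS is an organisation-maintained allow list,
LURE_PHRASES is a small sample word list, and the two HTML pages are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve the genuine reCAPTCHA widget script (documented by Google).
RECAPTCHA_SCRIPT_HOSTS = {"www.google.com", "www.gstatic.com", "www.recaptcha.net"}
# Assumption: hosts where a captcha in front of a login is expected.  Placeholder entry.
ALLOWED_GATE_HOSTS = {"login.microsoftonline.com"}
# Lure wording modelled on the voicemail campaign described above (constructed list).
LURE_PHRASES = ("voicemail", "voice message", "missed call", "verify you are human")


class _Scanner(HTMLParser):
    """Collect script hosts, reCAPTCHA widget markers and visible text."""

    def __init__(self):
        super().__init__()
        self.script_hosts = set()
        self.recaptcha_widget = False
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            # Protocol-relative "//www.google.com/..." also yields a hostname here.
            self.script_hosts.add(urlparse(a["src"]).hostname or "")
        if "g-recaptcha" in (a.get("class") or "").split() or a.get("name") == "g-recaptcha-response":
            self.recaptcha_widget = True

    def handle_data(self, data):
        self.text.append(data.lower())


def analyze_landing_page(url, html):
    """Return findings and a verdict for one fetched landing page."""
    host = urlparse(url).hostname or ""
    scanner = _Scanner()
    scanner.feed(html)
    has_gate = bool(scanner.script_hosts & RECAPTCHA_SCRIPT_HOSTS) or scanner.recaptcha_widget
    text = " ".join(scanner.text)
    lures = [p for p in LURE_PHRASES if p in text]
    unfamiliar = host not in ALLOWED_GATE_HOSTS
    findings = {"host": host, "recaptcha_gate": has_gate, "lure_phrases": lures, "unfamiliar_host": unfamiliar}
    if has_gate and unfamiliar and lures:
        findings["verdict"] = "hold: captcha gate on unfamiliar host with lure wording"
    elif has_gate and unfamiliar:
        findings["verdict"] = "review: captcha gate on unfamiliar host"
    else:
        findings["verdict"] = "pass"
    return findings


# Constructed sample pages (not real phishing content).
SUSPECT_PAGE = """<html><body><p>You have a new voicemail. Please verify you are human to listen.</p>
<form action="/listen" method="post"><div class="g-recaptcha" data-sitekey="EXAMPLE_SITE_KEY"></div>
<script src="https://www.google.com/recaptcha/api.js"></script></form></body></html>"""

CONTACT_PAGE = """<html><body><h1>Contact us</h1><form action="/send" method="post">
<div class="g-recaptcha" data-sitekey="EXAMPLE_SITE_KEY"></div>
<script src="https://www.google.com/recaptcha/api.js"></script></form></body></html>"""

if __name__ == "__main__":
    for url, page in (("https://vm-notice.example.test/listen", SUSPECT_PAGE),
                      ("https://contact.example.test/", CONTACT_PAGE),
                      ("https://login.microsoftonline.com/", CONTACT_PAGE)):
        print(url, "->", analyze_landing_page(url, page)["verdict"])
```

The three tiers matter: a captcha on a page where the organisation expects one passes, a captcha on an unknown host is queued for review, and a captcha on an unknown host that also talks about a voicemail is held. The scanner never tries to solve or bypass the captcha; it only treats the gate as evidence.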
Remember. (Score:3)
The current day-0 exploit is and always will be the entity between the keyboard and the chair.
Today's Captcha (Score:4, Funny)
Today's Captcha: Click on the tiles that have your social security number in them!
Re: (Score:2)
Not a problem. When you do so, the Captcha will generally fail anyway.
Re: (Score:3)
That reCAPTCHA scam is a two-bit computer crime. The real computer criminals run the provider of reCAPTCHAs - and they do it legally too.
Re: (Score:2)
Google should be forced to pay website owners who use their captcha. Think about how many posts get made on 4chan in a day, and realize how many of those had a captcha before them.
Re: (Score:2)
The ultimate click-bait - "Click on the images that look like advertisements."
Re: (Score:3)
Re: (Score:2)
You are de-facto threatened into it because of spammers. If you set up a site that has no captcha or defenses at all, it will be spammed to shit.
Re: (Score:2)
Why? No one is forced to use a captcha at all, let alone the one that Google provides.
Yes you do. If Google detects that you're running a VPN, it requires a Captcha for each search operation. I'm supposing this must be their way of discouraging the use of metrics-foiling VPNs.
Re:Computer crime is so easy! (Score:4, Informative)
1) rent cheapest room you can find or have somebody rent a room for you anywhere on the planet.
2) subscribe to Internet services
3) setup dyndns on the router
4) vpn through it
In the end, dumbly enough, Google simply forces a captcha for IP addresses categorized as server IPs, not residential IPs. They have no way to tell that you are using a VPN.
I have multiple hosted servers and I can only VPN through one of them without getting captcha since there is a mistake in the whois database for that IP and of course, I never asked anybody to fix it. That IP even hosts several websites and that's why I say Google can't detect that you are using a VPN. How could they possibly detect it anyway? It would kind of defeat the purpose of using a VPN, wouldn't it?
I never even once got a captcha while using a VPN through a "residential" IP.
Re: (Score:2)
Or get a better VPN. You know, one that doesn't get abused so much that the IP address is marked as the origin of "bad stuff".
It's why Tor exit nodes and VPNs and other things get blacklisted so easily - everyone and their dog sees it as an effort-free way to hide their tracks and "do bad things".
You don't need to block V
Re: (Score:2)
>Or get a better VPN. You know, one that doesn't get abused so much that the IP address is marked as the origin of "bad stuff".
That's not how modern VPN detection works. How it actually works is via known lists of IPs of data centres. Essentially, as long as your VPN provider wants to provide you with a decent-performance VPN, their exit will have to be on a data centre server somewhere.
And with large entities like Google constantly tracking IP addresses that belong to data centres, they can detect most VPN
Re: (Score:2)
Wow, what an alarming development! (Score:5, Insightful)
New research from Barracuda Networks has revealed that cyber-criminals are increasingly using official reCAPTCHA walls to disguise malicious content from email security systems
Isn't that exactly what a reCaptcha is for, to prevent automated systems from accessing protected resources?
Re: (Score:2)
This made me actually laugh out loud, thank you!
Re: (Score:2)
I hope they never learn about robots.txt files!
reCAPTCHA abuse report triage team ... (Score:1)
https://policies.google.com/?hl=en
However, if a vigilant user discovers a bad web site that is protected by reCAPTCHA and wants to report the misuse, there is no place this can be done.
Official Google reCAPTCHA page: https://www.google.com/recaptcha/intro/v3.html
Dev-oriented Google reCAPTCHA page: https://developers.google.com/recaptcha/docs/faq
None of them have an abuse form or contact.
I found an obscure googl