September 10, 2019 (updated 06 Jul 2022 10:42am)

These Hackers Were Hiding Malware Behind a Captcha

"When checking these against domain reputation databases we receive a false negative and the pages come back as safe."

By CBR Staff Writer

Hackers are using Captcha methods to bypass automated URL analysis, say security researchers at US-based Cofense, in just the latest creative move by cybercriminals to evade traditional malware detection methods.

The technique lets them fire phishing emails en masse in a manner that bypasses secure email gateways, e.g. that of Mimecast.

Cofense identified the move in a campaign where it formed the second phase of a wider network compromise: once the hackers had obtained the login details for one employee's account, they used that account to send emails to other employees in order to amass as many further credentials as they could.

These emails claim to contain a voip2mail voicemail from a colleague. The message itself is simple in design as seen below.

If someone clicks the link to hear the voice message, they are redirected to a website that immediately asks them to complete a Captcha verification test. Once they pass it, they are asked to select a Microsoft account and log in. All data entered into this login page is captured by the hacker.

The clever part of this hack is that the Captcha verification test is conducted on a separate webpage: hitting the Captcha button triggers the redirect to the webpage containing the malware. This layering of a clean page on top of an infected login page is what lets the campaign slip past normal security scans.

Bypassing Secure Email Gateway

When a secure email gateway (SEG) scanned the website link contained in the voicemail email, it could only follow the link as far as the Captcha page, which received a clean bill of health. The layered webpage thus effectively stops the SEG from doing its job.

Cofense researchers noted: “Both the Captcha application page and the main phishing page are hosted on MSFT infrastructure. Both pages are legitimate Microsoft top level domains, so when checking these against domain reputation databases we receive a false negative and the pages come back as safe.”
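The two weaknesses described above (a scanner that stops at the Captcha page and calls it clean, and a reputation lookup that returns "safe" for any page on a trusted cloud domain) can be made concrete in scanner verdict logic. The following is an added example written for this article, not code from Cofense or from any email gateway vendor: a reputation-first verdict is placed beside a content-aware one that refuses to rate a human-verification interstitial as clean and instead marks it inconclusive, so a browser-driven or manual follow-up can reach the page a user would actually see. The reputable host suffix, the gate keyword list and the two sample HTML pages are all constructed for the example; the keyword match is a simple signal, not a description of how Cofense detected the campaign.

```python
import re
from dataclasses import dataclass

# Phrases that mark a human-verification interstitial rather than final content.
# Constructed list for this example; a real scanner would add script, iframe and
# vendor-widget signals.
GATE_MARKERS = ("captcha", "i'm not a robot", "verify you are human")

# Host suffixes a reputation database would return as clean. Constructed placeholder;
# in the campaign described above the pages sat on legitimate Microsoft domains,
# which is exactly why reputation alone produced a false negative.
REPUTABLE_SUFFIXES = (".trusted-cloud.example",)


@dataclass
class Verdict:
    status: str  # "clean", "inconclusive" or "review"
    reason: str


def hostname(url: str) -> str:
    """Return the lowercase host of an http(s) URL, or '' if it does not parse."""
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def reputation_is_clean(url: str) -> bool:
    """Offline stand-in for a domain reputation lookup (constructed)."""
    host = hostname(url)
    return any(host == s[1:] or host.endswith(s) for s in REPUTABLE_SUFFIXES)


def looks_like_gate(html: str) -> bool:
    """True if the fetched body reads as a CAPTCHA-style interstitial."""
    text = html.lower()
    return any(marker in text for marker in GATE_MARKERS)


def has_credential_form(html: str) -> bool:
    """True if the body carries a password field, i.e. a login form."""
    return re.search(r"<input[^>]*type\s*=\s*[\"']?password", html, re.I) is not None


def naive_verdict(url: str, html: str) -> Verdict:
    """Reputation-first logic of the kind the article describes being fooled."""
    if reputation_is_clean(url):
        return Verdict("clean", "host has good reputation")
    return Verdict("review", "host has no reputation")


def hardened_verdict(url: str, html: str) -> Verdict:
    """Content-aware logic: a gate is never 'clean', only 'inconclusive'."""
    if has_credential_form(html):
        return Verdict("review", "credential form served from " + hostname(url))
    if looks_like_gate(html):
        # The crawler stopped at an interstitial; the page a human would reach is unseen,
        # so reputation of the gate's host says nothing about what lies behind it.
        return Verdict("inconclusive", "human-verification gate blocks automated follow-through")
    if reputation_is_clean(url):
        return Verdict("clean", "reputable host and no gate or credential form")
    return Verdict("review", "unknown host; no gate or credential form")


# Constructed sample bodies standing in for the two stages of the campaign described above.
GATE_PAGE = """<html><body><h1>Verification</h1>
<p>Please complete the CAPTCHA to listen to your voicemail.</p>
<form action="/listen"><button>I'm not a robot</button></form></body></html>"""

LOGIN_PAGE = """<html><body><h1>Sign in</h1>
<form method="post"><input name="user" type="email">
<input name="pwd" type="password"><button>Sign in</button></form></body></html>"""

GATE_URL = "https://voicemail-notice.trusted-cloud.example/verify"
LOGIN_URL = "https://voicemail-notice.trusted-cloud.example/login"


if __name__ == "__main__":
    for url, body in ((GATE_URL, GATE_PAGE), (LOGIN_URL, LOGIN_PAGE)):
        print(url, "naive:", naive_verdict(url, body).status,
              "hardened:", hardened_verdict(url, body).status)
```

Run stand-alone, the gate page comes back "clean" from the reputation-first logic and "inconclusive" from the content-aware one; the login page behind it is rated "review" regardless of host reputation, because a credential form on a shared cloud domain is what the scanner needs a human or a full browser session to judge.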
