Cybercriminals are taking advantage of the widespread interest in COVID-19, using reCaptcha walls to lure unsuspecting users.

Cashing in on intense public concern around COVID-19, as well as increased reliance on the Internet with millions of people now working from home, cybercriminals are using a variety of coronavirus-themed phishing campaigns to distribute malware, steal credentials, and scam users out of money.

New research from Barracuda shows a steady increase in the number of COVID-19-related spear-phishing attacks since January 2020, a trend which continues to gather speed as the pandemic continues, up a massive 667% since the end of February.

Phishing campaigns are quickly becoming more sophisticated, with many now using reCaptcha walls to block URL scanning services from accessing the content of phishing pages. The reCaptcha walls prevent email security systems from blocking phishing attacks and make the phishing site more believable in the eyes of the user.

Typically, ReCaptcha walls are used to verify human users before allowing access to web content, but scammers have begun using the Google-owned service to prevent automated URL analysis systems from accessing the actual content of phishing pages.

According to the research, one phishing campaign had sent out more than 128,000 emails to various organizations and employees using reCaptcha walls to conceal fake Microsoft login pages.

CybersecAsia discussed the rise in the use of real reCaptcha Walls in phishing campaigns with James Forbes-May, Vice President, Barracuda, Asia-Pacific:

What are the various ways that cybercriminals are using reCaptcha walls?

Forbes-May: Cybercriminals are using legitimate reCaptcha walls to disguise malicious content from email security systems. They are also used to fool users into thinking a website is authentic.

While some campaigns simply spoof the reCaptcha box, which only contain a checkbox and a form, the use of the actual reCaptcha API is becoming increasingly common. For example, one campaign that Barracuda detected is using this technique to obscure fake Microsoft login pages. The phishing emails contain an HTML attachment that redirects users to a page with a reCaptcha wall. Once the user solves the reCaptcha, they are redirected to the actual phishing page, which spoofs the appearance of a common Microsoft login page.

How is this tactic more effective for cybercrime, and more dangerous to users?

Forbes-May: Cybercrime, particularly phishing scams work by lulling users into a false sense of security. They can do this through many methods, such as brand impersonation through use of email and websites that have been carefully designed to resemble the brand or organisations they claim to be.

The malicious use of reCaptcha is an increasingly common tactic to evade detection, which lulls users into feeling safe and protected, when in fact, it’s quite the opposite. We are so used to solving legitimate reCaptcha forms on websites that we access every day, that we are less likely to ask any questions when one pops up – even somewhere where there wasn’t one before.

This approach is undoubtedly more effective in deterring automated scanners because a fake reCaptcha box could easily be programmatically bypassed by simply submitting the form. Malicious use of real reCaptcha walls helps prevent automated URL analysis systems from accessing the actual content of phishing pages, which also lends more credibility to the phishing site, making users more likely to be tricked.

Why has the COVID-19 pandemic made business users more susceptible to phishing attempts like this?

Forbes-May: With more businesses working from home, the distracted environment creates more potential targets for cybercriminals.  Phishing campaigns are often linked to subject matter designed to lure users into clicking. We are continuing to see COVID-19-related content being used to do this, as scammers make the most of people’s increased interest in health and the virus. We have observed a spike in this type of attack, up 667% since the end of February.

Cybercriminals are incredibly good at leveraging emotions in order to elicit responses to their phishing attempts, and the fear, uncertainty, and even sympathy stemming from the coronavirus COVID-19 situation, attackers have found some key emotions to leverage.

For example, we saw one blackmail attack that claimed to have access to personal information about the victim, know their whereabouts, and threatened to infect the victim and their family with coronavirus unless a ransom was paid. Barracuda Sentinel detected this particular attack 1,008 times over the span of two days.

What tips do you have for users to better protect themselves from reCaptcha wall phishing attacks?

Forbes-May: Raising security awareness with end-user training and spear-phishing simulation to create a “human firewall” is the most important step against malicious reCaptcha walls. This helps educate users on the essentials of staying protected against email-based phishing attacks.

Instead of assuming a reCaptcha is a sign that a page is safe, users should exercise scrutiny when seeing reCaptcha walls, especially in unexpected places where legitimate walls have not been encountered in the past. As with any email-based phishing, checking for suspicious senders, URLs and attachments will help users spot this attack before they get to the reCaptcha.