How attackers are using ‘CAPTCHA’ tests to avoid detection and download malware


A recent technique employed by cyber-attackers to remain undetected and install their malicious software is to use ‘CAPTCHA’ tests (i.e., ‘I am not a robot’ checks). Google’s ‘reCAPTCHA’ is often used, alongside various fake variants.

The tests are very common online, used to stop bots from automating a service, and come in different forms, such as selecting every image that contains a certain object or typing out the distorted text displayed.

Using these validation functions, however, can also prevent security services from rooting out harmful material. Phishing, malware and grayware can be hidden behind the pseudo-checks. 

“Hiding phishing content behind CAPTCHAs prevents security crawlers from detecting malicious content and adds a legitimate look to phishing login pages,” according to a report by Palo Alto Networks’ Unit 42, which has covered the issue in great detail.

Unit 42 found 7,572 unique URLs over 4,088 pay-level domains within the last month using the method.

Increasing prominence of malware and grayware 

Beyond phishing, there has been a rise in scam campaigns and malicious gateways using CAPTCHA evasion.  

“Survey and lottery scams are some of the most common grayware pages”, they say. “In exchange for a fake payment or chance at winning the lottery, the user is lured into disclosing sensitive information, including address, date of birth, banking information, annual income, etc.”

Malware delivery pages abusing CAPTCHAs are also growing in frequency. A recent example involves a suspicious URL that downloads a file when attempting to watch an embedded YouTube video.  

Once the play button is clicked, the browser downloads a file and the site displays a CAPTCHA image on the screen. The browser pops up a warning that the file may be malicious and prompts the user to either ‘Keep’ or ‘Discard’ it.

The site gets around this warning with a fake CAPTCHA that instructs the user to press a series of keys: the sequence ends with the Tab key, which selects ‘Keep’, followed by the Enter key, which confirms the choice and completes the download.

The Gozi banking trojan is then downloaded onto the computer, stealing account credentials, downloading additional malware and executing other commands issued remotely by the attackers. 

More than just preventing detection 

A report by cybersecurity and compliance firm Proofpoint suggests that part of the reason the number of CAPTCHA scams has risen is the work-from-home environment resulting from the pandemic, which ensures that people remain the most critical factor in cyber-attacks.

Proofpoint state in their report that the use of CAPTCHA in attacks registered a fiftyfold increase compared to 2020.

When explaining the use of CAPTCHA in malicious campaigns, they suggest that some threat actors use it to ensure they are delivering malware to a real user rather than to a security sandbox.

Positives for the future 

The Unit 42 research, while suggesting that CAPTCHA scams may be on the rise, also notes that techniques to detect such malicious content are available.

One weakness of this approach is that malicious campaigns reuse CAPTCHA service keys, “either to simplify their malware infrastructure or to avoid being blocked by the legitimate reCAPTCHA provider for creating too many CAPTCHA accounts and keys,” they explained.

In the report commissioned by Palo Alto Networks, an example shows that by observing a page’s sub-requests, the ‘reCAPTCHA API key’ can be parsed out and searched for on other pages, making it possible to find similar pages. The keys can also be extracted from the HTML.
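The “detection by association” described above, as an added example that is not part of the Unit 42 report or this article: it pulls reCAPTCHA site keys out of page HTML (from the widget’s `data-sitekey` attribute and the loader script’s `render=` parameter, which is an assumption about the common embedding forms), groups pages by key, and flags pages sharing a key with one already known to be malicious. The sample pages and keys are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Where a reCAPTCHA site key usually appears in a page (assumption: the common
# v2/v3 embeddings): the widget's data-sitekey attribute, and the render=
# parameter of the api.js loader script.
SITEKEY_ATTR = re.compile(r'data-sitekey\s*=\s*["\']([A-Za-z0-9_-]{30,50})["\']')
RECAPTCHA_SRC = re.compile(r'<script[^>]+src=["\']([^"\']*recaptcha[^"\']*)["\']', re.I)

def extract_recaptcha_keys(html: str) -> set[str]:
    """Return every reCAPTCHA site key found in one HTML document."""
    keys = set(SITEKEY_ATTR.findall(html))
    for src in RECAPTCHA_SRC.findall(html):
        for value in parse_qs(urlparse(src).query).get("render", []):
            if value != "explicit":  # 'explicit' is a mode flag, not a key
                keys.add(value)
    return keys

def cluster_by_key(pages: dict[str, str]) -> dict[str, set[str]]:
    """Group page URLs by the site key they embed (detection by association)."""
    by_key: dict[str, set[str]] = defaultdict(set)
    for url, html in pages.items():
        for key in extract_recaptcha_keys(html):
            by_key[key].add(url)
    return dict(by_key)

def related_to(pages: dict[str, str], known_bad: str) -> set[str]:
    """Other pages that share a site key with a page already known to be malicious."""
    clusters = cluster_by_key(pages)
    hits: set[str] = set()
    for key in extract_recaptcha_keys(pages[known_bad]):
        hits |= clusters.get(key, set())
    hits.discard(known_bad)
    return hits

# Constructed sample pages; the site keys are made-up placeholders, not real ones.
KEY_A = "6Lc" + "A" * 37
KEY_B = "6Lc" + "B" * 37
SAMPLE_PAGES = {
    "http://lure-1.example/login": f'<div class="g-recaptcha" data-sitekey="{KEY_A}"></div>',
    "http://lure-2.example/prize": f'<script src="https://www.google.com/recaptcha/api.js?render={KEY_A}"></script>',
    "http://shop.example/cart": f'<div data-sitekey="{KEY_B}"></div>',
    "http://plain.example/": "<p>no captcha here</p>",
}
```

Starting from a confirmed phishing page, `related_to(SAMPLE_PAGES, "http://lure-1.example/login")` returns the other lure that reuses the same key while leaving the unrelated shop page alone.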

There are other detection methods too, such as: static URL analysis – looking at URL patterns to identify malicious sites; traffic analysis – examining HTML traffic; and content analysis, where the HTML is analysed with tools such as malicious JavaScript analysis.

Unit 42 concluded their report by saying that although “mass phishing and grayware campaigns have become more sophisticated, using evasion techniques to escape detection by automated security crawlers … when malicious actors use infrastructure, services or tools across their ecosystem of malicious websites, we have a chance to leverage these indicators against them. CAPTCHA identifiers are one great example of such detection by association.” 

The key takeaway from this should be to always be wary as to whether the CAPTCHA checks you are doing online are really for a legitimate purpose. Always check the URL of the page to ensure it is not a malicious site disguised as a real one. CAPTCHAs may be abused more frequently, but at the same time the defences against them are also improving.
