Google’s reCAPTCHAs Being Used for Phishing Scams

Users from a Polish financial institution were the target of a clever phishing campaign that used Google’s reCAPTCHA system to generate trust among victims. By using the company’s well-known mechanism, users were lured into the scam, making them think that they were browsing a secure site.

The malicious landing pages were masked with the system developed and used by Google, which is widely deployed across websites and apps to block bots.

How Did It Work?

Email messages were used to deliver a malicious PHP file to the user. This file was responsible for downloading the BankBot malware, as it was commonly named.

Mostly targeting Android users, the trojan was capable of impersonating banking apps, tricking users into exposing their sensitive information. Other mechanisms were also implemented to prompt interaction with the malware, such as sending push notifications and text messages.

According to reports on the BankBot malware, once operational it was also dedicated to stealing private information contained in SMS messages, contact files, and call logs.

Panic/Bait Techniques

In previous articles on this blog, we have mentioned the importance of paying attention to suspicious phishing attacks, which often try to bait us by causing panic.

In reports on the BankBot malware, it was stated that panic/bait techniques were used to attack the targets. Users would receive a quite alarming email designed to redirect them to the phishing landing page. Information about a recent transaction would be used to generate enough panic that the user would click the link and download the PHP file.

The 404 Page

When the user was redirected, he or she would land on a fake 404 page. There, a fake Google reCAPTCHA would appear, generating trust among users and leading them to proceed and browse further.

However, there were some distinguishable red flags in the fake reCAPTCHA used by the malware. First, the same images were used every single time, as the PHP file was unable to fetch new ones. Also, the audio replay feature that works well in the genuine version didn't work properly here.

At this point, the PHP file would determine which type of malware was needed to infect the target user. The options were an .apk file for Android users and a .zip for computers.
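As an added illustration (not part of the original article), the following check applies the two red flags above to a page's HTML from the defender's side: a widget that uses reCAPTCHA branding but is not loaded from Google's own hosts, and a fixed set of challenge images served from the page's own server. The sample pages, the host list and the image-name heuristic are constructed assumptions, not artefacts from the campaign.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hosts a genuine reCAPTCHA widget loads its script from.
GENUINE_RECAPTCHA_HOSTS = {"www.google.com", "www.gstatic.com", "www.recaptcha.net"}


class _WidgetScanner(HTMLParser):
    """Collects script hosts, image sources and reCAPTCHA branding from a page."""

    def __init__(self):
        super().__init__()
        self.script_hosts = []
        self.image_srcs = []
        self.mentions_recaptcha = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_hosts.append(urlparse(a["src"]).netloc.lower())
        elif tag == "img" and a.get("src"):
            self.image_srcs.append(a["src"])
        if any("recaptcha" in str(v).lower() for v in a.values()):
            self.mentions_recaptcha = True

    def handle_data(self, data):
        if "recaptcha" in data.lower():
            self.mentions_recaptcha = True


def assess_recaptcha_page(html):
    """Return red flags for a page that presents itself as a reCAPTCHA challenge."""
    scanner = _WidgetScanner()
    scanner.feed(html)
    genuine_script = any(h in GENUINE_RECAPTCHA_HOSTS for h in scanner.script_hosts)
    # The genuine widget renders its image grid in a Google-served iframe; a copycat
    # that cannot fetch fresh challenges ships fixed image files from its own host.
    local_images = [src for src in scanner.image_srcs
                    if not urlparse(src).netloc and "captcha" in src.lower()]
    flags = []
    if scanner.mentions_recaptcha and not genuine_script:
        flags.append("reCAPTCHA branding without a Google-hosted widget script")
    if local_images:
        flags.append(f"{len(local_images)} challenge images served from the page's own host")
    return {"genuine_script": genuine_script, "local_images": local_images, "flags": flags}


# Constructed sample: a fake 404 page with a self-hosted reCAPTCHA lookalike.
FAKE_404_PAGE = """<html><body><h1>404 Not Found</h1><p>Please verify you are not a robot</p>
<div class="g-recaptcha"><img src="/img/captcha_1.jpg"><img src="/img/captcha_2.jpg">
<img src="/img/captcha_3.jpg"><button onclick="playAudio()">Audio</button></div>
<script src="/js/recaptcha.js"></script></body></html>"""
# Constructed sample: the shape of a genuine embed (site key is a placeholder).
GENUINE_EMBED = """<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<div class="g-recaptcha" data-sitekey="SITE_KEY_PLACEHOLDER"></div>"""
```

Running `assess_recaptcha_page(FAKE_404_PAGE)` reports both flags, while the genuine embed reports none.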

Further Efforts

So far, Google has managed to remove thousands of apps over the last few years that were detected as trojanized with the BankBot malware and similar agents. Efforts to reduce the reach of this malware continue, and multiple reports created by cybersecurity experts have helped to achieve this. However, it is known that the malware's source code was made public three years ago on underground forums, which means that iterations of this trojan are possibly operating right now as we speak.

On the cybercriminals' side, new tactics are being implemented in order to increase the effectiveness of phishing attacks. Good examples are making landing pages look more legitimate by including Google Translate and custom fonts.

Experts insist on the importance of paying attention to odd messages and landing pages. Most panic alerts supposedly coming from banks have a fraudulent nature, so being cautious is always the smartest option.