Menlo Threat Labs Uncovers a Phishing Attack Using Captchas

Menlo Security’s iSOC—our isolation-powered SOC service—identified a credential phishing campaign targeting the hospitality industry. Menlo Labs researchers decided to take a deeper dive into the campaign and I’m glad we did, because it sure turned out to be an interesting one.

We’ve always known that attackers have two primary strategies to increase their probability of success, and they go to great lengths to achieve these goals:

1. Make their credential phishing attacks look legitimate
2. Prevent security researchers and automated tools from detecting their infrastructure.

To make credential phishing attacks look legitimate, attackers need to ensure that:

1. Their emails are sent at the right time.
2. Their credential phishing landing pages look exactly like the web property from which they are trying to steal credentials.
3. The email body is convincing enough to make the user click on the link.

All this requires a certain amount of creativity combined with some serious reconnaissance skills to ensure a higher probability of success. Attackers also need to ensure that security researchers or other automated systems don’t identify their pages/infrastructure. Some of the techniques we’ve observed are:

1. Redirecting pages to legitimate pages if the user is not egressing from a range of IP addresses the attack was intended for.

2. Checking if users geolocation matches the geolocation of the victim enterprise.

The phishing attack that we identified was trying to pose as a Microsoft Office 365 page. Microsoft happens to be the brand that is most phished across our customer base. This is a result of the increased adoption of O365 by many enterprises and cyber criminals are looking to take over legitimate accounts and use them to launch additional attacks within the enterprise.

To defeat automated crawling systems and ensure that a human is interacting with the page, the attackers put the credential phishing page behind layers of visual captchas, so the user would have to click the right set of images to ensure that they are not a bot. The following screenshots show the workflow of the attack. Figure 1 explicitly asks the user to check that they are not a robot. This is common and a lot of websites, such as LinkedIn and Google, prompt users to do the same. Two important things are happening here. The first is that the user is made to think that this is a legitimate site, because their cognitive bias has trained them to believe that checks like these appear only on benign websites. The second thing this strategy does is to defeat automated crawling systems attempting to identify phishing attacks.

Figure 1

Figure 2

In addition to the first check, the attackers have designed two other captchas, in case the first one gets defeated by automated systems. Figure 2 shows the second captcha that appears. This captcha technique requires the human to select all the picture tiles that match bicycles, followed by another captcha in Figure 3 that asks the human to identify all the pictures that match a crosswalk. If all these checks pass, then the user is taken to the final landing page, which attempts to steal the user’s credentials for O365, as seen in Figure 4.

It should be noted, however, that the attackers do not use the same captchas. In our testing we came across at least four different images that were presented.

Figure 3

Figure 4

Conclusion

Phishing is the most prevalent attack vector affecting enterprises. These attacks take advantage of our inherent cognitive biases and fool us into entering our credentials. That bias, combined with the tactics used by attackers, make these attacks very successful.

To learn more about email phishing, download our eBook: Protecting Against Email Threats.