You’re likely familiar with CAPTCHAs, even if you don’t necessarily know their name. They’re the challenge-response tests (CAPTCHA is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart) that most commonly involve asking the user to correctly identify various squiggly letters or numbers that are difficult for a computer to recognize.
Since their invention, many types of CAPTCHA have been developed, ranging from the aforementioned squiggly characters to ones that ask users to answer a simple math problem, identify parts of a picture (such as clicking every segment of an image that features a road sign) or just tick a box to indicate that, yes, you're a human.
The rise of CAPTCHAs reflects the increased use of bots online, carrying out tasks ranging from indexing pages for search engines to abuse such as spamming. CAPTCHAs are not a perfect answer to the question of whether a particular user is or isn't a bot. By design, they slow down the user experience by asking people to solve problems that some users find genuinely difficult.
But there is another, newer threat as well. Cybercriminals have found a way to abuse CAPTCHAs to get malware onto victims' machines while evading automated analysis. The CAPTCHA itself is not being broken; it is used as a gate that a human can pass and an automated scanner cannot, so the scanner never sees the malicious content behind it.
Malicious web links and phishing threats
As reported by Microsoft's Security Intelligence team, a cybercriminal group tracked as CHIMBORAZO has been distributing a malicious Excel document that redirects users to a page containing a Google reCAPTCHA challenge. Once the challenge is solved, the page delivers a password-stealing trojan called GraceWire.
This method of getting users to download malware is particularly effective because it relies on two facts at once. First, automated tooling cannot solve the CAPTCHA. Second, secure email gateways (SEGs) and URL sandboxes that follow links on the recipient's behalf only see what they can reach without solving the challenge. The scanner loads the landing page, finds a CAPTCHA widget and nothing that looks malicious, and classes the link as safe; the human recipient solves the CAPTCHA and receives the payload. Because the download only happens after a human interaction, the delivery both defeats automated detonation and reads to the victim as a routine verification step rather than as a deliberate choice to run an unknown program.
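To make the evasion concrete, here is a small model of a CAPTCHA-gated delivery page and two link scanners run against it. This is an added example written for this article, not code from Microsoft's report or from any vendor product; the site, the token scheme, the HTML and the "MZ" stand-in payload are all constructed. It shows the naive scanner reporting the link clean because every response it can reach is HTML, a gate-aware scanner flagging the page because a protected link bounces back to the challenge, and the human path receiving the executable.

```python
import hashlib
from html.parser import HTMLParser
from typing import List, Optional

# Constructed stand-in for what a victim receives after solving the CAPTCHA:
# it starts with the "MZ" DOS header like a real Windows PE file.
PAYLOAD = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."

# Constructed landing page: a CAPTCHA widget and the download link it protects.
LANDING_HTML = """<html><body>
<form action="/verify" method="post">
  <div class="g-recaptcha" data-sitekey="constructed-site-key"></div>
  <input type="hidden" name="next" value="/download">
  <button>Verify you are human</button>
</form>
<a href="/download">Download document</a>
</body></html>"""


class GatedSite:
    """Model of the server side: the payload is only served with a token that
    proves a CAPTCHA was solved. The token scheme is a constructed stand-in for
    the provider's real verification API."""

    def __init__(self, secret: str = "constructed-server-secret"):
        self.secret = secret

    def solved_token(self) -> str:
        return hashlib.sha256(self.secret.encode()).hexdigest()

    def get(self, path: str, token: Optional[str] = None) -> dict:
        if path == "/":
            return {"status": 200, "type": "text/html", "body": LANDING_HTML}
        if path == "/download":
            if token == self.solved_token():
                return {"status": 200, "type": "application/octet-stream", "body": PAYLOAD}
            # No proof of a solved CAPTCHA: bounce back to the challenge page.
            return {"status": 302, "type": "", "body": b"", "location": "/"}
        return {"status": 404, "type": "", "body": b""}


class LinkAndCaptchaExtractor(HTMLParser):
    """Collects hrefs from a page and notes whether it carries a CAPTCHA widget."""

    def __init__(self):
        super().__init__()
        self.links: List[str] = []
        self.has_captcha = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        cls = attrs.get("class") or ""
        if any(w in cls for w in ("g-recaptcha", "h-captcha", "cf-turnstile")):
            self.has_captcha = True


def is_executable(body: bytes) -> bool:
    # Bare PE header check; a real scanner does far more than this.
    return body[:2] == b"MZ"


def naive_scan(site: GatedSite, url: str = "/") -> str:
    """Follows links and redirects but cannot solve CAPTCHAs, so every
    response it reaches is HTML and nothing looks malicious."""
    seen, queue = set(), [url]
    while queue:
        path = queue.pop()
        if path in seen:
            continue
        seen.add(path)
        resp = site.get(path)
        if resp["status"] == 302:
            queue.append(resp["location"])
        elif resp["type"] == "text/html":
            p = LinkAndCaptchaExtractor()
            p.feed(resp["body"])
            queue.extend(p.links)
        elif is_executable(resp["body"]):
            return "malicious"
    return "clean"


def gate_aware_scan(site: GatedSite, url: str = "/") -> str:
    """Same crawl, but 'CAPTCHA on the page + a link that redirects back to
    the challenge' is reported as an unscannable gate, not as clean."""
    resp = site.get(url)
    if resp["status"] == 200 and resp["type"] == "text/html":
        p = LinkAndCaptchaExtractor()
        p.feed(resp["body"])
        if p.has_captcha:
            for link in p.links:
                probe = site.get(link)
                if probe["status"] == 302 and probe.get("location") == url:
                    return "suspicious: CAPTCHA-gated resource could not be inspected"
    return naive_scan(site, url)


def human_path(site: GatedSite) -> bytes:
    """What the victim gets: solve the CAPTCHA, then fetch the gated file."""
    return site.get("/download", token=site.solved_token())["body"]


if __name__ == "__main__":
    site = GatedSite()
    print("naive scanner:", naive_scan(site))
    print("gate-aware scanner:", gate_aware_scan(site))
    print("human receives executable:", is_executable(human_path(site)))
```

The gate-aware verdict is deliberately "suspicious" rather than "malicious": the scanner still has not seen the payload, and plenty of legitimate sites put downloads behind a challenge. The practical point is that an automated verdict of "clean" on a page whose interesting content sits behind an unsolvable challenge is not evidence of safety, and a gateway should treat it as unknown rather than allow it through.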
This is not the only example of cybercriminals using CAPTCHAs for evasion. In 2019, a phishing campaign sent emails claiming to contain a voicemail from a colleague. When the user clicked the link to retrieve the message, they were first asked to complete a CAPTCHA, ostensibly for security purposes, and then to enter their Microsoft account credentials. Those credentials went straight to the attackers. The CAPTCHA served the same two purposes as above: it kept automated link scanners from reaching the credential-harvesting form, and it made the page look more legitimate to the victim.
Protecting against these attacks
Knowing about these campaigns helps users protect against them. Phishing relies on recipients clicking questionable links or assuming that emails are legitimate without doing the checks they should to confirm the identity of the sender.
Companies should ensure that they provide up-to-date training to employees about best practices, but attacks keep evolving. Phishing scams no longer rely solely on the "spray and pray" technique of sending identical messages to large numbers of people. Instead, they increasingly use personalized information to make emails and other messages appear legitimate.
Users can still protect against scams like the ones above by treating a CAPTCHA as a red flag whenever it appears after opening a document that arrived by email or following an emailed link: a genuine spreadsheet or voicemail does not need you to prove you are human before it will open. Spotting this, however, requires up-to-date information about current threats and the knowledge of security experts who can warn about such techniques early enough for them to be avoided.
Bring in the experts to help
CAPTCHAs aren't going away any time soon. Although they are far from perfect as a security measure, they remain widely used as a way of sorting genuine users from bots. Companies and organizations therefore need to make sure that they are protected against malicious websites. One simple step is keeping web browsers up to date, which closes off the largest number of known browser exploits. Note, though, that the campaigns described here do not depend on a browser flaw at all; they depend on a human solving a challenge and then running a download or typing in a password, so patching alone does not stop them.
Given the scope of the threat, you may also want to go further. The right security systems can inspect users' web traffic at the point where the download actually happens, after the user has passed the challenge, so that a payload invisible to the pre-delivery link scan is still seen when it crosses the network, and endpoint protection can catch the file when it is written to disk or executed. Layered controls of this kind substantially reduce the chance that attacks like the ones above succeed against your organization, even though no tool can guarantee they will never be attempted.
Malware can be devastating to companies, whether it leads to threats such as ransomware or is used to steal passwords and gain illicit access to systems. Fortunately, help is at hand when it comes to protecting against these risks. It is just important that you take the right steps to protect yourself.