A Newly Discovered Phishing Campaign Is Using A Fake Google reCAPTCHA System

• Security researchers from Sucuri published a report on an email-based phishing campaign targeting Android and desktop users.
• The phishing campaigns deploy emails with PHP links containing landing pages with a fake reCAPTCHA system.
• The trojan in the landing page is detected by most antivirus solutions, and it should not pose a threat to desktop users.

Security researchers from Sucuri have discovered a new phishing campaign targeting a Polish bank and its users. The attackers are using a fake version of Google’s reCAPTCHA system to lure unsuspecting users into giving up personal information. The phishing campaign is being conducted via scam emails that contain malicious .PHP files.

The scam emails contain messages stating that certain transactions need to be verified by users. Anyone who opens the PHP links is taken to a landing page that is authenticated by a fake version of the reCAPTCHA system. Seeing Google’s own authentication method being implemented on the page can make victims think the landing page is legitimate.

Image Courtesy of Sucuri

According to Sucuri, the page does a great job of replicating Google’s reCAPTCHA. However, the images shown in the authentication requests are always the same which can raise some suspicions amongst users if they are unable to clear the authentication method at one go. The fake version also does not support audio replay which can also raise some red flags amongst those who are familiar with the platform.

The trojan is detected by various antivirus software, and the developers did not deploy any complex measures to be more secretive. The malware is most commonly seen in Android devices as it is able to view private data like contacts, location, SMS data, call logs and other sensitive information.

With Google changing how the reCAPTCHA system works, users will be familiarized with the new reCAPTCHA 3 system making the current phishing campaign less likely to work. The upcoming revamped version of the authentication system will require no user input and Google will use advanced algorithms to authentication users.

What do you think about the malware using the fake reCAPTCHA system? Let us know in the comments below. Come chat with us on Facebook and Twitter.