Cybersecurity specialists have detected an attack in which threat actors steal Office 365 access credentials using CAPTCHA tests, which are normally used to determine whether the visitors to a website are humans or automated programs (bots). In previous attacks, malicious hackers have proven capable of using these tools to bypass automated tracking systems.
The goal of this attack is to use three CAPTCHA controls to redirect users to a fake Microsoft Office 365 login page.
According to experts at the firm Menlo Security, the threat actors try to make this phishing site look as real as possible, as users often associate CAPTCHA tests with the security of their information. The technique also allows the hackers to bypass automated tracking systems that try to locate phishing attacks on the network.
Using multiple CAPTCHA tests is common: if the first challenge is defeated, the remaining ones, which employ different images, can function as a better security measure. In this case, the user is redirected to a second CAPTCHA that requires them to select, for example, all the image tiles that match bikes, followed by a third CAPTCHA that asks them to identify another image.
In the attack, users who pass all of the CAPTCHA tests implemented by the threat actors are redirected to a phishing site disguised as an Office 365 login page, where their credentials are extracted. Malicious hackers have previously used similar attacks to access Microsoft accounts. Months ago, security specialists also detected a phishing campaign that used sites posing as a subpoena delivery site but actually stole Office 365 users’ credentials.
According to the researchers, this phishing campaign shows that cybercriminals keep improving their tactics for stealing victims’ credentials.