Fake Google reCAPTCHA are spreading targeted towards bank users. The phishing campaign is targeting Polish banking institutions and account holders in an attempt to steal private credentials.
Researchers at Scuri found that hackers were sending phishing emails impersonating confirmations of transactions on users’ accounts along with a link containing a PHP file. The email asks users to confirm their transaction which alerts users to promptly click the malicious link. If users click on the link, instead routing them to a page resembling the bank, they see a fake 404 error page.
Luke Leal at Scuri commented saying:
“This makes it a bit more unique from the phishing content that we typically find, which often consists of a PHP mailer and file(s) used to construct the phishing page itself. In most cases, it’s just a replica of the login page for whatever institution they are targeting.”
The 404 page is targeted towards Google crawlers. Crawling is used by Google find new and unknown pages that exist on the web. Googlebots are constantly searching for new pages and adding them to a known list. So, in this case if crawlers examine the link when it opens they see a 404 error page.
However, if the request to the link passes through, the PHP code opens up a fake Google reCAPTCHA. reCAPTCHA is an authentication method used by Google to tell apart humans from bots, protecting sites from spam.
According to researchers, the fake reCAPTCHA looks very real and does a good job of convincing users its real. However, unlike the real version this does not support audio replay and produces the same images each time.
After the reCAPTCHA is filled and verified, the PHP then decides whether to download a .zip dropper or a malicious APK on the user’s device. To determine which malware to download the PHP checks the user’s browser. If the victim is using Android, a malicious APK file is installed and if the victim is not using Android a .zip dropper is installed.
Leal also stated:
“The malicious directories used in these campaigns are uploaded to a website after it has been compromised. When dealing with this type of malware, it is important to delete the files contained in a complaint., however; we strongly encourage administrators to scan all other existing website files and database for malware as well. You’ll also want to update all of your passwords to prevent the attackers from accessing the environment again”
Contact LIFARS today for phishing attack simulation services on your organization
