Scammers are using a fake Google reCAPTCHA tool in a phishing campaign aimed at high-ranking employees at global organizations in an attempt to snag login credentials.
A security research firm, Zscaler reported last week that it prevented 2,500 Microsoft-themed emails using a fake reCAPTCHA and that the phishing campaign has been going on since December.
Zscaler’s research team called “ThreatLabZ” noted that the targets are usually senior employees in the banking industry. Data Breach Today explains that “The campaign begins with attackers sending victims phishing emails that appear to come from a unified communications system used for streamlining corporate communication. This email contains a malicious email attachment.
Once the victims open the attached HTML file, they are redirected to a .xyz phishing domain which is disguised as a legitimate Google reCAPTCHA page in order to trick the users.
After the reCAPTCHA is verified, the victims are sent to a fake Microsoft login phishing page. Once the victims have entered their login credentials on the attackers’ site, a fake message “validation successful,” is prompted to add legitimacy to the campaign.”
Who is Responsible?
Although Zscaler calls these attacks business email compromise (BEC) incidents, the fact that the sender of the email imitates a commonly used unified communication system, they are unable to identify the specific hacker group responsible.
What are Phishing Campaigns?
Phishing campaigns have been on the rise since early 2020, with the start of the pandemic. Phishing is when a nefarious criminal or hacker group imitates a legitimate company and sends out emails to employees, customers, vendors, or individuals. They use scare tactics to get victims to click a link, enter credentials, offer personal information (used for identity theft and fraud) or download an attachment. Sometimes, the links in a phishing email connect to a spoofed website with malicious software, and when the user clicks, their device is infected with malware or ransomware, creating even more problems.
Over the past year or so, phishing campaigns have been used more frequently and often target company officials. More than 85% of data breaches are caused by phishing emails. These types of attacks are very convincing and compelling, which makes them very dangerous. Employees may get an email that appears to come from their boss, and they could offer up login credentials or other sensitive company information and hit send before realizing that the email address was faked and they just sent private information to a hacker.
Targeted or spear-phishing campaigns are when bad actors use personal information about a specific target to get them to trust and hand over whatever the hacker desires. For example, they may use stolen data breach information on the dark web to identify someone’s password (from another website) and then send it to that person in an email saying their password has been compromised. The person recognizes the old password thinking it must be a legitimate warning. They click without thinking and enter their new password or username directly into the hands of thieves.
The Social Engineering Factor
Social engineering has been honed to a fine art used by various hacker groups. Social engineering is when someone with malicious intent tricks another person into trusting them or believing that they are someone else. Once this bridge of trust is in place, they go in for the kill. Sometimes the ruse is for fraud, and other times it is simply to obtain private information for a larger score later. Stolen credentials earn top dollar on the dark web.
Email attacks are very commonplace, and no individual or company is immune. The best defense is knowing how to deal with phishing campaigns and best practices for email safety.