back to article How CAPTCHAs can cloak phishing URLs in emails

CAPTCHA puzzles, designed to distinguish people from computer code, are being used to separate people from their login credentials. Security firm Avanan on Thursday published its latest analysis of a phishing technique that builds on the internet community's familiarity with CAPTCHA challenges to amplify the effectiveness of …

  1. heyrick Silver badge

    An automated scanner gets stopped at the puzzle.

    Surely the correct behaviour is that content cannot be shown to be safe (for varying degrees of "safe"), then it is not. Teach the thing how to recognise a Captcha, so it'll understand that the link isn't the target, but rather an obfuscated step to the target.

    1. Boothy

      Re: An automated scanner gets stopped at the puzzle.

      Also puzzled by this.

      We use a 3rd party categorisation system at work, web sites are categorised by the 3rd party, and put into categories (Social media, news, vendors, dodgy (pirates etc), pr0n and so on).

      The company decides what categories end users can get access to, rather than specific sites. (Although they can allow or block specific sites if needed).

      Anything else, including anything not categorised yet, is blocked. So unless the target site, after the CAPTCHA, is an allowed site, uses wouldn't be able to get to it anyway.

      So basically all sites are blocked by default, unless vetted and added to an allowed category.

      1. DJO Silver badge

        Re: An automated scanner gets stopped at the puzzle.

        So you have a white list.

        Works a treat if you can guarantee the white listed sites are administered well and will never ever get compromised.

        Can you guarantee that?

        White lists are a good additional precaution but not too good on their own.

        1. my farts clear the room
          Thumb Down

          Re: An automated scanner gets stopped at the puzzle.

          Dinosaur!

          ITYM an ALLOW list

          Lists of colours aren't the modern way.

      2. Prst. V.Jeltz Silver badge

        Re: An automated scanner gets stopped at the puzzle.

        So basically all sites are blocked by default, unless vetted

        well , yes , that would avoid this problem.

        Most companies find that technique too restrictive I'd have thought.

      3. doublelayer Silver badge

        Re: An automated scanner gets stopped at the puzzle.

        If your workers only need the internet for a small set of sites, that should work fine. If they need to do more with it, for example if anyone would ever be expected to do online research which could take them to sources you hadn't known about, it won't work. My employer does not do that because, if they did, I'd have hit it about ten times in the last month and that would be low in comparison to others.

      4. William Towle
        Facepalm

        Re: An automated scanner gets stopped at the puzzle.

        > We use a 3rd party categorisation system at work, web sites are categorised by the 3rd party, and put into categories (Social media, news, vendors, dodgy (pirates etc), pr0n and so on).

        Ah yes, I've encountered two instances of those (probably more than that but these were badly configured):

        At one place freshmeat.net was okay except whenever its front page had release announcements for a particular project which due to complicated mathematics being involved used the word "hardcore" in its description

        At another developers couldn't get to useful information on blogs run by kernel maintainers because they fell under "hacking"

        *Sigh*

    2. ShadowSystems

      Re: An automated scanner gets stopped at the puzzle.

      Given how frequently a computer can solve such items while it simultaneously causes Humans to fail to pass (Is that a tree? Telephone pole? skinny giraffe?) then it is *MORE* likely that an automated script to scan the initial URL could solve it, get past it, wind up on the real page, determine it's a scam, & then block the email as crap.

      It's trivially easy for the computer to OCR a PDF for a URL, then follow the path; if the PDF is password locked then quarrentine the attachment as you would any other virus-posative email.

      The idea that one computer can't figure out how to get past what another computer did is somehow not a very plausible one IMO...

      1. Prst. V.Jeltz Silver badge

        Re: An automated scanner gets stopped at the puzzle.

        "then it is *MORE* likely that an automated script to scan the initial URL could solve it"

        huh?

        "The idea that one computer can't figure out how to get past what another computer did is somehow not a very plausible one"

        Sounds perfectly plausible to me - the first computer has been told the answer! *this* is a giraffe etc.

        Also everytime a computer accepts or declines a password this has happened

        Also when a computer encrypts something this has happened

        1. Prst. V.Jeltz Silver badge

          Re: An automated scanner gets stopped at the puzzle.

          "The idea that one computer can't figure out how to get past what another computer did is somehow not a very plausible one"

          I've tried , I just really cant grasp any sort of logic in that statement from any direction.

  2. Number6

    It comes back to my opinion that HTML email is in itself a security hazard. My system is set up to display plain text and considers the presence of HTML to incline it to bounce a message. Stick to plain text, people, you know it makes sense.

    1. yetanotheraoc Silver badge

      HTML email is in itself a security hazard

      from the article "someone could get an email with an HTML attachment that **when opened** directs the user to a CAPTCHA"

      That's the problem right there. Don't open attachments, problem solved.

      1. Prst. V.Jeltz Silver badge

        Re: HTML email is in itself a security hazard

        couldnt someone also get a plain text email that says

        Go to www capchasRus. com

        they are giving away Massive Yachts!

      2. John Brown (no body) Silver badge

        Re: HTML email is in itself a security hazard

        "That's the problem right there. Don't open attachments, problem solved."

        We're an IT company and trying to convince our own people, especially marketing and HR, of this is like Canute trying to stop the tide. Just the other day I got another missive from security about being careful of "suspicious" email, quite literally followed 5 minutes later by a company announcement in HTML, the text as graphics (FFS!!!) and a link to a sharepoint document with a URL so long I couldn't see it all on my phone so was unable to confirm it went to our own domain. 10 minutes after that came a request for information sent to ALL staff asking for personal information on a form at www.office365.com/something, ie not even our own hosting. Both were confirmed by my boss as genuine company emails.

        Sometimes, you just couldn't make it up!!!

        1. Anonymous Coward
          Anonymous Coward

          Re: HTML email is in itself a security hazard

          > 10 minutes after that came a request for information sent to ALL staff asking for personal information on a form at www.office365.com/something, ie not even our own hosting. Both were confirmed by my boss as genuine company emails.

          I once worked for a large email security SaaS company (who frontend the mailservers for a lot of very large/important companies around the world). About a month into the job I received an email from some external domain containing a link (again external) whih the email said to go to and login with company credentials for online training... I ignored it. A couple of weeks later I received an internal email (from HR?) informing me that I had not yet completed mandatory security training, I relied that as I had ignored the previous (external) email I assumed I'd passed as it had looked like a phishing email. Eventually with a bit of back and forth with different departments it was admitted that whilst it looked like a phishing email (and that no-one was ever notified to expect such a "valid" email from that domain) that is was indeed a valid email from the 3rd party online training company that they used and if I did not follow the link to complete the training I would lose my job. Very much a case of "do as we say, not as we do".

          Also when starting at the same company I was given a laptop with a docking station and wireless keyboard and mouse. A couple of days later I pointed out to the IT guy on-site that it was Microsoft's *unencrypted* wireless keyboard and that the encrypted version didn't cost much more. I also showed him a website with a simple hardware diagram (about $20 of parts) and provided software to log keystrokes from these keyboards from approx 10m range (using a "cantenna"). I then pointed out to him the *public* car parking spaces down the outside wall of our building about 2m from my desk where anyone could potentially sit with such a logging device - he was visably unimpressed and unconcerned.

          Apparently about 2 years later they finally switched to encrypted wireless keyboards...

          Then again the local office of another well known IT security company (known for their opensource pentesting toolkit) have had this office broken into at least twice and on each of the 2 or 3 times I was there for MeetUp events there was no-one manning either their office door or their main officefloor and so I, like everyone else, walked through their openplan office, past whiteboards with company info on them, past multiple desktops (easy to quickly install a physical keylogger) to get to/from their conference room around the corner of their L-shaped building floor (and so their conf room was out of sight of their office). Security? They've heard of it...

    2. vtcodger Silver badge

      A bad idea

      Of course HTML email is a security risk. That was pointed out (and ignored) two and a half decades ago when the notion was first broached.

      Sort of like website scripting is a security risk. But it not only still exists, but is the only possible future for the Web. At least if you believe Google.

      The key to understanding why these dubious ideas are embraced seems to be that the individual/organization at risk is not the one creating the questionable material. It's those trying to use it.

    3. doublelayer Silver badge

      Ah, with plain text, there's no risk. There's no way it could look like this:

      New required training from HR. Please complete this training by the end of this month through our external training provider and acknowledge completion. Take the training here: https://convincingfakeprovidername.training/2In2lc4Z

      With that URL leading to a captcha to throw off a scanner looking for URLs. Are you about to ban them as well? The same tactic can be used by putting the URL and/or link in an attachment, which could be PDF, DOCX, ODT, or HTML itself, whatever is most likely to be opened by a user. Somehow, you assume that having a link that doesn't show the URL makes this worse even though a user can see the URL and all the security training suggests that they do. The users who still don't check would often cheerfully load even very suspicious URLs.

  3. Boothy

    "Given how often the average user fills out a CAPTCHA challenge..."

    How often is this? The statement implies this is a regular thing for 'average' users, but for myself, I get a CAPTCHA very rarely!

    And for ref, I use a lot of different sites and services, forums, gaming wiki's, news sites, banks, distro sites, retailers etc etc. I can't even remember the last time I saw a CAPTCHA, must be at least a couple of months back!

    And I certainly never get them for anything work related.

    Do some people get these a lot?

    1. the spectacularly refined chap Silver badge

      Re: "Given how often the average user fills out a CAPTCHA challenge..."

      How often is this? The statement implies this is a regular thing for 'average' users, but for myself, I get a CAPTCHA very rarely!

      Same here. Except for ID checks that I was expecting (new employers and so on) I can't recall ever jumping through such hoops for either personal or work email.

      In fact asking me to do things like that is a good way to get ignored. The way I figure it is that it was you whom emailed me, so you want MY attention. I get more than enough email as it is so it you want my attention don't throw roadblocks in the way to getting it - that just gives me an excuse to ignore you.

    2. wub

      Re: "Given how often the average user fills out a CAPTCHA challenge..."

      Running Firefox with NoScript set fairly severely along with uMatrix and an unhelpful cookie policy, I see them all the time. There are a number of retailer's sites which simply tell me,

      "Access Denied

      You don't have permission to access "http://www.[our site].com/" on this server.

      Reference #[alphanumeric soup]"

      after I enable first-party Javascript in NoScript and reload the page.

      Their loss.

      Thunderbird set to show plain text only gives me a very interesting view of "modern" email messages. I still remember the first time I ran across a comment section inside the HTML in an "email" message.

    3. wub

      Re: "Given how often the average user fills out a CAPTCHA challenge..."

      Running Firefox with NoScript set fairly severely along with uMatrix and an unhelpful cookie policy, I see them all the time when browsing. There are a number of retailer's sites which simply tell me,

      "Access Denied

      You don't have permission to access "http://www.[our site].com/" on this server.

      Reference #[alphanumeric soup]"

      after I enable first-party Javascript in NoScript and reload the page.

      Their loss.

      Thunderbird set to show plain text only gives me a very interesting view of "modern" email messages. I still remember the first time I ran across a comment section inside the HTML in an "email" message.

      To be more focused on captchas in email, I don't follow the links very often (less often now that I've read >this< article), I can't say I've seen that yet.

    4. Prst. V.Jeltz Silver badge

      Re: "Given how often the average user fills out a CAPTCHA challenge..."

      "Given how often the average user fills out a CAPTCHA challenge..."

      True, also when they do - its not on the front page of a site , It'll be on the login page , behind the login button.

      Any link sent in an email that goes straight to a capcha deserves to be blocked in my opinion

      No legitimate site would send you to a link for their outsourced capcha rather than whatever precedes that on their site.

      1. fidodogbreath

        Re: "Given how often the average user fills out a CAPTCHA challenge..."

        No legitimate site would send you to a link for their outsourced capcha rather than whatever precedes that on their site.

        Google does that on their search page when you hit it from certain VPN endpoints. In their case the challenge is not outsourced, but that's just because they run their own CAPTCHA system.

        1. Charles 9

          Re: "Given how often the average user fills out a CAPTCHA challenge..."

          Can also happen if you hit a Cloudflare-backed site from anywhere strange (a VPN or TOR endpoint, someplace atypical for the site, etc.). Basically, any place that runs the risk of a DDoS, which can be more places than you think.

      2. Emir Al Weeq

        Re: "Given how often the average user fills out a CAPTCHA challenge..."

        I see them all the time as a TOR user. The most recent was about 10 minutes ago visiting theregister.com

        I had to identify "vertical rivers".

        1. Prst. V.Jeltz Silver badge

          Re: "Given how often the average user fills out a CAPTCHA challenge..."

          sounds like hard work

    5. mark l 2 Silver badge

      Re: "Given how often the average user fills out a CAPTCHA challenge..."

      If you don't get many CAPTCHAs that suggest you never block any trackers or 3rd party cookies etc. I do get them frequently, but figure its part of the downside of not letting big tech track me across every site I visit.

      I even have to login to Elreg every time i come on to make a comment as it doesn't remember that I have been using this site for about 20 years.

  4. Paul Crawford Silver badge

    Simpler just to block any CAPTCHA from email links. If that breaks the service then too bad, it is a shit service in the first place.

    If it were for real security then it would have some form of 2FA, so no need for the CAPTCHA in the first place.

  5. Jeff 11

    Given that an email link can be customised to identify an individual recipient's visit it strikes me that there's practically zero legitimate need for a CAPTCHA anyway for any well built system.

    "Avanan, which sells an AI-based service that competes with traditional SEGs, unsurprisingly doesn't think much of these gateways and says it has new evidence to support its claims."

    I have around an equal level of confidence in an AI-based system as a rules-based one: except with rules-based systems you can tell your users with confidence what sort of scams they are and aren't protected against, whereas with AI, it's a case of "most should be filtered out, but watch out for literally anything for those 1-2% of times where the AI doesn't work (yet)".

  6. Eclectic Man Silver badge

    Timing

    Every now and then when logging on to my account to tread 'The Guardian'* newspaper, I get asked to prove I'm not a robot with a 'captcha'. But that is after I have entered my log-on credentials. So maybe just be extra careful about when you are asked to enter your log in details.

    *I suppose this makes me a 'leftie', but I do read the Financial Times occasionally and also the "i". And the BBC, and Astronomy Picture of the Day.

  7. Mike 137 Silver badge

    Paying attention may not be enough

    "That means paying more attention to the URLs associated with CAPTCHA forms"

    In a world where a high proportion of URLs include a path component that's utterly incomprehensible (commonly an apparently random string over 100 chars in length) or are 'shortened', it's largely impossible to identify potentially malicious content before accessing it.

    As far as I'm aware, the only reasonably safe protection is for every request to be passed through an external specialist security proxy that checks its target for malicious content before forwarding it to the requester. And that would include both the request for the CAPTCHA, the request for submitting it and the request in the referral that results. So the automation would not have to compete the CAPTCHA as the user would do that. The automation would instead check the legitimacy of each step in the overall transaction.

    The biggest problem we face on the web is unwitting and often unwarranted trust in content, so something between it and us has to check every request target dynamically for trustworthiness. But these checks must get much more sophisticated than at present. Particularly the tools that check emails are still too crude to avoid large numbers of both false positives and false negatives.

    1. Flightmode

      Re: Paying attention may not be enough

      In a world where a high proportion of URLs include a path component that's utterly incomprehensible...

      Did anyone else read this in The Movie Trailer Voice?

      1. TRT

        Re: Paying attention may not be enough

        Redd Pepper?

        1. Anonymous Coward
          Anonymous Coward

          Re: Paying attention may not be enough

          If that link leads to a CAPTCHA....

    2. Roland6 Silver badge

      Re: Paying attention may not be enough

      >As far as I'm aware, the only reasonably safe protection is for every request to be passed through an external specialist security proxy that checks its target for malicious content before forwarding it to the requester.

      That effectively is what the web access component of a client PC's AV security suite does. Also in addition Chrome and Firefox will block URLs/websites known to their inbuilt security protection schemes.

      Hence as far as I can see the problem is more about the email spam filter not correctly identifying spam and thus the user getting to click on spam attachments and the action being caught by other security system components. So this is just an example of what the security experts around here keep saying: security in depth...

  8. Charlie Clark Silver badge

    What's new?

    Phishing has for a while relied on bouncing users around various URLs in a way that gateways generally can't because the resources required to run browser engines would grind servers to a halt. In such cases, protection is best done in the browser using one of your favourite ad and script blockers. Oh, and routinely providing spam and scam training for employees.

    1. TRT

      Re: What's new?

      Yes. This story, to me, reads as "this is yet another way to prevent automated path trailing to resolve block listed threat sites".

  9. DS999 Silver badge

    Ugh

    One more thing to worry about. I can recall a few times when I was presented with a captcha, then asked for my login/password again. Was I phished, or did the site just have a crappy design?

    Fortunately the only sites using captchas are ones I don't really care about having my password stolen on. It isn't like my bank or brokerage is using them - and I'd immediately switch if they did and tell them why!

    Already I tend to limit or eliminate visits to sites that require captchas because I find them highly annoying, and object to providing free help to train Google's image recognition. Which is why I will usually spend a minute getting the captcha wrong so I can poison Google's database...

    1. Emir Al Weeq

      Re: Ugh

      "I will usually spend a minute getting the captcha wrong so I can poison Google's database"

      So it's not just me who does that. I did wonder if I was wasting my time, but if enough of us do it...

      1. John Brown (no body) Silver badge
        Joke

        Re: Ugh

        "but if enough of us do it..."

        ....Carmageddon when Google release their self-driving cars!!

    2. Anonymous Coward
      Anonymous Coward

      Re: Ugh

      It's better to give them the silent treatment, and block everything involving g-----.

  10. iron

    "To the end-user, this doesn’t seem like phishing but more like a nuisance"

    An email from an unknown party which includes a password protected PDF that claims to be an unsolicited FAX? Well to this end user that screams phishing / virus / scam and would warrant deleting without opening it.

    Obviously there are users who will open it but there are also users who would open the attachment if it was labeled "THIS WILL DESTROY YOUR COMPUTER AND EAT YOUR BRAIN.pdf"

    1. Charles 9

      The problem becomes if the user in the latter case happens to be up top...

  11. John Brown (no body) Silver badge

    tell people...to supply the intelligence automated systems can't quite manage.

    Based on some people I deal with, they are not as intelligent as the automated systems! We're dooooomed!

  12. Anonymous Coward
    Anonymous Coward

    Read all about it.

    Vendor discovers new attack that only their solution can solve.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like