New Phishing Campaign Exploits CAPTCHAS to Target Hospitality Industry: Researchers

essidsolutions

In a world threatened by the health crisis, cyber threats are becoming more targeted and disruptive, and hackers and cybercriminals never seem to rest. Researchers at Menlo Security discovered a new phishing trend in which the attacker uses three CAPTCHAs to get users from the hospitality industry to click malicious links. See how security researchers stopped the credential phishing campaign in its tracks.

Phishing continues to be one of the top cybersecurity concerns for businesses. Though organizations are taking several measures to close the gap, hackers are also adjusting. Details of a CAPTCHA-based credential phishing campaign uncovered by Menlo Security are a clear sign that cybercriminals are getting sneakier and more sophisticated.

The Palo Alto-headquartered security heavyweight discovered an advanced, social engineering-driven phishing campaign that aims to pilfer Microsoft Office 365 user credentials from the hospitality industry through CAPTCHAs.

At its core, a CAPTCHA is a challenge–response test used in computing to tell human requests from machine-driven (bot) requests. The test determines whether the application on which it is deployed will fulfil a request. The challenge may be any of the following:

  • Selecting specific objects in an image grid
  • A simple arithmetic question (addition, subtraction, multiplication, division)
  • Reading a distorted text string and typing it back
  • Ticking a checkbox

The prevalence of CAPTCHAs is not a new phenomenon. Because many well-known companies deploy them on their websites and web applications, their presence, even on a somewhat obscure website, can signal legitimacy. While the use of a CAPTCHA does not guarantee that a website is legitimate (obviously), the human brain tends to associate the two.

This is exactly how cybercriminals have been thriving with phishing scams. To make phishing attacks more believable, the attackers deployed socially engineered landing pages with layers of CAPTCHA-based verification to trick users into taking the phishing bait.

Vinay Pidathala, Director of Security Research at Menlo Security, explained, “Two important things are happening here. The first is that the user is made to think that this is a legitimate site, because their cognitive bias has trained them to believe that checks like these appear only on benign websites. The second thing this strategy does is to defeat automated crawling systems attempting to identify phishing attacks.”


The attack workflow is designed to circumvent automated security systems, which is the main goal of phishers. It is undeniably a creative way to carry out phishing attacks. Menlo’s iSOC, its isolation-powered SOC service designed specifically for such instances, was able to stop this campaign in its tracks before it could cause untold damage.

Attack Workflow

Once the user has cleared the CAPTCHA checks, the landing page they reach is made to look exactly like the Office 365 login page. It may carry red flags such as a misspelled website address or discrepancies in page design, but these are easily missed, since by this point the human brain may already have been ‘engineered’ to think the page is legitimate.

Pidathala concludes, “Phishing is the most prevalent attack vector affecting enterprises. These attacks take advantage of our inherent cognitive biases and fool us into entering our credentials. That bias, combined with the tactics used by attackers, makes these attacks very successful.”


Mitigating the Threat from Phishing Attempts

The easiest way to mitigate phishing is to keep an eye out for red flags such as the following:

  • An unidentified sender
  • A link whose real web address differs from the one displayed (users can check by hovering the cursor over the link)
  • A misspelled web address
  • An unusual time of sending for the email or SMS
  • Suspicious attachments
  • Bad punctuation and grammar
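The two address-related red flags in the list above, a link whose visible text names one domain while its real destination is another, and a domain that is a near-miss spelling of a brand the organization expects, can be checked mechanically before a message reaches an inbox. The following Python is an added example written for this article; it is not code from Menlo Security or from the campaign described. The expected-domain list, the sample email body and the lookalike domains in it are constructed for the illustration, and the registrable-domain helper is a deliberate approximation that does not consult a public-suffix list.

```python
"""Flag link-based phishing red flags in an HTML email body (added example).

Checks every <a> element for:
  * display text that names a different domain than the href's real host,
  * an internationalised (xn--) label, often used to disguise lookalike characters,
  * a destination domain within edit distance 2 of a domain the organisation expects.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains that staff at a fictional hotel legitimately sign in to.
EXPECTED_DOMAINS = {"microsoft.com", "office.com", "microsoftonline.com", "example-hotel.com"}

# Constructed sample email body; the lookalike hosts are invented for this example.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full. Verify your account to keep receiving bookings.</p>
<a href="https://login.micros0ft.com/verify">https://login.microsoftonline.com</a>
<a href="https://www.example-hotel.com/policies">Cancellation policy</a>
<a href="http://xn--micrsoft-5za.com/login">Sign in</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname from a URL, or from bare text that looks like a URL or hostname."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_links(html, expected=EXPECTED_DOMAINS):
    """Return [(href, [reasons])] for every link that shows at least one red flag."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = host_of(href)
        # Only treat the visible text as an address if it looks like one.
        shown = host_of(text) if re.search(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}", text) else ""
        if shown and registrable_domain(shown) != registrable_domain(target):
            reasons.append(f"display text points at {shown} but href goes to {target}")
        if any(label.startswith("xn--") for label in target.split(".")):
            reasons.append("internationalised (xn--) label in destination host")
        reg = registrable_domain(target)
        if reg not in expected:
            for good in sorted(expected):
                if 0 < edit_distance(reg.split(".")[0], good.split(".")[0]) <= 2:
                    reasons.append(f"{reg} is a near-miss of {good}")
                    break
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_EMAIL_HTML):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed body, the first and third links are reported and the genuine hotel link is not. In a mail gateway the same checks would run on every inbound message, with `EXPECTED_DOMAINS` populated from the identity providers and SaaS vendors the organization actually uses.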

Organizations can also deploy spam filters, antivirus, web filters, encryption, monitoring tools, 2FA/MFA and similar controls. Attacks do slip past such automated tools, however, and then pose a threat to the entire organization.

A Webroot study found that 3 out of 10 workers have clicked a phishing link and that 76% of respondents opened an email from an unknown sender. In case an attack slips past the implemented measures, the best bet to thwart phishing attempts is continuous training and keeping individuals updated on recent attack trends and patterns such as the one discovered by Menlo Security.

Prashanth Rajivan, Ph.D., Assistant Professor at the University of Washington, said, “By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture. Additionally, if we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize the ways in which work and personal life get intertwined.”
