
Image: Blake Connally (unsplash)
ANY, a malware analysis platform, processes hundreds of thousands of analysis tasks a month. That volume lets its researchers spot new threats and trends early and report on them promptly.
Attackers increasingly borrow legitimate services to make their campaigns look trustworthy, and this campaign goes a step further by placing a genuine security control in front of the lure. The attack starts conventionally: a spam email, aimed at harvesting Office 365 (O365) credentials, carries a link that the recipient is expected to trust as ordinary, legitimate software.
The credential form itself is hidden behind Cloudflare's captcha challenge. Automated scanners and URL reputation services that follow the link see only the captcha, never the form, so the page is not classified as malicious and emails linking to it pass standard spam filtering.
But that’s just the tip of the iceberg.
Once the target solves the captcha, the kit appends the target's email address to the next request as a GET parameter. A script then derives the organisation's domain from that address and serves a login page customised to look like the organisation's own sign-in portal.
From the login page onward the flow is standard credential harvesting. The victim enters their credentials and is shown an error stating that the credentials do not match; almost immediately they are redirected to a legitimate site, which makes the failure look like a simple typo. Meanwhile the captured credentials have already been sent to the attacker's command-and-control (C2) infrastructure.
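The two-stage flow above (the email handed over as a GET parameter, then the POST-and-redirect harvest) leaves a recognisable trail in web proxy logs. The script below is an added example written for this article, not code from ANY or from the phishing kit. The log format, host names, client addresses and email addresses are constructed for the example, and the set of legitimate Microsoft sign-in hosts is an assumption you would adjust for your own tenant.

```python
"""Hunt for the captcha-gated O365 credential-harvesting chain in proxy logs.

Stage 1: a GET to a non-Microsoft host whose query string carries a corporate
         email address (plain or base64), i.e. the kit is about to build the
         tailored login page for that organisation.
Stage 2: the same client later POSTs to that host and is bounced with a 3xx to
         a real Microsoft sign-in host (the "wrong password, now try the real
         site" trick after the credentials have already been exfiltrated).
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

# Assumption: hosts a genuine O365 sign-in lands on. Requests to these hosts
# legitimately carry emails (login_hint), so they are never treated as stage 1.
LEGIT_SIGNIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "outlook.office.com",
    "www.office.com",
}

# Constructed log format: "<ts> <client_ip> <method> <url> <status> [<location>]"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})(?: (\S+))?$")

# Constructed sample: one victim walking the full chain plus two benign requests.
SAMPLE_PROXY_LOG = [
    # captcha page: nothing suspicious on its own
    "2024-05-02T09:14:03Z 10.0.0.21 GET https://cdn-verify.example/ 200",
    # after the captcha: base64 of jane.doe@contoso.com passed as a GET parameter
    "2024-05-02T09:14:21Z 10.0.0.21 GET https://cdn-verify.example/login?u=amFuZS5kb2VAY29udG9zby5jb20= 200",
    # credentials submitted, victim bounced to the real sign-in page
    "2024-05-02T09:14:39Z 10.0.0.21 POST https://cdn-verify.example/login 302 https://login.microsoftonline.com/",
    # benign: Microsoft itself carries the email as login_hint
    "2024-05-02T09:20:00Z 10.0.0.33 GET https://login.microsoftonline.com/common/oauth2/authorize?login_hint=bob@contoso.com 200",
    # benign: unrelated site, unrelated parameter
    "2024-05-02T09:21:00Z 10.0.0.40 GET https://news.example/?id=42 200",
]


def decode_email(value):
    """Return the email in a query value, accepting plain or base64 (std/urlsafe) encoding."""
    if EMAIL_RE.match(value):
        return value
    try:
        padded = value + "=" * (-len(value) % 4)
        decoded = base64.b64decode(padded, altchars=b"-_", validate=True).decode("ascii")
    except ValueError:  # not base64, bad padding, or decodes to non-ASCII bytes
        return None
    return decoded if EMAIL_RE.match(decoded) else None


def find_email_in_url(url):
    """Return (email, org_domain) for the first query parameter carrying an email, else None.

    The org_domain split is the same derivation the kit performs to pick the branding.
    """
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            email = decode_email(value)
            if email:
                return email, email.rsplit("@", 1)[1].lower()
    return None


def parse_log_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines rather than abort the hunt
    ts, client, method, url, status, location = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": (urlsplit(url).hostname or "").lower(),
            "status": int(status), "location": location}


def detect_credential_phish(lines, corp_domains):
    """Return one alert per stage-1 hit; severity is 'high' when stage 2 is also seen."""
    corp_domains = {d.lower() for d in corp_domains}
    events = [e for e in map(parse_log_line, lines) if e]
    alerts = []
    for i, ev in enumerate(events):
        if ev["method"] != "GET" or ev["host"] in LEGIT_SIGNIN_HOSTS:
            continue
        found = find_email_in_url(ev["url"])
        if not found or found[1] not in corp_domains:
            continue
        email, org_domain = found
        # Stage 2: same client, same host, POST answered by a redirect to a real sign-in host.
        exfil = next(
            (later for later in events[i + 1:]
             if later["client"] == ev["client"] and later["host"] == ev["host"]
             and later["method"] == "POST" and 300 <= later["status"] < 400
             and (urlsplit(later["location"] or "").hostname or "").lower() in LEGIT_SIGNIN_HOSTS),
            None,
        )
        alerts.append({
            "ts": ev["ts"], "client": ev["client"], "host": ev["host"],
            "email": email, "org_domain": org_domain,
            "severity": "high" if exfil else "medium",
            "exfil_ts": exfil["ts"] if exfil else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_phish(SAMPLE_PROXY_LOG, {"contoso.com"}):
        print(alert)
```

Run against the constructed log, only the 10.0.0.21 session is flagged, at high severity because both stages are present; the legitimate login_hint request is ignored because of the host exclusion. In practice the stage-1 signal alone (a corporate email in the query string of an unfamiliar host) is noisy, since SSO redirectors and mail-tracking links do the same, which is why the POST-plus-redirect stage is what should drive the alert priority.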
The captcha also hampers analysis: many automated sandboxes cannot solve it, so they never reach the malicious page and report nothing of interest. This is where ANY's interactive analysis matters: the analyst solves the captcha by hand inside the virtual machine and can then follow the rest of the attack chain and observe its details.
At ANY the importance of security in today's technological landscape is fully understood. A team of experienced professionals continues to deliver up-to-date security solutions that keep organisations protected against an ever-evolving range of threats.