New Office-365 Credential-Phishing Attack, Involving Multiple CAPTCHAs, has the Hospitality Industry Shook!

A recent Office 365 credential-phishing scam has been a topic of concern for quite some time now. The prime target of this attack is the hospitality industry.

This scam employs the use of CAPTCHAs for luring the victims into believing that the entire trick is legitimate.

Well-renowned websites such as Google and LinkedIn use CAPTCHAs regularly. While the use of CAPTCHAs in phishing scams has been a norm for years now, the latest attack showcases the effectiveness of this trick. Moreover, hackers put three different CAPTCHAs before their victims in order for them to land on the phishing landing page. This landing page takes the form of a legitimate Microsoft Office 365 login page.

Menlo Security’s researchers conducted a study on this attack and found two things happening as a part of this trick. Firstly, the abundance of CAPTCHAs gives the impression that the site is secure. Secondly, this move bypasses the automated crawling systems tasked with cracking down on phishing attacks.

As per Vinay Pidathala, Director of Security Research at Menlo Security, the main industries attacked by this scam were tech, insurance, finance, and banking.

As for the use of multiple CAPTCHAs, they act as backups. In case the first one gets caught by the automated systems, others make sure that the attack gets executed successfully.

The first CAPTCHA simply requires the victim to check a box stating “I’m not a robot”. The second one asks them to select a specific number of tiles and the same is the case with the third CAPTCHA. According to researchers, hackers make sure that the CAPTCHAs don’t get repeated.

After going through all these CAPTCHAs, the victim arrives at the landing page, which as mentioned above, appears as an Office 365 login page. Once the victim enters their login credentials, the attackers receive those.

Pidathala mentioned that according to the researchers, the phishing campaign in question might have initiated on September 21, 2020. He also stated that his team’s belief is that even though the campaign should probably still be active, its success rate might have been hindered due to the security vendors working on protecting the users from becoming a target of this attack.

According to the researchers, cybercriminals are continuing to level up their strategies as far as phishing and email-oriented scams are concerned. Researchers have recently identified innovative phishing tactics that involve OAuth2 or similar token-based authorized methods.

Researchers warned people that phishing is the predominant attack vector impacting enterprises. This is due to the fact that this type of scam takes advantage of our cognitive biases to convince us into submitting our login details.

Read next: ESET discovered a new Android spyware that can snoop on users Whatsapp and Telegram data
Previous Post Next Post