CAPTCHAs Are Meant to Improve Online Security, But They’re Being Used to Steal Credentials

If you have ever filled in a website form that asks you to select the images matching a particular label, you have seen a CAPTCHA, a test meant to reduce the amount of bot traffic on the internet. CAPTCHAs are a very effective tool against bot traffic because this sort of task can confuse bots and force them to reveal themselves.

However, a number of hackers and other malicious actors have been using reCAPTCHA products offered by Google to steal credentials from people. This comes from a report recently released by Avanan, which highlights the security issues that can occur when this type of service falls into the wrong hands.

Scammers are basically using CAPTCHAs as a workaround for spam scanners. These scanners are meant to prevent scammers from being able to send emails to their victims in the first place, but by using CAPTCHAs the scammers can trick the scanners, which are bots themselves, into letting them through. Once they get to someone’s inbox, they can send phishing emails, and many of them have tried to get customers to enter their credentials in order to access a PDF that they suggest is rather important.

Google’s reCAPTCHA product is widely trusted, and most scanners let it through because they assume that it is safe. Because your email client is a bot, it cannot solve the CAPTCHA and therefore never gets the chance to scan the contents of the email. This allows a lot of scams to succeed, which goes to show that only educating consumers can help keep these scammers at bay.
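
As an added example (not from the Avanan report or the original article), here is one way a link scanner could avoid the gap described above: when the page it fetched is only a reCAPTCHA challenge, it reports the content as unscanned instead of clean. The function name, verdict labels and sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Loader script locations used by Google's reCAPTCHA widget.
RECAPTCHA_SRC = re.compile(
    r"^(https?:)?//(www\.)?(google\.com|recaptcha\.net)/recaptcha/", re.I)


class _PageFacts(HTMLParser):
    """Collects the few facts the verdict needs from a fetched page."""

    def __init__(self):
        super().__init__()
        self.captcha = False         # reCAPTCHA script or widget present
        self.password_field = False  # credential form visible to the scanner

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and RECAPTCHA_SRC.match(a.get("src", "")):
            self.captcha = True
        if "g-recaptcha" in a.get("class", "").split():
            self.captcha = True
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_field = True


def verdict(html: str) -> str:
    """Hypothetical labels: 'credential-form', 'unscanned', 'no-findings'."""
    facts = _PageFacts()
    facts.feed(html)
    if facts.password_field:
        return "credential-form"  # crude signal: a login prompt is visible
    if facts.captcha:
        # The scanner cannot solve the challenge, so it has not seen the real
        # content. Treating the trusted reCAPTCHA brand as "safe" is the gap.
        return "unscanned"
    return "no-findings"


# Constructed sample pages, not taken from any real campaign.
GATED = ('<html><script src="https://www.google.com/recaptcha/api.js"></script>'
         '<div class="g-recaptcha" data-sitekey="PLACEHOLDER"></div></html>')
PLAIN = "<html><body><p>Quarterly newsletter</p></body></html>"
LOGIN = '<form><input type="text" name="u"><input type="password" name="p"></form>'
```

A gateway that distinguishes "unscanned" from "no-findings" can apply its own policy to challenge-gated links rather than delivering them as if they had been inspected.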

