The Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) is a challenge-response test controlled by a computer system used to determine whether the user of such a system is a person or an automatic program. This is one of the most efficient ways to prevent bots from being used on websites in general.

Although Google applied some changes to prevent these attacks, over time new versions of the hack have appeared capable of successfully dodging this popular security mechanism, even managing to develop a proof of concept (PoC) of this scenario.

The code in this PoC became obsolete over time. However, researcher Nikolai Tschacher managed to modify this code to make it useful with the latest version of reCAPTCHA v2 using Google’s own speech and text API. Tschacher gained more than 95% accuracy in his attack.

In 2018 Google released reCAPTCHA v3 in order to improve the user experience, although the researcher mentions that this new version is still backed by reCAPTCHA v2. The expert published a PoC, in addition to explaining the changes made by Google. Various requests for information have been sent to Google, but the company has not mentioned anything about it.

The automatic resolution of CAPTCHA challenges has become a very popular area of research, even free browser extensions have been developed that help users respond to these tests at the push of a button.

The post Solving CAPTCHA challenges through Google’s voice-to-text conversion mechanism appeared first on Information Security Newspaper | Hacking News.

The goal of this attack is to use three CAPTCHA controls to redirect users to a fake Microsoft Office 365 login page.

According to the experts at the Menlo Security firm, threat actors try to make this phishing site look as real as possible, as users often associate CAPTCHA tests with the security of their information. This attack also allows hackers to bypass automated tracking systems that try to locate phishing attacks on the network.

The implementation of multiple CAPTCHA tests is common, because in case the first challenge is defeated, the rest can function as a better security measure, employing different images. In this case, the user is redirected to a second CAPTCHA that requires them to select, for example, all the image tiles that match bikes, followed by a third CAPTCHA that asks them to identify another image.

In the attack, users who pass all CAPTCHA tests implemented by threat actors are redirected to a phishing site disguised as an Office 365 login page, where their credentials will be extracted. Malicious hackers have previously used similar attacks to access Microsoft accounts. Months ago security specialists also detected a phishing campaign using sites disguised as subpoenas delivering site but actually was stealing Office 365 users’ credentials.

According to the researchers, this phishing campaign shows that cybercriminals keep improving their tactics aiming to steal victims’ credentials.

The post Cybercriminals are using CAPTCHA tests to break into enterprise Office 365 accounts appeared first on Information Security Newspaper | Hacking News.

This does not mean that a CAPTCHA is exempt from any security issue. A report from the security company Cofense reports on a new phishing campaign that, using CAPTCHA boxes, hides a fake Microsoft login page.

According to IT system audit experts, operators of this malicious campaign use CAPTCHA to prevent anti-malware analysis on a system from being performed correctly, so it will not be possible to check if a web page was made to extract visitors’ credentials.

Many companies use Secure Email Gateways (SEG) to scan their incoming emails for malware or indications of other attack variants. The point is that SEG is not sophisticated enough to solve a CAPTCHA and, as this is not a known attack variant, SEG vendors do not have adequate protection.

“SEGs cannot scan the malicious page, only the CAPTCHA code site, which does not contain malicious elements, so the SEG tags it as secure content and allows the user to advance,” the IT system audit experts mention. When the recipient of the email resolves the CAPTCHA challenge, they receive a fake Microsoft login page that will record the login credentials to their company accounts.

Specialists detected that the email address from which the phishing link is sent is an avis.ne.jp email account that has been hijacked by campaign operators. The message is intended to be a notification about a voice mail message; both the phishing page and the CAPTCHA used by the attackers are hosted on Microsoft cloud servers.

These kinds of attacks make it difficult for people or automatic scanners to detect that a page is not legitimate. SEG technology typically focuses on the reputation of the domain from which an email is sent; in this case, because the malware is hosted on a Microsoft cloud server, it is easy for attackers to bypass this protective measure.

Experts in IT system audit from the International Institute of Cyber Security (IICS) say they are concerned about the ability of threat actors to reverse techniques normally used against them to take advantage over their victims. In this case they have taken advantage of the use of CAPTCHA, but they have also been shown to be able to exploit HTTPS encryption, cryptographic signatures and other protective measures to interrupt anti-malware analysis.

The post How CAPTCHA is being used to bypass anti malware security scans and firewalls appeared first on Information Security Newspaper | Hacking News.

In this phishing campaign the attackers are impersonating Google in attacks against banking institutions and their users

Network security and ethical hacking specialists from the International Institute of Cyber Security report the emergence of a new phishing campaign that targets online banking users. Campaign operators are impersonating Google to try to get the victim’s access credentials.

The campaign has impacted a banking institution in Poland and its customers. Attackers have passed the raid as a Google reCAPTCHA system and also use blackmail and intimidation for victims to click on malicious links included in emails sent by campaign operators.

The messages that the attackers send contain fake information about recent transactions with a link to a malicious file. In the message, attackers ask the victim to verify the transactions by clicking on the link.

Although so far this campaign does not seem different from any phishing attacks, network security specialists claim that this campaign is easily distinguishable in its second stage. Instead of redirecting the victim to a replica of the legitimate Web site, the victim finds a fake 404 error page.

The page has a number of specifically defined user agents that are limited to Google crawlers. If the request is not related to the Google crawler, in other words, alternative search engines are in use; then the PHP script instead loads a fake Google reCAPTCHA composed of JavaScript and static HTML.

“The page shows a very good replica of Google’s reCAPTCHA. However, because it is based on static elements, the images shown will always be the same, unless the malicious PHP coding is changed”, network security specialists report. “In addition, unlike legitimate reCAPTCHA, it is not compatible with audio playback”.

The browser agent is then re-verified to determine how the victim has visited the page. Once there, users will find a malicious APK reserved for Android users who complete the CAPTCHA and download the payload.

Some samples of this malicious software have already been analyzed. In most cases it can be found in its Android form and can read the status, location and contacts of a mobile device; Scan and send SMS messages, make phone calls, record audio and steal other sensitive information.

According to specialists in network security, some antivirus solutions have detected this Trojan as banker, BankBot, Evo-Gen, Artemis, among other names.

Last January, network security specialists discovered a phishing campaign related to the Anubis Trojan. The specialists discovered two apps in Google Play (a currency converter and energy saving software) loaded with malware ready to be activated as soon as the user interacted with his device.

Finally, the investigators claim that the malware tried to prevent them from resorting to using a sandbox environment using the motion sensor data to detonate their execution.

The post Fake reCAPTCHA hides malware in Android apps appeared first on Information Security Newspaper | Hacking News.

This algorithm has been tested on dozens of websites

Information security experts developed a machine learning algorithm able to break text-based CAPTCHA controls in a very easy and more accurate way than any previously developed method, as reported by specialists in cybersecurity from the International Institute of Cyber Security.

This new algorithm, developed by a team of specialists from the UK and China, is based on the implementation of a Generative Antagonistic Network (GAN), a special class of artificial intelligence algorithms useful in scenarios where the algorithm does not have access to large amounts of data for learning.

According to experts in cybersecurity, a classification machine learning algorithm usually requires millions of data points to train before it can perform a task with the required accuracy degree.

On the other hand, a GAN algorithm has the advantage of being able to work with a much smaller amount of data to start learning thanks to a GAN using a “generative” complement to produce similar data. The generated data points are then fed to a “solver” algorithm that tries to guess the output.

The experts who developed this algorithm applied the same concept to break the CAPTCHA text, which had only been tested with machine learning algorithms that required large amounts of initial data points.

The researchers mentioned that, in a real environment, an attacker would not be able to generate millions of CAPTCHA in real time without being detected or banned from the website. Therefore, for the investigation only 500 text based CAPTCHA present in 32 of the 50 most visited sites according to Amazon’s Alexa were used.

The data list to train the algorithm includes text CAPTCHA from sites like Wikipedia, Microsoft, EBay and Google.

After compiling and training the “solver” to generate 200k “artificial” CAPTCHA, cybersecurity experts tested their algorithms against multiple text CAPTCHA systems used in the network, which had previously also tested other algorithms.

Researchers say that their method managed to solve text CAPTCHA with 100% accuracy when tested in sites such as Megaupload, Blizzard or Authorize.NET. Experts added that the method also proved to be highly accurate in sites like Amazon, PayPal, Yahoo or Slashdot.

In addition to improving accuracy, researchers report that the GAN algorithm’s solver component they developed is also more efficient and inexpensive than any other method to overcome the CAPTCHA. “The algorithm can solve a CAPTCHA in 0.05 seconds using a desktop PC,” researchers say.

The post CAPTCHA is not enough to stop spambots appeared first on Information Security Newspaper | Hacking News.

Hackers are looking for ways to bypass this security measure

The topic is being discussed in multiple hacking forums hosted on deep and dark web. Threat actors have shown special interest in developing projects to bypass the implementation of the Completely Automated Public Turing Test to tell Computers and Humans Apart, most commonly known as CAPTCHA, as reported by researchers specializing in digital forensics and cybersecurity.

According to experts in digital forensics from the International Institute of Cyber Security, the CAPTCHA is designed to stop automated spam online by requiring users to verify text or images that are only recognizable to humans. Popular CAPTCHA uses include minimizing the effectiveness of bots in deploying distributed denial-of-service (DDoS) attacks, creating email accounts, and purchasing event tickets online. Currently, malicious actors who want to automate these activities or other harmful online operations have a great interest in bypassing the CAPTCHA.

Cybersecurity and digital forensics experts recently discovered a series of discussions among malicious hackers about the bypass of CAPTCHA in an English speaking basic-level Search Engine Optimization (SEO) forum. A threat actor raised the question of how to omit CAPTCHA using Python and Selenium scripts, and members responded with various suggested tips and tactics. Common shared recommendations among threat actors included the use of several legitimate and open-source CAPTCHA bypass services, most of which are designed to help people with visual disabilities or dyslexia.

However, analysts also observed two illicit tools for sale that, according to their developers, are able to bypass CAPTCHA. The first tool appears to be a stolen copy of some social media marketing software that automates friends adding, while the second is a type of SEO software frequently abused by threat actors to spread spam by email or in the comment sections of different platforms.

According to its developers, this second tool is able to “decode” more than 400 types of CAPTCHA in its default form, and supposedly can decode even more variants using a plugin sold separately. The analysts responsible for the investigation have not confirmed that neither of the two tools is capable of performing the announced tasks.

The increase in the frequency with which this issue arises in different forums of black hat hacking has been constant since the middle of last year, but so far there seems to be no evidence that these discussions have motivated any new activity in practice.

Since the CAPTCHA is a vital tool in combating the automation of online malicious activities such as DDoS attacks and spam distribution, the possibility of malicious hackers being able to circumvent the CAPTCHA continues to be the reason for discussion among the cybersecurity community.

Given the level of interest this topic has reached in the deep and dark web forums, digital forensic experts predict that threat actors will continue to seek methods to bypass this program. Organizations that use CAPTCHA to defend their websites and networks must be aware of the ongoing efforts of malicious actors to overlook this test, and if these efforts are successful, they must tailor their security tactics to suit the threat levels.

The post Malicious hackers and their interest in bypassing CAPTCHA appeared first on Information Security Newspaper | Hacking News.