Quote:Researchers are warning of an ongoing Office 365 credential-phishing attack that’s targeting the hospitality industry – and using visual CAPTCHAs to avoid detection and appear legitimate.
CAPTCHAs – commonly utilized by websites like LinkedIn and Google – are a type of challenge–response test used to determine whether or not the user is human, such as clicking on the parts of a grid that have a specific object pictured. Cybercriminals have previously utilized CAPTCHAs as a way to defeat automated crawling systems, ensure that a human is interacting with the page and make the phishing landing page appear legitimate.
Though the use of CAPTCHAS in phishing attacks is nothing groundbreaking, this attack shows that the technique works – so much so that the attackers in this campaign used three different CAPTCHA checks on targets, before finally bringing them to the phishing landing page, which poses as a Microsoft Office 365 log-in page.
“Two important things are happening here,” said researchers with Menlo Security, in a post this week. “The first is that the user is made to think that this is a legitimate site, because their cognitive bias has trained them to believe that checks like these appear only on benign websites. The second thing this strategy does is to defeat automated crawling systems attempting to identify phishing attacks.”
Read more: https://threatpost.com/microsoft-office-...as/159747/
![[-]](https://www.geeks.fyi/images/collapse.png)
