Is reCAPTCHA a new hideout for hackers?
- Palak Mittal
- Apr 30, 2020
Updated: May 3, 2020
Hackers are using Google reCAPTCHA version 3 to hide their phishing attacks.

For those who don't know, a Captcha is one of the Google puzzles that a website asks you to complete to prove that you are a human being and not a robot. I doubt any of us is a big fan of unscrambling a distorted graphic, straining our eyes to read jumbled letters, or selecting only the images of a traffic light.
But again, this helps prevent automated bots from creating bogus accounts or leaving spam comments on a website.
Google reCAPTCHA version 3 has changed the way the Captcha system works. It usually asks you to click on "I'm not a robot" rather than complete the "detecting only the images of the traffic light" puzzle.
According to Barracuda researchers, cybercriminals are deploying Google's reCAPTCHA anti-bot tool in an effort to avoid early detection of malicious campaigns. Additionally, criminals are using reCAPTCHA walls to prevent their phishing pages from being scanned by URL scanning services.
Besides this, the researchers claim that the presence of reCAPTCHA is reassuring for humans, so the phishing site appears more believable.
Barracuda's team points to recent phishing campaigns, which involved sending to over 128,000 email addresses, as an example of the technique in operation.

Actual email
The attack included a voicemail notification, which asked recipients to open the attachment and listen to the voice message that they had missed.

Asking users to complete the "I'm not a robot" task by reCAPTCHA
The attached file is actually an HTML file that redirects the user to a webpage containing Google reCAPTCHA. On completing the reCAPTCHA, the user is redirected to a phishing page, which is made to look like the genuine Microsoft login page but is designed only to steal passwords.

Microsoft login designed to steal passwords
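
A mail-gateway style check for the delivery step described above, as an added example that is not from Barracuda or the original post: it flags HTML attachments that contain almost no visible text and only redirect to an external URL. The function names, the 200-character threshold and the sample message builder are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# JavaScript navigations: location = "...", location.href = "...", location.replace("...")
JS_REDIRECT = re.compile(r"""location(?:\.href)?\s*=\s*["']([^"']+)|location\.(?:replace|assign)\(\s*["']([^"']+)""", re.I)
META_URL = re.compile(r"""url\s*=\s*["']?([^"';]+)""", re.I)

class RedirectFinder(HTMLParser):
    """Collects redirect targets and counts visible text characters."""
    def __init__(self):
        super().__init__()
        self.targets, self.visible, self.in_script = [], 0, False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_script = self.in_script or tag == "script"
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            match = META_URL.search(attrs.get("content") or "")
            if match:
                self.targets.append(match.group(1).strip())
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.targets += [a or b for a, b in JS_REDIRECT.findall(data)]
        else:
            self.visible += len(data.strip())

def flag_redirect_attachments(raw_email, max_visible=200):
    """Return (filename, [urls]) for HTML attachments that are little more than a redirect."""
    findings = []
    for part in message_from_string(raw_email, policy=policy.default).iter_attachments():
        if part.get_content_type() != "text/html":
            continue  # narrowed to attachments declared as text/html
        finder = RedirectFinder()
        finder.feed(part.get_content())
        urls = [t for t in finder.targets if urlparse(t).scheme in ("http", "https")]
        if urls and finder.visible <= max_visible:
            findings.append((part.get_filename(), urls))
    return findings

def build_sample(html):
    """Constructed voicemail-themed message carrying `html` as an attachment."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "New voicemail", "pbx@example.test", "user@example.test"
    msg.set_content("You missed a voice message. Open the attachment to listen.")
    msg.add_attachment(html, subtype="html", filename="voicemail.html")
    return msg.as_string()
```

A hit is a reason to detonate or quarantine the attachment, not a verdict on its own, since the page behind the redirect is exactly what the reCAPTCHA wall keeps URL scanners from seeing.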
Keep in mind that the presence of Google reCAPTCHA doesn't guarantee 100% protection, or that the site it is protecting can be trusted. Additionally, use your judgment before entering any sensitive information.

