Malicious reCAPTCHA Pretending To Be From Google Creates Chaos
Since 1999, Google’s name has resonated to mean “don’t be evil”, with the main goal of collecting all the world’s information and presenting it to everyone in a very digestible way. The search giant has built this good name for two decades now, as the company celebrates its 20th anniversary this 2019. Of course, with popularity and being a household name and dependable brand in the tech industry, there will be people who are motivated to name-drop Google for their own goals. One such incident is the fake reCAPTCHA scam, a malware infection that subjects unsuspecting Android users to a phishing attack without their realizing it.
“If a request passes through the user-agent filter (i.e., the user agent is not Google crawler related) then the PHP code loads a fake Google reCAPTCHA using some static HTML elements and JavaScript. This page does a decent job at replicating the look of Google’s reCAPTCHA, but since it relies on static elements, the images will always be the same unless the malicious PHP file’s coding is changed. It also doesn’t support audio replay, unlike the real version,” explained Luke Leal, Security Analyst at Sucuri, a cybersecurity consulting firm.
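The cloaking behaviour Leal describes (a benign page for Google’s crawler, a static reCAPTCHA look-alike for everyone else) can be checked from the outside by fetching the same URL under two User-Agent strings and comparing what comes back. The script below is an added example written for this article, not code from Sucuri or from the campaign; the User-Agent strings, the sample HTML responses and the fake-widget heuristics are all constructed assumptions.

```python
"""Spot user-agent cloaking that hides a static fake reCAPTCHA from crawlers."""
import re
import urllib.request
from typing import Callable, Dict

# Constructed User-Agent strings: one crawler-like, one Android browser-like.
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Linux; Android 9) AppleWebKit/537.36 Chrome/74.0 Mobile Safari/537.36"

# Heuristics (assumptions): a page that talks about reCAPTCHA but never loads
# Google's widget script, and instead embeds fixed challenge images, is suspect.
RECAPTCHA_WORDS = re.compile(r"recaptcha|I'm not a robot", re.I)
REAL_WIDGET = re.compile(r"https?://www\.google\.com/recaptcha/api\.js", re.I)
STATIC_IMG = re.compile(
    r"<img[^>]+src=[\"'](?!https?://www\.gstatic\.com/recaptcha)[^\"']+\.(?:png|jpe?g)", re.I)

def looks_like_fake_recaptcha(html: str) -> bool:
    """True when the page imitates reCAPTCHA without loading the real widget."""
    return (bool(RECAPTCHA_WORDS.search(html))
            and not REAL_WIDGET.search(html)
            and bool(STATIC_IMG.search(html)))

def check_cloaking(url: str, fetch: Callable[[str, str], str]) -> Dict[str, bool]:
    """fetch(url, user_agent) -> body. Compare crawler and browser views of one URL."""
    crawler_body = fetch(url, CRAWLER_UA)
    browser_body = fetch(url, BROWSER_UA)
    return {
        "cloaked": crawler_body.strip() != browser_body.strip(),
        "fake_recaptcha_to_browsers": looks_like_fake_recaptcha(browser_body),
        "fake_recaptcha_to_crawler": looks_like_fake_recaptcha(crawler_body),
    }

def http_fetch(url: str, user_agent: str) -> str:
    """Real fetcher for live use; the sample run below stays offline."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

# Constructed sample responses standing in for a cloaked site.
SAMPLE = {
    CRAWLER_UA: "<html><body><h1>Welcome</h1><p>Nothing to see.</p></body></html>",
    BROWSER_UA: ("<html><body><div class='g-recaptcha'>I'm not a robot</div>"
                 "<img src='/img/cats1.png'></body></html>"),
}

def sample_fetch(url: str, user_agent: str) -> str:
    return SAMPLE[user_agent]

if __name__ == "__main__":
    print(check_cloaking("https://example.invalid/", sample_fetch))
```

A site that serves the fake widget only to browsers will report both `cloaked` and `fake_recaptcha_to_browsers` as True; a site whose real reCAPTCHA loads `api.js` is not flagged.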
The attack specifically targets the Android mobile platform: one of the phishing-loaded trojan horse files it uses to propagate is in the .apk format. APK is the package format that installs apps on Android, and is by nature an executable file on an Android device. The trojan is also distributed as a zip file, which lets the malware propagate on Windows and even macOS.
The malware’s distinctive capability is intercepting two-factor authentication codes sent over SMS. It hooks directly into the SMS app, records the contents of messages, and transfers them over the network to its authors. The website owners whose sites distribute this trojan are unaware that their own websites are infected. The problem is that not all web owners are programmers or developers themselves, able to check the actual code that runs their websites. These CMS-using web owners need to coordinate with their web hosting provider, which has the facilities to investigate the account and make sure it is not storing or hosting malware.
“The malicious directories used in these campaigns are uploaded to a website after it has been compromised. When dealing with this type of malware, it is important to delete the files contained in a complaint; however, we strongly encourage administrators to scan all other existing website files and database for malware as well. You’ll also want to update all of your passwords to prevent the attackers from accessing the environment again,” said Leal.
We at Hacker Combat want all web owners to be assured of their site’s security. Hence, we offer a Free Website Malware Scanner, now live on Hacker Combat. The free website scanner can help website owners determine whether their website is still clean or has been injected with malware by someone else. An old version of content management software or its plugins can make a site vulnerable to malware injection, so it is prudent to use the free malware scanner we offer, giving website owners a fighting chance to determine their site’s security.