NEWS FROM THE LAB - Tuesday, November 15, 2005

CAPTCHA spam / phish incident Posted by Era @ 11:33 GMT

We have received reports from many different places of apparent phishing messages, including from a couple of Finnish banks, which have also published phishing alerts.

It appears, though, that these phishing messages are always targeted to the domain of the recipient. In other words, if your address is something@example.com, you would receive a message which looks like it's from example.com, with a subject of "example.com ID: something@example.com", urging you to click on a link in order to verify your account details (if you can make this out from the message ... the samples we have received are so obfuscated as to be nearly unintelligible).

So if you work at a bank, the message would appear to be from your bank, but recipients in other organizations would see a message similarly pretending to be from their own organization. Still, it is understandable, and prudent, that the banks issue alerts.

Example CAPTCHA image

As with most phishing messages, these contain a masqueraded link which looks legitimate, but in fact takes you to another site. If you click on the link in one of these phishing messages, you are redirected to a site which opens up the "real" target site in the main window, but in front of this, it throws up a popup with a CAPTCHA — a distorted image which contains text which you are asked to type into a box. A lot of webmail sites use these to prevent automated systems from registering a large number of free accounts; they hope that deciphering the text in the distorted images will be relatively easy for a human, but hard for a computer.
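The two traits described above (a sender and subject built from the recipient's own domain, and a link whose visible text names that domain while its href points elsewhere) are easy to check for mechanically. The following is an added example, not F-Secure's own code or tooling: a small Python filter that parses a message, compares the sender's domain to the recipient's, matches the "domain ID: address" subject shape, and extracts each anchor to compare the host named in the link text with the host in the href. The sample message, its addresses and the IP address in the href are all constructed for this illustration.

```python
"""Flag the domain-targeted phishing pattern: sender domain equals recipient
domain, subject reads "<domain> ID: <recipient>", and a link's visible text
names the recipient's domain while its href goes somewhere else.
Added example; the sample message below is constructed, not a captured one."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it (not 'notexample.com')."""
    return host == domain or host.endswith("." + domain)


def host_in_text(text):
    """Hostname the visible link text appears to name, or '' if it names none."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1) if m else ""


def masqueraded_links(html, expected_domain):
    """Links whose text names expected_domain but whose href host is elsewhere."""
    collector = LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        shown = host_in_text(text)
        actual = (urlparse(href).hostname or "").lower()
        if shown and in_domain(shown, expected_domain) and not in_domain(actual, expected_domain):
            found.append((text, actual))
    return found


def phish_indicators(raw_message):
    """Return the list of indicators this message triggers (empty if none)."""
    msg = message_from_string(raw_message)
    recipient = parseaddr(msg["To"] or "")[1].lower()
    rcpt_domain = recipient.rpartition("@")[2]
    sender_domain = parseaddr(msg["From"] or "")[1].lower().rpartition("@")[2]
    indicators = []
    if rcpt_domain and sender_domain == rcpt_domain:
        indicators.append("sender_domain_matches_recipient")
    subject = (msg["Subject"] or "").strip().lower()
    if subject == f"{rcpt_domain} id: {recipient}":
        indicators.append("subject_is_domain_id_recipient")
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    if masqueraded_links(body, rcpt_domain):
        indicators.append("masqueraded_link")
    return indicators


# Constructed sample: a message in the shape described in the post.
# The href's IP address is from a documentation range, not a real site.
SAMPLE = """From: support@example.com
To: something@example.com
Subject: example.com ID: something@example.com
Content-Type: text/html; charset=utf-8

<p>Please verify your account details:</p>
<a href="http://198.51.100.7/verify.php?u=something">http://www.example.com/verify</a>
"""

if __name__ == "__main__":
    print(phish_indicators(SAMPLE))
```

Any one of the three indicators on its own is weak (plenty of legitimate mail comes from your own domain), but all three together match exactly the campaign described here, which is why the check returns the full list rather than a single verdict.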

In this case, it seems that the phisher is not after your account details at all, but merely trying to get unwitting victims to solve CAPTCHAs for him, apparently so that he can register "throwaway" accounts with a particular Russian webmail provider, probably to be used for spamming. Or rather, was trying, because the sites which hosted the popup pages appear to be gone now.