Clicking “I’m not a robot” on an online form may seem harmless enough, but evidence is emerging that cyber criminals are turning their attention to CAPTCHA tests as a new way to redirect users to pages with malicious intent.

Anna Collard, senior vice-president: content strategy and evangelist for KnowBe4 Africa, says potentially malicious CAPTCHA redirects have been spotted on what should be safe and legitimate web pages, posing a new risk to users and organisations.

CAPTCHA tests (an acronym for Completely Automated Public Turing test) are designed to tell humans and computers apart. They may simply require a user to check a box stating “I’m not a robot”, or they may require the user to type out distorted characters, check squares containing parts of a picture, or click on similar objects in a picture.

Collard says: “Cyber criminals are not only using CAPTCHAs to mask their phishing sites from security scanners, but it appears they are now also using CAPTCHA redirects in phishing mails and as pop-ups on legitimate websites, to dupe users into clicking on a link and sharing sensitive information.”

ThreatLabZ, the Zscaler threat research team, this year observed a new series of Microsoft-themed phishing attacks aimed at senior employees at multiple organisations. The researchers said the phishing links send the victims to a phony reCAPTCHA page to add legitimacy to the campaign, only then forwarding them to a credential harvesting login portal.

Late last year, a phishing attack was spotted by security researchers at Armorblox, purporting to be from Netflix customer support with a payment issue, and using a CAPTCHA landing page before taking the potential victim to a spoofed Netflix login page.

Cyber criminals are becoming more sophisticated and their techniques harder to spot all the time. The last line of defence is a well-prepared and vigilant user who, through continual security awareness training, is always on the lookout for suspicious email content, links and pop-ups that may be the launching point for the next cyberattack.