In this phishing campaign the attackers are impersonating Google in attacks against banking institutions and their users

Network security and ethical hacking specialists from the International Institute of Cyber Security report the emergence of a new phishing campaign that targets online banking users. Campaign operators are impersonating Google to try to get the victim’s access credentials.

The campaign has impacted a banking institution in Poland and its customers. Attackers have passed the raid as a Google reCAPTCHA system and also use blackmail and intimidation for victims to click on malicious links included in emails sent by campaign operators.

The messages that the attackers send contain fake information about recent transactions with a link to a malicious file. In the message, attackers ask the victim to verify the transactions by clicking on the link.

Although so far this campaign does not seem different from any phishing attacks, network security specialists claim that this campaign is easily distinguishable in its second stage. Instead of redirecting the victim to a replica of the legitimate Web site, the victim finds a fake 404 error page.

The page has a number of specifically defined user agents that are limited to Google crawlers. If the request is not related to the Google crawler, in other words, alternative search engines are in use; then the PHP script instead loads a fake Google reCAPTCHA composed of JavaScript and static HTML.

“The page shows a very good replica of Google’s reCAPTCHA. However, because it is based on static elements, the images shown will always be the same, unless the malicious PHP coding is changed”, network security specialists report. “In addition, unlike legitimate reCAPTCHA, it is not compatible with audio playback”.

The browser agent is then re-verified to determine how the victim has visited the page. Once there, users will find a malicious APK reserved for Android users who complete the CAPTCHA and download the payload.

Some samples of this malicious software have already been analyzed. In most cases it can be found in its Android form and can read the status, location and contacts of a mobile device; Scan and send SMS messages, make phone calls, record audio and steal other sensitive information.

According to specialists in network security, some antivirus solutions have detected this Trojan as banker, BankBot, Evo-Gen, Artemis, among other names.

Last January, network security specialists discovered a phishing campaign related to the Anubis Trojan. The specialists discovered two apps in Google Play (a currency converter and energy saving software) loaded with malware ready to be activated as soon as the user interacted with his device.

Finally, the investigators claim that the malware tried to prevent them from resorting to using a sandbox environment using the motion sensor data to detonate their execution.

The post Fake reCAPTCHA hides malware in Android apps appeared first on Information Security Newspaper | Hacking News.

Overview

I used a simple nodejs server that serves a form to collect Google reCaptcha response. The caveat is: the browser must have the same hostname as the real website which is achieved by changing the /etc/hosts file or hosting a DNS server.

app.post('/submit', function(req, res) {
  log('info', `Successful Token: ${req.body['g-recaptcha-response']}`);
  const token = req.body['g-recaptcha-response'];
  const timestamp = new Date();
  saveToken(token, timestamp);
  return res.redirect(`${config.remotehost}:${app.get('port')}/harvest`);
});

On the other hand, I am using a browser automation tool to submit a form which is protected by recaptcha. We need g-recaptcha-response in a hidden field. So when the page is loaded, we awaitfor a valid token:

await validToken(pageLoadedTime)

And this then sends a message to all connected harvestors via websocket:

function validToken(pageLoadedTime) {
    wss.broadcast('needtoken');
    return new Promise((resolve, reject) => {
        (function wait() {
            for (let token of tokens)
                if (token.timestamp.getTime() > pageLoadedTime)
                    resolve(token.token);
            setTimeout( wait, 200 );
        })();
    });
}

We use invisible recaptcha on the harvestor page, because its actions can be programmatically triggered.

<div class="g-recaptcha" data-sitekey="<%= sitekey %>" data-callback="sub" data-size="invisible"></div>
<script>
  function sub(){
    document.getElementById("submit").click();
  }
  var wss = new WebSocket("ws://www.hostname.com:8080", "protocolOne");
  wss.onmessage = function (event) {
    if("needtoken" === event.data) {
      grecaptcha.execute();
    } else {
      console.log("CONNECTED");
    }
  }
</script>

Now, there is a way to farm these valid harvestor sessions such that the first 20 or so recaptcha verifications are bypassed. Now the automated browser window has a valid reCaptcha, it needs to fill the hidden field and call the callback function! Great work Google!

return nightmare
.evaluate((key) => {
    document.getElementById("g-recaptcha-response").innerHTML = key;
    checkoutAfterCaptcha();
}, await validToken(pageLoadedTime))
.wait(2000)
.screenshot('ok.png')
.end();

Source:https://rickyhan.com/jekyll/update/2017/11/10/bypassing-recaptcha.html

The post Hacking Google reCaptcha appeared first on Information Security Newspaper | Hacking News.