SpiderLabs Blog

Dissecting a Phishing Campaign with a Captcha-based URL

Much of the population now does its banking and financial transactions online, and online banking and wire transfers have become a necessity. Recently, we received a phishing email targeting PayPal accounts that uses a captcha to avoid detection.

The email header carries an alarming subject, and the From: address is a spoofed PayPal-lookalike domain.

The Message-ID is also highly suspicious: its domain belongs to the web hosting provider DreamHost, which has no relation to PayPal.


The body of the email claims that a report of unauthorized activity linked to the PayPal account has caused PayPal to limit use of the account.


At the end of the email body, it asks the victim to log in to their PayPal account via a clickable link that leads to the phishing site hxxps://mbj[.]unimap[.]edu[.]my/wp-includes/css/dist/ppllll/
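The three tells above (a brand name in the From: display name but a non-brand sender domain, a Message-ID host unrelated to the sender, and a "log in" link pointing at a WordPress path on an unrelated domain) can be checked mechanically at the mail gateway. The Python below is an added example, not code from the original post or from Trustwave: the sender address, Message-ID host and benign control message are constructed for the example, and the brand list and WordPress path markers are assumptions that a real deployment would tune.

```python
"""Flag From/Message-ID/link anomalies of the kind seen in the PayPal lure."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the message described in the post. The sender
# domain, Message-ID host and timestamp are invented; the link is the one from
# the post, refanged so the URL regex can match it.
PHISH_EMAIL = """\
From: "PayPal Service" <service@paypal-secure-notice.example>
To: victim@example.org
Subject: Your PayPal account is temporarily limited
Message-ID: <20230115120000.abc123@dreamhost.example>
Content-Type: text/plain; charset=utf-8

We have received a report of unauthorized activity linked to your PayPal
account and have limited its use. Please log in to restore access:
https://mbj.unimap.edu.my/wp-includes/css/dist/ppllll/
"""

# Constructed benign control message: brand sender, brand Message-ID, brand link.
LEGIT_EMAIL = """\
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your receipt
Message-ID: <abc123@mx1.paypal.com>
Content-Type: text/plain; charset=utf-8

Thanks for your payment. View it at https://www.paypal.com/activity
"""

# Assumptions for the example; a real filter keys these off the claimed brand.
BRAND = "paypal"
BRAND_DOMAINS = ("paypal.com",)
CMS_PATH_MARKERS = ("/wp-includes/", "/wp-content/", "/wp-admin/")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_brand_host(host):
    """True if host is the brand domain or a subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def host_of(value):
    """Host part of an address or Message-ID such as <id@host>."""
    return value.strip().strip("<>").rpartition("@")[2].lower()


def same_org(a, b):
    """Crude same-organisation test: equal, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def analyze(raw):
    """Return a list of finding strings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_header = str(msg["From"] or "")
    _, from_addr = parseaddr(from_header)
    from_host = host_of(from_addr)
    msgid_host = host_of(str(msg["Message-ID"] or ""))
    claims_brand = BRAND in from_header.lower()

    # Display name says PayPal but the mailbox domain is not PayPal's.
    if claims_brand and not is_brand_host(from_host):
        findings.append(f"from-domain-not-brand:{from_host}")
    # Message-ID is stamped by the originating system; brand mail shares its org.
    if msgid_host and from_host and not same_org(msgid_host, from_host):
        findings.append(f"message-id-host-mismatch:{msgid_host}")

    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if claims_brand and not is_brand_host(host):
            findings.append(f"link-off-brand:{host}")
        # A "log in" link under a WordPress path on a non-brand host is the
        # signature of a kit dropped onto a compromised site.
        if not is_brand_host(host) and any(m in parsed.path for m in CMS_PATH_MARKERS):
            findings.append(f"link-in-cms-path:{url}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyze(sample))
```

The same-organisation test is deliberately naive (it treats `unimap.edu.my` and `edu.my` alike); a production filter should use a public-suffix list, and should treat a From:/Message-ID mismatch as a weak signal on its own, since bulk mail providers legitimately stamp their own Message-ID hosts.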

Upon clicking the link in the email, the browser is redirected to an initial page that presents a captcha before proceeding to the final phishing page.


Looking at the source code of the phishing captcha page, we see it has been padded with text from the French folktale 'Bluebeard' to make the code longer and harder to match with simple signatures.


The captcha check on the phishing page is performed by the script 'signin.js'.


This JavaScript file contains several functions dedicated to captcha checking, including helper routines built on predefined math methods that check the length of the captcha string, match its characters, and generate a new captcha.


Finally, a malicious script 'xscex.js' is responsible for the captcha submission.


The button with id 'xyssubmitsecx' triggers execution of 'xscex.js', which eventually redirects to the actual PayPal phishing page. The button's value is the German phrase "Ich bin kein Roboter", which translates to "I am not a robot".


Using Fiddler, we can also see the exact resource URL of the malicious JavaScript file.


Once the correct captcha has been entered, the page redirects to the final phishing URL, which uses the same domain but a different path:



Looking closer at the source code of the actual PayPal phishing "log-in" page, we see that it also contains word-salad filler text. Interestingly, a comment in the code names the author as 'morpheous'. A hex value also appears at the very beginning of the source of the redirected page.


On further analysis, we found another file, 'xappx.css', that checks for a hex value in the content of a file; this value serves as an indicator of whether the credential input or log-in was a success or failure.
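The artefacts called out in the page analysis above (the script names, the captcha-gated form, the button id and its German label, the author comment and the padding prose) are exactly what a triage script should pull out of a captured page before the indicators go into a blocklist. The Python below is an added example, not code from the original post or from the phishing kit: the HTML it inspects is a constructed stand-in for the captcha page, the padding is a repeated placeholder sentence rather than the real 'Bluebeard' text, and the 1500-character padding threshold is an assumption.

```python
"""Extract triage indicators from a captured phishing page."""
from html.parser import HTMLParser

# Assumption for the example: more than this many characters of visible prose
# on a page that exists only to host a form is treated as padding.
FILLER_THRESHOLD = 1500

# Constructed stand-in for the captcha page; the padding sentence is a
# placeholder, not the folktale text the real page carries.
PADDING = ("There was once a man who had fine houses in town and country "
           "and much silver and gold. ") * 20
CAPTCHA_PAGE = f"""<!-- author: morpheous -->
<html><head><title>Please verify</title>
<script src="signin.js"></script>
<script src="xscex.js"></script>
</head><body>
<p>{PADDING}</p>
<form action="app/captcha" method="post">
  <input type="text" name="captcha">
  <button id="xyssubmitsecx" type="submit" value="Ich bin kein Roboter">Ich bin kein Roboter</button>
</form>
</body></html>"""

# Constructed ordinary login page used as a control.
LOGIN_PAGE = """<html><body><form action="/login" method="post">
<input type="email" name="email"><input type="password" name="password">
<button type="submit">Sign in</button></form></body></html>"""


class PhishPageInspector(HTMLParser):
    """Collects the artefacts a phishing-page triage cares about."""

    def __init__(self):
        super().__init__()
        self.scripts = []       # external script sources
        self.form_actions = []  # where each form posts
        self.inputs = []        # (type, name) of each input
        self.buttons = []       # (id, value) of each button
        self.comments = []      # HTML comments; kit authors often leave them
        self.text_chars = 0     # visible prose, excluding script/style bodies
        self._skip_data = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._skip_data = True
            if a.get("src"):
                self.scripts.append(a["src"])
        elif tag == "style":
            self._skip_data = True
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input":
            self.inputs.append((a.get("type", "text"), a.get("name", "")))
        elif tag == "button":
            self.buttons.append((a.get("id", ""), a.get("value", "")))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_data = False

    def handle_data(self, data):
        if not self._skip_data:
            self.text_chars += len(data.strip())

    def handle_comment(self, data):
        self.comments.append(data.strip())


def inspect_page(html):
    """Return the extracted artefacts plus heuristic flags for one page."""
    p = PhishPageInspector()
    p.feed(html)
    p.close()
    flags = []
    has_captcha = any("captcha" in name.lower() for _, name in p.inputs)
    has_password = any(kind.lower() == "password" for kind, _ in p.inputs)
    # A captcha with no credential field is a gate in front of the real form,
    # which is what keeps automated URL scanners from reaching it.
    if has_captcha and not has_password:
        flags.append("captcha-gate-before-credentials")
    if p.form_actions and p.text_chars > FILLER_THRESHOLD:
        flags.append("padding-text-on-form-page")
    for button_id, value in p.buttons:
        if "robot" in value.lower() or "roboter" in value.lower():
            flags.append(f"captcha-button:{button_id}")
    if any(c.lower().startswith("author") for c in p.comments):
        flags.append("author-comment")
    return {
        "scripts": p.scripts,
        "form_actions": p.form_actions,
        "inputs": p.inputs,
        "buttons": p.buttons,
        "comments": p.comments,
        "text_chars": p.text_chars,
        "flags": flags,
    }


if __name__ == "__main__":
    for name, page in (("captcha", CAPTCHA_PAGE), ("login", LOGIN_PAGE)):
        print(name, inspect_page(page)["flags"])
```

The script names, form action, button id and comment text are the reusable indicators; the padding and captcha-gate flags are heuristics that should feed a score rather than block on their own, since legitimate sites also put bot checks in front of sign-in.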


Complete infection chain:

Email link: hxxps://mbj[.]unimap[.]edu[.]my/wp-includes/css/dist/ppllll/
  -> hxxps://mbj[.]unimap[.]edu[.]my/wp-content/ppllll/app/index
    -> hxxps://mbj[.]unimap[.]edu[.]my/wp-content/ppllll/app/captcha
      -> hxxps://mbj[.]unimap[.]edu[.]my/wp-includes/css/dist/ppllll/app/signin

Investigating the domain hxxps://mbj[.]unimap[.]edu[.]my/, we found that it is a compromised blog site. Hosting phishing pages on compromised legitimate sites is a common technique in phishing attacks, because the domain carries no prior bad reputation.

At the time of analysis, we saw about a dozen samples of the PayPal phishing email, all with the subject "Your PayPal account is temporarily limited" and all containing links to captcha-based phishing pages. Most were seen in January, with one more sample spotted in February.


To wrap up, this analysis outlines an example of captcha-based phishing. While using a captcha in phishing is not new, there has been a recent uptick in its use: phishers are gravitating towards captchas to keep automated phishing-page discovery tools from reaching the credential form. While Trustwave MailMarshal defends against this campaign, obfuscation and evasion of this kind have a long tradition among cybercriminals, which is why defense in depth and layered security controls are essential.

In the end, the last line of defense is often the user behind the keyboard, which is why ongoing security awareness training that includes phishing identification is an essential component of any information security program.
