JavaScript and Captcha Obfuscation

    March 10 2025

    By Rikesh Vekaria

    Key Points

    What you'll learn in this notification

    • Threat operators are embedding anti-analysis measures in CAPTCHA pages to evade detection and frustrate investigation.
    • The malicious pages actively detect security tools and redirect to innocuous destinations when identified, avoiding scrutiny by automated systems.
    • CAPTCHA verification creates a false sense of security for users while preventing security teams from examining the hidden credential-harvesting content.

    Obfuscation Techniques

    Rikesh Vekaria and Mimecast threat researchers have recently identified that threat operators are evolving their phishing tactics by implementing anti-analysis measures within CAPTCHA pages to evade detection and prevent investigation by security professionals. This builds on research from Juniper Labs, which identified two primary CAPTCHA-based phishing approaches. The first compromises legitimate domains that carry real CAPTCHA implementations; the second creates fake CAPTCHA pages that convincingly mimic the Cloudflare Turnstile interface. Both serve as an effective gateway to credential-harvesting pages.

    What makes these campaigns particularly concerning is the implementation of advanced evasion techniques specifically designed to thwart security analysis. Attackers have added code that actively prevents both automated security tools and manual investigation by security professionals.

    The pages detect headless browsers, web-scraping tools and security scanning platforms. When one is identified, the page redirects to an innocuous destination, so automated systems never see the phishing content. In recent detections analyzed by our threat research team, the highlighted code redirects to a blank page, which can also mislead an analyst's first look at the capture.



    [Image: TI-notification-javascript-captcha-obfuscation-img-01.webp (screenshot of the redirect code, blank-page destination highlighted)]

    Another notable feature is interaction prevention: the malicious CAPTCHA pages include JavaScript that disables right-click and blocks the keyboard shortcuts commonly used to inspect a page (F12, Ctrl+Shift+I, Ctrl+U).

    [Image: TI-notification-javascript-captcha-obfuscation-img-02.webp (screenshot of the right-click and keyboard-shortcut blocking code)]
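    To make the two mechanisms above concrete, the following is an added illustration, written for this notification rather than code recovered from the campaign, of how such a page typically implements headless detection, the benign redirect and the shortcut blocking. The fingerprinting signals, the about:blank destination and the /verify.html next hop are assumptions; the samples' own code appears only in the screenshots above. The checks take the objects they inspect as parameters so they can be exercised under Node without a browser.

```javascript
// Added illustration of the anti-analysis pattern described above (not the
// campaign's actual code). The checks take the objects they inspect as
// parameters so they can be run and tested under Node without a browser;
// in a live page they would receive window.navigator and real DOM events.

// Signals that automation-detection code commonly looks at. Each one alone is
// weak evidence (headless modes and privacy tools vary), which is why such
// scripts combine several of them.
function automationIndicators(nav) {
  const ua = String(nav.userAgent || '');
  return {
    webdriver: nav.webdriver === true,                  // WebDriver-controlled browser
    headlessUA: /HeadlessChrome|PhantomJS/i.test(ua),   // default headless user agents
    noPlugins: /Chrome/.test(ua) && !!nav.plugins && nav.plugins.length === 0,
    noLanguages: !nav.languages || nav.languages.length === 0,
  };
}

function isAutomated(nav) {
  return Object.values(automationIndicators(nav)).some(Boolean);
}

// Decide where the visitor goes. 'about:blank' stands in for the innocuous
// page seen in the samples (assumption); phishingPath is the real next hop.
function chooseDestination(nav, phishingPath) {
  return isAutomated(nav) ? 'about:blank' : phishingPath;
}

// Shortcuts the page swallows so the visitor cannot open devtools or view
// source: F12, Ctrl+Shift+I and Ctrl+U, as listed in the notification.
function shouldBlockKey(ev) {
  const key = String(ev.key || '').toUpperCase();
  if (key === 'F12') return true;
  if (ev.ctrlKey && ev.shiftKey && key === 'I') return true;
  if (ev.ctrlKey && !ev.shiftKey && key === 'U') return true;
  return false;
}

// Wire-up as it would appear in the page; guarded so the file also loads under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  document.addEventListener('contextmenu', (e) => e.preventDefault());   // kills right-click
  document.addEventListener('keydown', (e) => { if (shouldBlockKey(e)) e.preventDefault(); });
  const dest = chooseDestination(window.navigator, '/verify.html');      // path is an assumption
  if (dest === 'about:blank') window.location.replace(dest);
}
```

    Note that none of these signals is reliable on its own: a hardened real browser can also report an empty plugin list, and a tuned headless profile can pass every check, which is exactly why a sandbox capture that ends on a blank page should be treated as a detection, not as a clean result.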


    From the end user's perspective, the attack flow appears legitimate. They receive a phishing email with a link to what appears to be a standard CAPTCHA verification page requiring a simple checkbox interaction. Upon completing this seemingly routine verification, they're redirected to a credential harvesting page, typically mimicking Microsoft login screens. The credentials are then captured and exfiltrated to the attacker.

    This technique is particularly effective because it adds a seemingly legitimate human verification step that creates a false sense of security. Most users are accustomed to CAPTCHA challenges and don't recognize them as potential security threats. Meanwhile, the anti-analysis measures prevent security teams from easily examining the page content.

    This evolution in phishing tactics demonstrates how threat actors continue to refine their techniques to evade detection. The implementation of anti-analysis measures specifically targeting security professionals shows a sophisticated understanding of defensive methodologies and a deliberate attempt to complicate incident response.



    Targets:

    Global



    Recommendations

    For security analysts, we recommend the following steps when analyzing a suspected page.

    • Use sandboxing services such as urlscan.io to capture and examine the page's Document Object Model (DOM). Because these pages fingerprint headless browsers, a capture may show only the innocuous redirect target; review the captured scripts for the redirect logic rather than trusting the final screenshot.
    • Fake CAPTCHA pages rely on JavaScript, so key areas to examine are:
      • Code that intercepts keyboard shortcuts or the context menu, which indicates an attempt to manipulate user interaction and block inspection.
      • How the page redirects users; complex or unnecessary redirects can be a sign of obfuscation.
      • Where requests originate and how they are redirected.
      • Heavy JavaScript obfuscation used to hide the page's true functionality.
    • Compare the page with legitimate CAPTCHA pages, looking at:
      • Key HTML tags: identify the tags commonly used in authentic CAPTCHA implementations.
      • JavaScript libraries: check for the standard libraries or scripts that legitimate CAPTCHA services load.
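    The checklist above can be turned into a first-pass static triage of a captured page. The following is an added example written for this notification, not a Mimecast tool: it scans page source (for instance the DOM saved by urlscan.io) for the indicators described in this notification and for the artefacts of a genuine Cloudflare Turnstile embed. The rule set, the two-finding threshold and the two sample pages are constructed assumptions; the Turnstile script URL and the cf-turnstile element come from Cloudflare's public Turnstile documentation.

```javascript
// Added triage helper for the checks listed above (example code, not part of
// the original notification). It scans a page's HTML/JS for the anti-analysis
// and fake-CAPTCHA indicators described in the text. Regexes are heuristics:
// a hit is a reason to look closer, not proof of malice.

// Each rule: a name, a regex and the one-line reason shown to the analyst.
const RULES = [
  { name: 'devtools_shortcut_blocking', reason: 'keydown handler keyed on F12 / Ctrl+Shift+I / Ctrl+U',
    re: /keydown[\s\S]{0,400}?(keyCode\s*={2,3}\s*123|['"]F12['"]|shiftKey[\s\S]{0,80}?['"]I['"]|ctrlKey[\s\S]{0,80}?['"]U['"])/i },
  { name: 'contextmenu_disabled', reason: 'right-click (contextmenu) suppressed',
    re: /(contextmenu[\s\S]{0,200}?preventDefault|oncontextmenu\s*=\s*["']?\s*return\s+false)/i },
  { name: 'automation_check', reason: 'fingerprinting for headless / automation frameworks',
    re: /(navigator\.webdriver|HeadlessChrome|PhantomJS|__nightmare|_Selenium_IDE_Recorder|callPhantom)/ },
  { name: 'redirect', reason: 'script-driven navigation (location.replace/assign/href)',
    re: /(window\.|document\.|top\.)?location(\.href\s*=|\.replace\(|\.assign\(|\s*=\s*['"])/ },
  { name: 'obfuscation', reason: 'eval/atob/unescape/fromCharCode or long escaped/base64 blobs',
    re: /(\beval\(|\batob\(|\bunescape\(|String\.fromCharCode|(\\x[0-9a-f]{2}){8,}|[A-Za-z0-9+\/]{120,}={0,2})/i },
];

// Per Cloudflare's Turnstile docs, a genuine embed loads
// challenges.cloudflare.com/turnstile/v0/api.js and renders into an element
// with class cf-turnstile. Pages showing Cloudflare-style branding without
// both artefacts are look-alikes.
const TURNSTILE_SCRIPT = /https:\/\/challenges\.cloudflare\.com\/turnstile\/v0\/api\.js/;
const TURNSTILE_WIDGET = /class=["'][^"']*\bcf-turnstile\b/;
const CF_BRANDING = /(cloudflare|turnstile|verify you are human|checking your browser)/i;

function turnstileLookalike(html) {
  return CF_BRANDING.test(html) && !(TURNSTILE_SCRIPT.test(html) && TURNSTILE_WIDGET.test(html));
}

// Returns every matching indicator plus a coarse verdict. The threshold of two
// findings is an assumption: a single hit (e.g. one location.href) is common on
// benign pages, several together are not.
function scanPageSource(html) {
  const findings = RULES.filter((r) => r.re.test(html)).map((r) => ({ name: r.name, reason: r.reason }));
  if (turnstileLookalike(html)) {
    findings.push({ name: 'turnstile_lookalike', reason: 'Cloudflare-style branding without the real Turnstile script/widget' });
  }
  return { findings, names: findings.map((f) => f.name), suspicious: findings.length >= 2 };
}

// Constructed sample: the shape of a fake CAPTCHA page's inline script (the
// base64 decodes to https://example.invalid/login, a reserved test domain).
const FAKE_PAGE = `<!doctype html><html><head><title>Just a moment...</title></head><body>
<div class="box"><input type="checkbox" id="v"> Verify you are human <span>Cloudflare</span></div>
<script>
document.addEventListener('contextmenu', function(e){ e.preventDefault(); });
document.addEventListener('keydown', function(e){
  if (e.keyCode === 123 || (e.ctrlKey && e.shiftKey && e.key === 'I') || (e.ctrlKey && e.key === 'U')) e.preventDefault();
});
if (navigator.webdriver || /HeadlessChrome/.test(navigator.userAgent)) { window.location.replace('about:blank'); }
document.getElementById('v').onclick = function(){ window.location.href = atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbG9naW4='); };
</script></body></html>`;

// Constructed sample: a genuine Turnstile embed as documented by Cloudflare
// (the site key is a placeholder).
const GENUINE_PAGE = `<!doctype html><html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body><form action="/login" method="post">
<div class="cf-turnstile" data-sitekey="PLACEHOLDER_SITEKEY"></div>
<button type="submit">Continue</button></form></body></html>`;

console.log('fake page:', scanPageSource(FAKE_PAGE).names);
console.log('genuine page:', scanPageSource(GENUINE_PAGE).names);
```

    Run against the constructed fake page the scanner reports all six indicators, while the genuine embed reports none. Expect false positives on real sites that inline large data: URIs or use atob legitimately; the value of the scan is in the combination of findings and in pointing the analyst at the exact script to read.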

