Inside the Rise of Clone Phishing and CAPTCHA-Based Social Engineering

In our previous two posts, The ABC’s of Ishing and From Lure to Breach, we broke down the foundational tactics used by cybercriminals to deceive users and gain unauthorized access. This follow-up report expands on that foundation by exploring three evolving phishing threats that go beyond traditional email lures: clone phishing, deepfake phishing, and Captcha phishing.

1. Clone phishing

What is clone phishing?

Clone phishing is a technique in which attackers resend a previously legitimate email with malicious links or attachments substituted for the original content. Familiarity with the message significantly increases the likelihood of user interaction.

Real-world attack example

During business email compromise investigations, attackers have cloned genuine invoice and document-sharing emails exchanged between vendors and finance teams. The malicious version often includes minimal changes and a short note explaining the resend.

Attack methodology

• Attackers obtain legitimate emails through mailbox compromise, shared inbox access, forwarding rules, or exposed communications.
• They replicate the message content, layout, and metadata.
• A malicious link or attachment replaces the original.
• The email is sent from a spoofed or compromised address, often framed as an update or correction.

Credibility techniques

Use of authentic branding and formatting. References to prior conversations or expected transactions. Timing delivery when follow-up communication is anticipated.

Distinction from spear phishing

Spear phishing typically involves a newly crafted message. Clone phishing reuses known legitimate content, exploiting familiarity and trust.

Red flags

• Unexpected resends or updates.
• Minor sender address changes or domain variations.
• Links that do not match displayed text.
• Tone inconsistent with the original sender.
• Unexplained urgency.

Prevention

• Include clone phishing scenarios in training.
• Encourage verification of resends and updated files.
• Sandbox attachments and apply zero-trust email handling.
• Provide simple reporting mechanisms for suspected phishing.

Incident response

• Isolate affected accounts or devices.
• Reset credentials and review mailbox rules.
• Scan endpoints and investigate lateral movement.
• Search for similar messages across the organization.

Threat monitoring and hunting

• Monitor for duplicated emails with altered links.
• Detect lookalike domains and sender anomalies.
• Use Bitsight TI to track clone phishing infrastructure and techniques.

2. Deepfake phishing

What is deepfake phishing?

Deepfake phishing uses AI-generated audio or video to impersonate trusted individuals, often executives or business partners. These attacks are commonly paired with traditional phishing or business email compromise tactics.

Threat landscape

Deepfakes target human trust rather than technical controls. Audio impersonation is currently more common and operationally effective than real-time video deepfakes.

Real-world attack examples

• A UK-based energy company suffered financial loss after attackers used AI-generated audio to impersonate a senior executive.
• In Hong Kong, a finance employee was deceived during a video call involving deepfake representations of company leaders, resulting in fraudulent transactions.

Technical details

• Deepfake creation: Attackers use publicly available recordings from interviews, earnings calls, and social media. Tooling is increasingly accessible through open-source projects.
• Attack delivery: Deepfake audio or video is used to reinforce authority and urgency, usually alongside spoofed emails or compromised accounts.

Threat monitoring and prevention

• Detection: Watch for unnatural speech patterns, inconsistent visual cues, or requests that bypass normal approval workflows.
• Authentication: Require secondary verification for sensitive actions regardless of perceived authority.
• Training: Educate employees on deepfake risks and reinforce verification protocols.

Threat hunting and incident response

• Incident response planning: Define procedures for validating executive requests and escalating suspected impersonation quickly.

Impact

• Financial losses can be significant.
• Reputational damage is likely when executives are impersonated.

Future outlook

Deepfake-enabled phishing will continue to evolve, with audio-based impersonation posing the most immediate risk. Organizations must combine process controls, training, and intelligence-led monitoring, including Bitsight TI, to mitigate impact.

3. Captcha phishing

What is Captcha phishing?

Captcha phishing is an emerging social engineering technique where attackers place fake CAPTCHA challenges on phishing pages to increase perceived legitimacy and reduce automated analysis. After completing the CAPTCHA, victims are redirected to credential harvesting pages, malware download sites, or secondary phishing stages.

In most observed campaigns, the CAPTCHA functions as a trust signal and filtering mechanism rather than the payload itself. While some campaigns instruct users to execute commands locally, this is not the dominant pattern.

Real-world attack example

In 2024, several SEO poisoning campaigns directed users searching for popular software to fake download pages protected by CAPTCHA prompts. After verification, victims were redirected to phishing pages or served malware loaders, including credential stealers. Bitsight TI tracking showed these campaigns frequently used newly registered domains hosted on legitimate cloud infrastructure to bypass reputation-based defenses.

Technical details

• Fake CAPTCHA pages: Attackers replicate common CAPTCHA designs and host phishing pages on trusted platforms such as Vercel or Netlify to blend in with legitimate traffic and infrastructure.
• Obfuscation techniques: Malicious JavaScript is commonly obfuscated using Base64 encoding, compression, or simple encryption. Scripts are often decrypted or assembled at runtime to avoid static detection.
• Homoglyph and Unicode abuse: Lookalike characters from non-Latin alphabets and invisible Unicode characters may be used to obscure URLs, variable names, or script behavior. These techniques are supplemental rather than universal.

Threat monitoring

• Indicators of compromise: Monitor for traffic to newly registered domains or suspicious subdomains referencing verification or CAPTCHA workflows. Bitsight TI can help identify emerging infrastructure linked to phishing campaigns abusing trusted hosting services.
• Behavioral analysis: Treat unusual process execution following web activity as a secondary signal. CAPTCHA phishing most often leads to credential submission rather than immediate command execution.

Threat prevention

• User education: Train users to recognize unexpected CAPTCHA prompts outside well-known services, particularly when followed by requests for credentials, downloads, or system actions.
• Multi-layered security: Use endpoint and browser protections that monitor script behavior, credential submission patterns, and suspicious redirects rather than relying solely on CAPTCHA detection.

Threat hunting

• Redirect chain analysis: Analyze full redirect paths to identify CAPTCHA-based gating used to conceal phishing infrastructure.
• Domain monitoring: Track domain age, hosting patterns, and reuse across campaigns using Bitsight TI to surface related activity.

Incident response

• Immediate actions: If CAPTCHA phishing is suspected, review browser activity, isolate affected endpoints if necessary, and assess for credential exposure rather than assuming malware execution.
• Credential security: Enforce multi-factor authentication and password managers to limit impact when credentials are compromised.

Notable malware

• Lumma Stealer: Lumma Stealer has been distributed through phishing and SEO poisoning campaigns that sometimes use CAPTCHA-style gates, though CAPTCHA is not intrinsic to the malware itself.

Conclusion

Captcha phishing primarily exploits user trust and automation gaps rather than technical vulnerabilities. Defenses should focus on redirect analysis, credential protection, and intelligence-driven infrastructure monitoring.

How Bitsight can help

• Intelligence-led phishing detection
  Bitsight Cyber Threat Intelligence (CTI) tracks phishing infrastructure, including clone phishing campaigns, lookalike domains, and CAPTCHA-gated phishing sites. This helps security teams identify active threats earlier and understand how campaigns evolve over time.
   
• Early identification of emerging infrastructure
  Bitsight monitors newly registered domains, suspicious hosting patterns, and abuse of legitimate cloud platforms commonly used in clone phishing and CAPTCHA phishing campaigns, enabling proactive blocking and investigation.
   
• Support for threat hunting and investigations
  Analysts can pivot across domains, IPs, certificates, and observed attacker techniques to uncover related activity, identify campaign overlap, and assess potential organizational exposure.
   
• Context for executive impersonation and deepfake-enabled attacks
  While deepfake phishing targets human trust rather than technical vulnerabilities, Bitsight TI provides insight into supporting infrastructure such as spoofed email domains, compromised vendors, and phishing delivery mechanisms used alongside audio or video impersonation.
   
• Third-party and supply chain risk visibility
  Clone phishing and BEC attacks often originate from compromised vendors or partners. Bitsight helps organizations assess external security posture and identify risky third-party relationships that may introduce phishing exposure.
   
• Incident response and remediation support
  During active incidents, Bitsight intelligence can help responders scope campaigns, search for similar messages or infrastructure across the organization, and prioritize containment actions based on observed attacker behavior.
   
• Strategic reporting and executive awareness
  Bitsight provides clear, actionable intelligence that security leaders can use to brief stakeholders on evolving phishing threats, measure exposure over time, and align training, controls, and response strategies accordingly.