Cyber-Criminals Increasingly Using Official reCAPTCHA Walls in Phishing Attacks

Just because you have to jump through some hoops (or identify pictures with palm trees in them) doesn’t mean that a website is kosher:

New research from Barracuda Networks has revealed that cyber-criminals are increasingly using official reCAPTCHA walls to disguise malicious content from email security systems and trick unsuspecting users.

reCAPTCHA walls are typically used to verify human users before allowing access to web content. Sophisticated scammers are therefore beginning to use the Google-owned service to prevent automated URL analysis systems from accessing the actual content of phishing pages, and to make phishing sites more believable in the eyes of the victim, Barracuda Networks warned.

In fact, the security solutions provider observed a single phishing campaign that sent out 128,000 emails to a variety of organizations and employees, using reCAPTCHA walls to conceal fake Microsoft log-in pages. The campaign used the lure of a voicemail receipt to fool users into solving the reCAPTCHA wall, after which they were redirected to the malicious page, with any log-in info entered there sent straight to the scammers.

