
I am sure all of us have encountered CAPTCHA while browsing the internet. “Verify you are human”, “I’m not a robot”, “Select all the squares with traffic lights” — it has become a recognized, if begrudged, part of our regular interaction with today’s online content. We in part accept this mild inconvenience because we know (hope?) it makes us safer online. We trust the idea that it helps prevent bots from spamming and abusing the services we all love. But what happens if the CAPTCHAs we encounter aren’t always what they appear to be? What if cyber-criminals abused our trust in these safeguards to get us to lower our guard, and launched attacks under the illusion of security? You may have already guessed it, but this is exactly what is happening. Fraudsters are conducting psychological operations (psyops) that target the weakest link in any system — us. Social engineering is a form of psyops that targets the users of a system with the intent of exploiting human perception and behavior. Essentially, the goal is to trick legitimate users into taking actions they would not ordinarily take under normal conditions, such as clicking a dodgy link in an email, giving a caller their password, or wiring money to a “Prince” in Nigeria. In this specific case, though, attackers are attempting to subvert our trust in companies whose primary purpose is to provide online security and keep us all safe. But we will get to that. Let’s dig in…
THE SETUP
A Twist on a Common Ruse
It all starts with an urgent-sounding text message from what appears to be a trusted service provider (package delivery, toll road, the usual suspects) that requires immediate action. “Unusual activity on your account has been detected!” “You have an unpaid toll balance!” “Your package cannot be delivered!” Then they provide a convenient link for you to click on that will presumably take you to the site to address this emerging “crisis”. In the most common form of this attack, the link or thumbnail image takes you directly to a cloned phishing page impersonating your trusted service, and it convincingly prompts you to input your credentials. Doing so, however, hands your login information to the attackers, who can then use it to access the real site under your account and conduct any sort of fraudulent activity. This is one of the types of attacks that Allure Security sees happening at scale every single day across the internet. Many users have already become wise to this type of scam due to the sheer mind-numbing number of attempts we receive. However, attackers have not used their laurels for resting; instead they are continuously iterating and trying new variations in the hope of catching us off guard. In a recent campaign we investigated, instead of sending users directly to the phishing site, the scammers linked them to an intermediary resource. If you were unlucky enough to click on this attack, you would see something like the following in your browser:

You might glance at this while going about your busy day and think to yourself “at least it’s not one of those ones where you have to click on all the images or type out the impossible to read letters — who has time for that?” before clicking the checkbox feeling good that your choice in service providers is keeping you secure. Or so you think.
THE REVEAL
A Wolf in Shepherd’s Clothing
What is really going on behind the scenes is far from innocuous. What appears to be a “security check” is actually acting as a proxy to another website — a phishing page stealing credentials. If we investigate the source code of the proxy page, we will immediately notice a few red flags:

🚩 First, the full code contains no actual links or included resources you would expect from the well-known security vendor being impersonated.
🚩 The right-click context menu has been disabled, and the key combinations for common shortcuts such as opening the developer tools have been intercepted and disabled to slow down any attempt at analysis. This is not a common feature of legitimate websites.

🚩 Investigating the code associated with the “Verify you are human” checkbox reveals an interesting base64-encoded string that is assigned to a variable targetURL, then decoded and set as the value of the JavaScript property “window.location.href”. This property represents the URL of the current webpage, and assigning to it is a common technique for redirecting the browser to another page. The decoded string containing the true destination URL is shown below:

You may notice the long random-looking string appended to the phishing domain in the decoded URL and wonder why it is there. Good instincts! If you were to browse to the URL without including that specific string in your request, you would be automatically redirected to YouTube. Attackers do this intentionally to prevent automated security scanners and researchers from discovering the page, while keeping the true nature of the site hidden from everyone but its intended victims — the recipients of that initial text message. Victims must first click through the fake CAPTCHA site to unlock and gain access to the intended payload.
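The red flags above can be turned into a simple static check. The following Python scanner is an added example (not code from the campaign, the phishing kit, or Allure Security): it decodes base64 literals found in page source, keeps the ones that are URLs, and reports the other tells described above. The sample page, the domain phish.example, the path token and the vendor hostname captcha-vendor.example are all constructed placeholders.

```python
import base64
import re

# Constructed stand-in for the fake-CAPTCHA proxy page (not the real kit's source).
# The true destination is base64-encoded at build time, so no hand-typed encoding is needed;
# "phish.example" and the trailing path token are made-up placeholders.
_HIDDEN_TARGET = "https://phish.example/login/7f3c9a1e5b2d4c8e"
SAMPLE_HTML = f"""
<html><body>
<label><input type="checkbox" id="verify"> Verify you are human</label>
<script>
document.addEventListener('contextmenu', e => e.preventDefault());
document.addEventListener('keydown', e => {{
  if (e.key === 'F12' || (e.ctrlKey && e.shiftKey && e.key === 'I')) e.preventDefault();
}});
document.getElementById('verify').onclick = function() {{
  var targetURL = atob('{base64.b64encode(_HIDDEN_TARGET.encode()).decode()}');
  window.location.href = targetURL;
}};
</script></body></html>
"""

B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # long base64-looking runs
URL_PREFIX = re.compile(r"^https?://", re.I)


def find_encoded_redirects(html):
    """Decode every base64-looking literal in the page and keep the ones that are URLs."""
    urls = []
    for m in B64_LITERAL.finditer(html):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: ignore it
        if URL_PREFIX.match(text):
            urls.append(text)
    return urls


def red_flags(html, vendor_host="captcha-vendor.example"):
    """Heuristics for the tells described in the post; vendor_host is an assumed placeholder."""
    flags = []
    if "contextmenu" in html and "preventDefault" in html:
        flags.append("context menu disabled")
    if re.search(r"keydown.*?(F12|ctrlKey)", html, re.S):
        flags.append("devtools shortcuts intercepted")
    if "window.location.href" in html and find_encoded_redirects(html):
        flags.append("base64-encoded redirect target")
    if vendor_host not in html:  # a real widget loads script/resources from its vendor
        flags.append("no resources loaded from the impersonated vendor")
    return flags
```

The decoded URL returned by find_encoded_redirects still carries the long path token, which is the value a scanner must keep when it follows the redirect for inspection.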
The phishing site is no longer online thanks to the efforts of our crack takedown team, who had it quickly removed, effectively shutting down and disrupting the phishing campaign. Chalk another one up to the good guys!
THE AFTERMATH
Leveling up
We’re now seeing clear evidence of attackers impersonating trusted security vendors—not just donning the disguise of a harmless bystander, but cloaking themselves in the very authority meant to protect. It’s no longer a wolf in sheep’s clothing — it’s a wolf in shepherd’s clothing. Their aim is psychological: to exploit our trust in protective signals by deploying a decoy — a fake CAPTCHA that masks the true destination and intent of their attack.
This is more than just a technical ruse. It’s psychological warfare — a textbook psyop, where adversaries exploit our trust in familiar security signals to bypass our defenses. And unlike simple credential theft, this kind of manipulation targets our instincts, habits, and assumptions.
But here’s the critical insight: If attackers can evolve, so can we.
By analyzing these phishing kits and fraud tactics not just for their payloads but for their psychological framing, we as defenders can start to build countermeasures that address both the technical and human layers of the attack surface. That means designing better user education, fine-tuning detection systems to spot these proxy-layered phishing campaigns, and sharing intelligence to disrupt campaigns early.
At Allure Security, we believe that understanding attacker mindset is key to outmaneuvering them. Every fake CAPTCHA, every encoded redirect, every impersonation attempt is a data point we can use to make defenders stronger. Because in the end, it’s not just about technology — it’s about trust.
So next time you see a “Verify you’re human” checkbox, you might want to ask: Who’s verifying who?