[bradleyjkemp]

It's really common now for phishing kits to use interstitial pages that require solving a captcha before the actual phishing content is shown

Victims just click through the captcha without thinking, but it makes automatic verdicting by security scanners a pain because they just see a captcha page: can't tell the brand being impersonated, or even if it's a phishing site

I wrote a post about a number of these which actually pretend to be Cloudflare! https://phish.report/blog/fake-cloudflare-interstitials

[barbazoo]

Interesting! What I was thinking of was use of legitimate captcha integrations (reCAPTCHA, hCaptcha) in front of fake banking websites. Drives me crazy that there isn't an easy avenue to report those.

[bradleyjkemp]

Oh some of them definitely use a real reCAPTCHA, hCAPTCHA, or Turnstile widget. It actually useful sometimes to track the same API key being used across multiple different domains

But yeah, I wouldn't even know where to report those API keys for abuse