To all Web Page/Application Designers, who believe CAPTCHAs will ensure that your pages will remain protected from Web Spammer and Evildoers, take a look at this article from Read/WriteWeb:Spammers Use Striptease to Crack CAPTCHAs:
A virtual stripper named "Melissa" that promises to progressively remove items of clothing for viewers who solve online CAPTCHAs is actually part of a scheme by spammers to crack web site registration traps meant to keep them out, reported security researchers this week.
Every time a user correctly enters the text on a CAPTCHA, the user is rewarded by Melissa removing another item of clothing. The catch is that the CAPTCHAs are being fed from real services, like Yahoo! Mail's signup process. So users looking for a free skin show are actually helping spammers and scammers thwart online security measures that usually keep their robots out.
"They're using human beings in semi-real time to translate CAPTCHAs by proxy," Paul Ferguson, a network architect at Trend Micro, told IDG News. "You have to give them this, it's clever." Certainly it is. Human intelligence has often been used in this way to solve problems that computers struggle with. We've previously reported on the reCAPTCHA system (here), which uses the spam-fighting images to digitize books, and on GalaxyZoo (here), which utilizes human input to identify and categorize galaxies.
According to Trend Micro, the Melissa striptease is part of a Trojan called CAPTCHA.a (Symantec calls it Captchar.a) that attacks Windows PCs. This isn't the first time spammers have employed humans to try to crack CAPTCHAs, said Trend Micro. "Work-at-home money mule schemes run by criminals have hired people to do this same thing," Ferguson told IDG. "They're told to log on to this Web page and type the CAPTCHA. They have a quota."
For now the threat appears to be benign -- used only to register free email accounts to flood chat rooms with unsolicited marketing pitches -- but there is a worry among security researchers that the same technique could be used for something more diabolic, like breaking into financial institution web sites.
I must say the Evil Doers are really getting creative, using porn addicts to assist them in breaking CAPTCHA security. I look for the initial targets to be high value targets, such as banking and other financial institutions as I would tend to believe they might have trouble attracting enough porn addicts to do the translations on a mass scale.
But if I were designing Web Applications, I would look for a substitute for the CAPTCHA security, because I could be wrong.
0 comments:
Post a Comment