Attacks/Breaches
6/20/2012
02:46 PM
Connect Directly
RSS
E-Mail
50%
50%

Hackers Offer Free Porn To Beat Security Checks

Spammers are enticing consumers with free porn or games in exchange for help cracking CAPTCHAs on targeted websites, security researchers say.

Accordingly, any website that relies on Captchas shouldn't make that its only defense against automated attacks or spammers. "Human-based Captcha solving services pose a serious threat to Web security and challenge the whole concept of Captchas," said the report. "They were originally intended to distinguish humans from computers, but now automated software is using actual humans to cheat the test and pass as humans."

For example, Imperva said that it reviewed a Captcha-defeating attack against a Brazilian government agency and saw what appeared to be an attack tool continually requesting refreshes of the security page containing a Captcha challenge. "It seems that the attack tool 'pressed' this button to gather more and more Captcha images, perhaps to create an offline dictionary for future use," said the report. With such a dictionary, the attack tool could take a screenshot of every Captcha, compare it with a dictionary of Captcha images that had been "solved" by humans, and then successfully bypass the Captcha security check.

Another attack detailed by Imperva was made against a Brazilian government agency that handles tax administration, validates the country's social security numbers, and also provides financial information for companies. Documents from this agency are required as a pre-condition to many other services in Brazil, like issuing a passport or getting a loan, according to the report.

To protect the site, the agency uses Captchas, as well as a rate limit, source IP limit--limiting the frequency of connections allowed from a given IP address range--and some other limitations to avoid a denial of service and automated access. But many corporate users--the report cites loan companies, banks, accounting offices, and law firms--actually purchase third-party software to bypass the Captchas and other security mechanisms to help them more rapidly access information about their customers.

Fortunately, attempts to automatically gather Captcha information or defeat such systems can leave telltale signs. For example, these requests often sport unusual rates of access--all originating from the same IP address--or use unusual HTTP headers. Accordingly, these techniques can be identified and used to block or throttle requests from suspect IP addresses. Blacklisting known bad sites and tracking reputation can also be employed to help identify which requests to block outright.

Imperva's report also recommends creating a baseline of normal behavior. "A site can create a profile of legitimate use in terms of rate of access, requested URLs, distribution, traffic volume, geo-location--[an] IP from [the] Ukraine trying to post in a Japanese blog," then require any user exhibiting suspicious behavior to jump through additional security hoops. As with other security tools, in other words, Captchas work best as part of a layered defense.

Security information and event monitoring technology has been available for years, but the information can be hard to mine. In our SIEM Success report, we provide a step-by-step guide to make the most of your SIEM system. (Free registration required.)

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GBARRINGTON196
50%
50%
GBARRINGTON196,
User Rank: Apprentice
6/22/2012 | 11:24:02 AM
re: Hackers Offer Free Porn To Beat Security Checks
The problem with Captcha is creating images that HUMANS can identify! I don't know how many times I've tried to get into a site via Catcha only to be told that what I've typed isn't correct, when clearly it is. And requesting a new Captcha image sometimes helps, and sometimes doesn't. Personally, I hope the computer security community comes up with something better and fast. I hate Captcha.
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/21/2012 | 2:04:14 AM
re: Hackers Offer Free Porn To Beat Security Checks
It sounds to me like traditional text-based CAPTCHAs are close to being dead in terms of effectiveness. I don't know if there is a solution to humans cracking them, but perhaps the use of images or puzzles will make a difference when it comes to some of the tools.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.