Attacks/Breaches
6/20/2012
02:46 PM
50%
50%

Hackers Offer Free Porn To Beat Security Checks

Spammers are enticing consumers with free porn or games in exchange for help cracking CAPTCHAs on targeted websites, security researchers say.

Accordingly, any website that relies on Captchas shouldn't make that its only defense against automated attacks or spammers. "Human-based Captcha solving services pose a serious threat to Web security and challenge the whole concept of Captchas," said the report. "They were originally intended to distinguish humans from computers, but now automated software is using actual humans to cheat the test and pass as humans."

For example, Imperva said that it reviewed a Captcha-defeating attack against a Brazilian government agency and saw what appeared to be an attack tool continually requesting refreshes of the security page containing a Captcha challenge. "It seems that the attack tool 'pressed' this button to gather more and more Captcha images, perhaps to create an offline dictionary for future use," said the report. With such a dictionary, the attack tool could take a screenshot of every Captcha, compare it with a dictionary of Captcha images that had been "solved" by humans, and then successfully bypass the Captcha security check.

Another attack detailed by Imperva was made against a Brazilian government agency that handles tax administration, validates the country's social security numbers, and also provides financial information for companies. Documents from this agency are required as a pre-condition to many other services in Brazil, like issuing a passport or getting a loan, according to the report.

To protect the site, the agency uses Captchas, as well as a rate limit, source IP limit--limiting the frequency of connections allowed from a given IP address range--and some other limitations to avoid a denial of service and automated access. But many corporate users--the report cites loan companies, banks, accounting offices, and law firms--actually purchase third-party software to bypass the Captchas and other security mechanisms to help them more rapidly access information about their customers.

Fortunately, attempts to automatically gather Captcha information or defeat such systems can leave telltale signs. For example, these requests often sport unusual rates of access--all originating from the same IP address--or use unusual HTTP headers. Accordingly, these techniques can be identified and used to block or throttle requests from suspect IP addresses. Blacklisting known bad sites and tracking reputation can also be employed to help identify which requests to block outright.

Imperva's report also recommends creating a baseline of normal behavior. "A site can create a profile of legitimate use in terms of rate of access, requested URLs, distribution, traffic volume, geo-location--[an] IP from [the] Ukraine trying to post in a Japanese blog," then require any user exhibiting suspicious behavior to jump through additional security hoops. As with other security tools, in other words, Captchas work best as part of a layered defense.

Security information and event monitoring technology has been available for years, but the information can be hard to mine. In our SIEM Success report, we provide a step-by-step guide to make the most of your SIEM system. (Free registration required.)

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GBARRINGTON196
50%
50%
GBARRINGTON196,
User Rank: Apprentice
6/22/2012 | 11:24:02 AM
re: Hackers Offer Free Porn To Beat Security Checks
The problem with Captcha is creating images that HUMANS can identify! I don't know how many times I've tried to get into a site via Catcha only to be told that what I've typed isn't correct, when clearly it is. And requesting a new Captcha image sometimes helps, and sometimes doesn't. Personally, I hope the computer security community comes up with something better and fast. I hate Captcha.
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/21/2012 | 2:04:14 AM
re: Hackers Offer Free Porn To Beat Security Checks
It sounds to me like traditional text-based CAPTCHAs are close to being dead in terms of effectiveness. I don't know if there is a solution to humans cracking them, but perhaps the use of images or puzzles will make a difference when it comes to some of the tools.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.