6/20/2012
02:46 PM

Hackers Offer Free Porn To Beat Security Checks

Spammers are enticing consumers with free porn or games in exchange for help cracking CAPTCHAs on targeted websites, security researchers say.

Want to evade a widely used security defense meant to ensure that a human--rather than an automated attack tool--is requesting access to a website or service? Outsource the interaction to end users in exchange for free porn, or pay a nominal fee to freelancers who type in Captcha answers by hand.

Both strategies are now being employed by attackers to defeat Captcha tests, according to a new report from security firm Imperva, titled "A Captcha in the Rye." (That's a nod to J. D. Salinger's The Catcher in the Rye, in which protagonist Holden Caulfield refers to almost everyone he meets as a "phony.")

The inability of websites to tell whether requests are phony or authentic is an ongoing security problem, as the torrent of spam in many websites' comment sections illustrates. To help stop that spam, among other nuisances or attacks, many websites rely on a Captcha, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart. The test is meant to pose a challenge that is easy for a human to solve but difficult or impossible for a machine to handle.


The traditional Captcha serves up an image of distorted, wavy text that is ostensibly hard for a machine to read. Other Captcha approaches have involved video, games, and audio--the last not least to assist visually impaired users.

"Captchas are put in place to protect sites from automation of actions," said Rob Rachwald, director of security strategy at Imperva, in a blog post. Such automation lets attackers seed blog comments with links to malware, quickly copy large amounts of data out of website databases, and create large numbers of fake accounts so that information or links relayed through those accounts--for example, on Facebook, Google+, or Twitter--appear legitimate.

Over the years, Captcha builders have continued to refine their technology to try to stay ahead of automated Captcha-solving tools. Accordingly, some attackers have turned to a more straightforward cracking strategy: outsourcing the solving to people. "Services like DeCaptcher recruit Captcha solvers from around the world and offer Captcha-solving services as a retailer," reads Imperva's report. "Having many employees allows [a] 24-7 service guarantee while handling massive amounts of Captchas in very little time. At current rates, Captcha solvers get $1 to $3 dollars for solving thousands of Captchas, and are often rewarded (or penalized) according to their speed and achieved percent of accurate responses."

How much does it cost to crack a Captcha? The "Bypass Captcha" service charges $14 per 1,000 Captchas solved, while "Death by Captcha" charges only $1.39 per 1,000. Other operators cut out the paid solvers altogether: they run sites offering free games or even porn, and the price of admission is solving Captchas that have been copied in from the targeted site. "Instead of paying for a subscription, the user browsing the site gets--every now and then--a pop-up containing a Captcha, which he is required to solve in order to keep enjoying the site or be allowed to see more content," said the report.
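The relay scheme described above, as an added model that is not from Imperva's report or from any of the services named: a bot requests a challenge from the targeted site, the attacker-run "free content" site shows that challenge to one of its visitors as a pop-up, and the bot replays the visitor's answer. The single-use rule and the challenge lifetime on the target side are assumptions added here, not something the article says the targeted sites do; they are in the model because they are the one lever the target controls, and the simulation shows the relay only works when a visitor turns up before the challenge expires. The "image" is just a string that only the human stand-in reads; no real Captcha solving is modelled.

```python
import secrets
from collections import deque
from dataclasses import dataclass


class FakeClock:
    """Manual clock so the simulation is deterministic and runs offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Challenge:
    cid: str          # opaque id the target hands back together with the image
    image: str        # stands in for the wavy picture: a human reads it, a bot cannot
    issued_at: float


class TargetSite:
    """The site under attack: one single-use challenge per sign-up.
    ttl (seconds) is our assumption, not something the article reports."""

    def __init__(self, clock, ttl=120.0):
        self.clock = clock
        self.ttl = ttl
        self._open = {}
        self.accounts = 0

    def issue_challenge(self):
        ch = Challenge(secrets.token_hex(8), secrets.token_hex(3), self.clock())
        self._open[ch.cid] = ch
        return ch

    def sign_up(self, cid, typed):
        ch = self._open.pop(cid, None)      # single use: gone after the first attempt
        if ch is None:
            return False
        if self.clock() - ch.issued_at > self.ttl:
            return False                    # expired while the relay waited for a human
        ok = typed == ch.image
        if ok:
            self.accounts += 1
        return ok


class RelaySite:
    """The attacker-run 'free porn / free games' site. Challenges copied from
    the target are shown to visitors as pop-ups; answers are kept for the bot."""

    def __init__(self):
        self._pending = deque()
        self._solved = {}

    def enqueue(self, challenge):
        self._pending.append(challenge)

    def popup_for_visitor(self):
        """Next challenge to show a visitor, or None if nothing is pending."""
        return self._pending.popleft() if self._pending else None

    def visitor_submits(self, cid, answer):
        self._solved[cid] = answer

    def answer_for(self, cid):
        return self._solved.pop(cid, None)


class Bot:
    """The automation the Captcha was supposed to stop."""

    def __init__(self, target, relay):
        self.target, self.relay = target, relay

    def start_signup(self):
        ch = self.target.issue_challenge()  # hit the target, receive a Captcha
        self.relay.enqueue(ch)              # hand it to the relay site
        return ch.cid

    def finish_signup(self, cid):
        answer = self.relay.answer_for(cid)
        return answer is not None and self.target.sign_up(cid, answer)


def human_reads(image):
    """Stand-in for a visitor reading the wavy text; this human gets it right."""
    return image


def simulate(human_delay_s, ttl_s=120.0):
    """One relayed sign-up. Returns True if the bot ends up with an account."""
    clock = FakeClock()
    target = TargetSite(clock, ttl=ttl_s)
    relay = RelaySite()
    bot = Bot(target, relay)

    cid = bot.start_signup()
    clock.advance(human_delay_s)            # waiting for a visitor to appear
    ch = relay.popup_for_visitor()          # the pop-up the article describes
    relay.visitor_submits(ch.cid, human_reads(ch.image))
    return bot.finish_signup(cid)           # bot replays the human's answer


if __name__ == "__main__":
    print("visitor in 30 s, ttl 120 s :", simulate(30))
    print("visitor in 600 s, ttl 120 s:", simulate(600))
```

With a two-minute lifetime the relay succeeds only when the porn site has enough traffic to get a human in front of the pop-up quickly, which is exactly why the services in the report advertise volume and 24-7 coverage; a site that never expires its challenges, or accepts the same answer twice, gives the relay all the time it needs.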

Comments
GBARRINGTON196
6/22/2012 | 11:24:02 AM
re: Hackers Offer Free Porn To Beat Security Checks
The problem with Captcha is creating images that HUMANS can identify! I don't know how many times I've tried to get into a site via Captcha only to be told that what I've typed isn't correct, when clearly it is. And requesting a new Captcha image sometimes helps, and sometimes doesn't. Personally, I hope the computer security community comes up with something better and fast. I hate Captcha.
Bprince
6/21/2012 | 2:04:14 AM
re: Hackers Offer Free Porn To Beat Security Checks
It sounds to me like traditional text-based CAPTCHAs are close to being dead in terms of effectiveness. I don't know if there is a solution to humans cracking them, but perhaps the use of images or puzzles will make a difference when it comes to some of the tools.
Brian Prince, InformationWeek/Dark Reading Comment Moderator