Attacks/Breaches
6/20/2012
02:46 PM

Hackers Offer Free Porn To Beat Security Checks

Spammers are enticing consumers with free porn or games in exchange for help cracking CAPTCHAs on targeted websites, security researchers say.

Want to evade a widely used security defense meant to ensure that a human--rather than an automated attack tool--is requesting access to a website or service? Outsource the interaction to end users in exchange for providing free porn, or pay a nominal fee to freelancers willing to manually log Captcha values.

Both of those strategies, in fact, are now being employed by attackers to help defeat Captcha tests, according to a new report from security firm Imperva, titled "A Captcha in the Rye." (That's a nod to J. D. Salinger's The Catcher In The Rye, in which protagonist Holden Caulfield refers to almost everyone he meets as a "phony.")

The inability of websites to tell whether requests are phony or authentic is an ongoing security problem, as the torrent of spam in many websites' comments sections illustrates. To help stop that spam, among other nuisances or attacks, many websites rely on a Captcha, which stands for Completely Automated Public Turing Test To Tell Computers and Humans Apart. The test is meant to provide a challenge that's easy for a human to solve, but difficult or impossible for a machine to handle.


The traditional Captcha serves up a wavy image that's ostensibly difficult for a machine to process. Other Captcha approaches have involved video, games, and audio--not least to assist visually impaired users.

"Captchas are put in place to protect sites from automation of actions," said Rob Rachwald, director of security strategy at Imperva, in a blog post. Such automation can be used by attackers to seed blogs with comments that include links to malware, to quickly copy large amounts of data from website databases, and to create a large number of fake accounts to trick people into believing that information or links relayed via those accounts--for example, on Facebook, Google+, or Twitter--is legitimate.

Over the years, Captcha builders have continued to refine their technology to try and stay ahead of automated Captcha-guessing tools. Accordingly, some attackers have turned to a more straightforward cracking strategy: outsourcing. "Services like DeCaptcher recruit Captcha solvers from around the world and offer Captcha-solving services as a retailer," reads Imperva's report. "Having many employees allows [a] 24-7 service guarantee while handling massive amounts of Captchas in very little time. At current rates, Captcha solvers get $1 to $3 dollars for solving thousands of Captchas, and are often rewarded (or penalized) according to their speed and achieved percent of accurate responses."

How much does it cost to crack a Captcha? The "Bypass Captcha" service charges $14 per 1,000 Captchas cracked, while "Death by Captcha" charges only $1.39. Meanwhile, other sites do it themselves by offering free games or even porn to site users in exchange for their prowess at solving Captchas, which are copied in from targeted sites. "Instead of paying for a subscription, the user browsing the site gets--every now and then--a pop-up containing a Captcha, which he is required to solve in order to keep enjoying the site or be allowed to see more content," said the report.
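The relay scheme just described, where a challenge copied from a targeted site is solved by a third party elsewhere and posted back later, is the failure mode a site operator can check for. The following is an added example, not code from the article or from Imperva's report: a minimal Python issuer that binds each challenge to the requesting session and client address with a short expiry, so a solution that arrives from a different client or after a long delay is rejected. The key, thresholds, session ids and addresses are constructed placeholders.

```python
import hmac
import hashlib
import secrets

MAX_AGE_SECONDS = 60   # constructed policy value: how long a challenge stays valid
_SECRET = b"server-side-secret-rotate-regularly"   # constructed placeholder key


def _bind(challenge_id, session_id, client_ip, issued):
    """HMAC tag tying a challenge to the session and client it was issued to."""
    msg = f"{challenge_id}|{session_id}|{client_ip}|{issued}".encode()
    return hmac.new(_SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(session_id, client_ip, now):
    """Create a server-side challenge record; only 'id' (plus the image) goes to the browser."""
    challenge_id = secrets.token_hex(8)
    answer = secrets.token_hex(3)            # stands in for the distorted-text answer
    issued = int(now)
    return {"id": challenge_id, "answer": answer, "issued": issued,
            "tag": _bind(challenge_id, session_id, client_ip, issued)}


def verify_solution(challenge, submitted, session_id, client_ip, now):
    """Return (accepted, reason); binding and age are checked before the answer itself."""
    expected = _bind(challenge["id"], session_id, client_ip, challenge["issued"])
    if not hmac.compare_digest(expected, challenge["tag"]):
        return False, "solution came from a different session/client (possible relay)"
    if int(now) - challenge["issued"] > MAX_AGE_SECONDS:
        return False, "challenge expired (slow round trip, possible outsourced solve)"
    if not hmac.compare_digest(submitted.encode(), challenge["answer"].encode()):
        return False, "wrong answer"
    return True, "ok"


def demo():
    """Constructed walk-through: a direct solve, a relayed one, a slow one and a wrong one."""
    t0 = 1_700_000_000
    ch = issue_challenge("sess-A", "198.51.100.7", t0)
    return {
        "direct":  verify_solution(ch, ch["answer"], "sess-A", "198.51.100.7", t0 + 12)[0],
        "relayed": verify_solution(ch, ch["answer"], "sess-A", "203.0.113.9", t0 + 12)[0],
        "slow":    verify_solution(ch, ch["answer"], "sess-A", "198.51.100.7", t0 + 300)[0],
        "wrong":   verify_solution(ch, "xxxxxx", "sess-A", "198.51.100.7", t0 + 12)[0],
    }


if __name__ == "__main__":
    print(demo())   # only the direct solve should be accepted
```

A relay operator can still proxy the solve through the victim's own IP, so the age check and per-session solve-rate limits carry more weight than the address binding alone.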

Comments
Bprince, User Rank: Ninja
6/21/2012 | 2:04:14 AM
re: Hackers Offer Free Porn To Beat Security Checks
It sounds to me like traditional text-based CAPTCHAs are close to being dead in terms of effectiveness. I don't know if there is a solution to humans cracking them, but perhaps the use of images or puzzles will make a difference when it comes to some of the tools.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
GBARRINGTON196, User Rank: Apprentice
6/22/2012 | 11:24:02 AM
re: Hackers Offer Free Porn To Beat Security Checks
The problem with Captcha is creating images that HUMANS can identify! I don't know how many times I've tried to get into a site via Captcha only to be told that what I've typed isn't correct, when clearly it is. And requesting a new Captcha image sometimes helps, and sometimes doesn't. Personally, I hope the computer security community comes up with something better and fast. I hate Captcha.