Attacks/Breaches
6/20/2012
02:46 PM
Connect Directly
RSS
E-Mail
50%
50%

Hackers Offer Free Porn To Beat Security Checks

Spammers are enticing consumers with free porn or games in exchange for help cracking CAPTCHAs on targeted websites, security researchers say.

Want to evade a widely used security defense meant to ensure that a human--rather than an automated attack tool--is requesting access to a website or service? Outsource the interaction to end users in exchange for providing free porn, or pay a nominal fee to freelancers willing to manually log Captcha values.

Both of those strategies, in fact, are now being employed by attackers to help defeat Captcha tests, according to a new report from security firm Imperva, titled "A Captcha in the Rye." (That's a nod to J. D. Salinger's The Catcher In The Rye, in which protagonist Holden Caulfield refers to almost everyone he meets as a "phony.")

The inability of websites to tell whether requests are phony or authentic is an ongoing security problem, as the torrent of spam in many websites' comments sections illustrates. To help stop that spam, among other nuisances or attacks, many websites rely on a Captcha, which stands for Completely Automated Public Turing Test To Tell Computers and Humans Apart. The test is meant to provide a challenge that's easy for a human to solve, but difficult or impossible for a machine to handle.

[ LinkedIn's security breach leads to a class action lawsuit. Read about it here: LinkedIn Security Breach Triggers $5 Million Lawsuit. ]

The traditional Captcha serves up a wavy image that's ostensibly difficult for a machine to process. Other Captcha approaches have involved video, games, and audio--not least to assist visually impaired users.

"Captchas are put in place to protect sites from automation of actions," said Rob Rachwald, director of security strategy at Imperva, in a blog post. Such automation can be used by attackers to seed blogs with comments that include links to malware, to quickly copy large amounts of data from website databases, and to create a large number of fake accounts to trick people into believing that information or links relayed via those accounts--for example, on Facebook, Google+, or Twitter--is legitimate.

Over the years, Captcha builders have continued to refine their technology to try and stay ahead of automated Captcha-guessing tools. Accordingly, some attackers have turned to a more straightforward cracking strategy: outsourcing. "Services like DeCaptcher recruit Captcha solvers from around the world and offer Captcha-solving services as a retailer," reads Imperva's report. "Having many employees allows [a] 24-7 service guarantee while handling massive amounts of Captchas in very little time. At current rates, Captcha solvers get $1 to $3 dollars for solving thousands of Captchas, and are often rewarded (or penalized) according to their speed and achieved percent of accurate responses."

How much does it cost to crack a Captcha? The "Bypass Captcha" service charges $14 per 1,000 Captchas cracked, while "Death by Captcha" charges only $1.39. Meanwhile, other sites do it themselves by offering free games or even porn to site users in exchange for their prowess at solving Captchas, which are copied in from targeted sites. "Instead of paying for a subscription, the user browsing the site gets--every now and then--a pop-up containing a Captcha, which he is required to solve in order to keep enjoying the site or be allowed to see more content," said the report.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/21/2012 | 2:04:14 AM
re: Hackers Offer Free Porn To Beat Security Checks
It sounds to me like traditional text-based CAPTCHAs are close to being dead in terms of effectiveness. I don't know if there is a solution to humans cracking them, but perhaps the use of images or puzzles will make a difference when it comes to some of the tools.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
GBARRINGTON196
50%
50%
GBARRINGTON196,
User Rank: Apprentice
6/22/2012 | 11:24:02 AM
re: Hackers Offer Free Porn To Beat Security Checks
The problem with Captcha is creating images that HUMANS can identify! I don't know how many times I've tried to get into a site via Catcha only to be told that what I've typed isn't correct, when clearly it is. And requesting a new Captcha image sometimes helps, and sometimes doesn't. Personally, I hope the computer security community comes up with something better and fast. I hate Captcha.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0485
Published: 2014-09-02
S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5136
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.