6/20/2012 02:46 PM

Hackers Offer Free Porn To Beat Security Checks

Spammers are enticing consumers with free porn or games in exchange for help cracking CAPTCHAs on targeted websites, security researchers say.

Want to evade a widely used security defense meant to ensure that a human--rather than an automated attack tool--is requesting access to a website or service? Outsource the interaction to end users in exchange for providing free porn, or pay a nominal fee to freelancers willing to manually log Captcha values.

Both of those strategies, in fact, are now being employed by attackers to help defeat Captcha tests, according to a new report from security firm Imperva, titled "A Captcha in the Rye." (That's a nod to J. D. Salinger's The Catcher In The Rye, in which protagonist Holden Caulfield refers to almost everyone he meets as a "phony.")

The inability of websites to tell whether requests are phony or authentic is an ongoing security problem, as the torrent of spam in many websites' comments sections illustrates. To help stop that spam, among other nuisances or attacks, many websites rely on a Captcha, which stands for Completely Automated Public Turing Test To Tell Computers and Humans Apart. The test is meant to provide a challenge that's easy for a human to solve, but difficult or impossible for a machine to handle.


The traditional Captcha serves up a wavy image that's ostensibly difficult for a machine to process. Other Captcha approaches have involved video, games, and audio--not least to assist visually impaired users.

"Captchas are put in place to protect sites from automation of actions," said Rob Rachwald, director of security strategy at Imperva, in a blog post. Such automation can be used by attackers to seed blogs with comments that include links to malware, to quickly copy large amounts of data from website databases, and to create a large number of fake accounts to trick people into believing that information or links relayed via those accounts--for example, on Facebook, Google+, or Twitter--is legitimate.

Over the years, Captcha builders have continued to refine their technology to try to stay ahead of automated Captcha-guessing tools. Accordingly, some attackers have turned to a more straightforward cracking strategy: outsourcing. "Services like DeCaptcher recruit Captcha solvers from around the world and offer Captcha-solving services as a retailer," reads Imperva's report. "Having many employees allows [a] 24-7 service guarantee while handling massive amounts of Captchas in very little time. At current rates, Captcha solvers get $1 to $3 dollars for solving thousands of Captchas, and are often rewarded (or penalized) according to their speed and achieved percent of accurate responses."

How much does it cost to crack a Captcha? The "Bypass Captcha" service charges $14 per 1,000 Captchas cracked, while "Death by Captcha" charges only $1.39. Meanwhile, other sites do it themselves by offering free games or even porn to site users in exchange for their prowess at solving Captchas, which are copied in from targeted sites. "Instead of paying for a subscription, the user browsing the site gets--every now and then--a pop-up containing a Captcha, which he is required to solve in order to keep enjoying the site or be allowed to see more content," said the report.
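The outsourcing schemes above work because a Captcha image can be lifted out of the page it protects and shown to a human anywhere else, with the answer fed back later. The following is an added example, not code from Imperva's report or from any site named in the article, showing the server-side bookkeeping that limits that relay: each challenge is bound to the session it was issued to, expires after a short window, and is accepted at most once. A human solver farm can still produce correct answers, but every abusive action then costs one fresh, recently solved challenge from the right session, and a solved challenge cannot be replayed. The store, the session ids, the answers and the 60-second window are all constructed for illustration.

```python
"""Session-bound, single-use, expiring Captcha challenges (illustrative example)."""
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 60  # constructed value; a real deployment tunes this


class CaptchaStore:
    """In-memory record of outstanding challenges (assumed design, not a real library)."""

    def __init__(self, ttl=CHALLENGE_TTL_SECONDS, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._pending = {}  # challenge_id -> (session_id, answer, issued_at)

    def issue(self, session_id, answer):
        """Register a challenge for one session and return its opaque id."""
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (session_id, answer.strip().lower(), self.clock())
        return cid

    def verify(self, session_id, cid, submitted):
        """Accept once, only from the issuing session, only before expiry.

        The entry is removed on any attempt, so a wrong guess burns the challenge
        and a replay of a solved challenge is refused.
        """
        entry = self._pending.pop(cid, None)
        if entry is None:
            return False, "unknown_or_reused"
        owner, answer, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return False, "expired"  # answer came back too late (e.g. farmed out)
        if owner != session_id:
            return False, "session_mismatch"  # solved under some other session
        if not hmac.compare_digest(answer.encode(), submitted.strip().lower().encode()):
            return False, "wrong_answer"
        return True, "ok"


class FakeClock:
    """Deterministic clock so the scenarios below run offline and repeatably."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through four constructed scenarios and return their verdicts."""
    clock = FakeClock()
    store = CaptchaStore(ttl=60, clock=clock)
    results = {}

    # 1. Genuine visitor solves the challenge within the window.
    cid = store.issue("sess-A", "7xk2q")
    clock.advance(8)
    results["genuine"] = store.verify("sess-A", cid, "7XK2Q")

    # 2. The same solved challenge is submitted again: refused as single-use.
    results["replay"] = store.verify("sess-A", cid, "7xk2q")

    # 3. Challenge relayed to a human elsewhere; correct answer returns after expiry.
    cid = store.issue("sess-B", "m4pz8")
    clock.advance(120)
    results["late_relay"] = store.verify("sess-B", cid, "m4pz8")

    # 4. Correct answer, but submitted under a session other than the issuing one.
    cid = store.issue("sess-C", "q9r3t")
    clock.advance(5)
    results["other_session"] = store.verify("sess-D", cid, "q9r3t")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

The expiry window is the main lever against outsourced solving: the report quotes solver payment tied to speed, so a short window directly raises the farm's cost per accepted answer. Binding to the session, in turn, stops a solution obtained on one site or connection from being spent on another.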

Comments
Bprince, User Rank: Ninja, 6/21/2012 2:04:14 AM
re: Hackers Offer Free Porn To Beat Security Checks
It sounds to me like traditional text-based CAPTCHAs are close to being dead in terms of effectiveness. I don't know if there is a solution to humans cracking them, but perhaps the use of images or puzzles will make a difference when it comes to some of the tools.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
GBARRINGTON196, User Rank: Apprentice, 6/22/2012 11:24:02 AM
re: Hackers Offer Free Porn To Beat Security Checks
The problem with Captcha is creating images that HUMANS can identify! I don't know how many times I've tried to get into a site via Captcha only to be told that what I've typed isn't correct, when clearly it is. And requesting a new Captcha image sometimes helps, and sometimes doesn't. Personally, I hope the computer security community comes up with something better and fast. I hate Captcha.