Spammers are enticing consumers with free porn or games in exchange for help cracking CAPTCHAs on targeted websites, security researchers say.

Mathew J. Schwartz, Contributor

June 20, 2012

5 Min Read

Want to evade a widely used security defense meant to ensure that a human--rather than an automated attack tool--is requesting access to a website or service? Outsource the interaction to end users in exchange for providing free porn, or pay a nominal fee to freelancers willing to manually log Captcha values.

Both of those strategies, in fact, are now being employed by attackers to help defeat Captcha tests, according to a new report from security firm Imperva, titled "A Captcha in the Rye." (That's a nod to J. D. Salinger's The Catcher In The Rye, in which protagonist Holden Caulfield refers to almost everyone he meets as a "phony.")

The inability of websites to tell whether requests are phony or authentic is an ongoing security problem, as the torrent of spam in many websites' comments sections illustrates. To help stop that spam, among other nuisances or attacks, many websites rely on a Captcha, which stands for Completely Automated Public Turing Test To Tell Computers and Humans Apart. The test is meant to provide a challenge that's easy for a human to solve, but difficult or impossible for a machine to handle.

[ LinkedIn's security breach leads to a class action lawsuit. Read about it here: LinkedIn Security Breach Triggers $5 Million Lawsuit. ]

The traditional Captcha serves up a wavy image that's ostensibly difficult for a machine to process. Other Captcha approaches have involved video, games, and audio--not least to assist visually impaired users.

"Captchas are put in place to protect sites from automation of actions," said Rob Rachwald, director of security strategy at Imperva, in a blog post. Such automation can be used by attackers to seed blogs with comments that include links to malware, to quickly copy large amounts of data from website databases, and to create a large number of fake accounts to trick people into believing that information or links relayed via those accounts--for example, on Facebook, Google+, or Twitter--is legitimate.

Over the years, Captcha builders have continued to refine their technology to try and stay ahead of automated Captcha-guessing tools. Accordingly, some attackers have turned to a more straightforward cracking strategy: outsourcing. "Services like DeCaptcher recruit Captcha solvers from around the world and offer Captcha-solving services as a retailer," reads Imperva's report. "Having many employees allows [a] 24-7 service guarantee while handling massive amounts of Captchas in very little time. At current rates, Captcha solvers get $1 to $3 dollars for solving thousands of Captchas, and are often rewarded (or penalized) according to their speed and achieved percent of accurate responses."

How much does it cost to crack a Captcha? The "Bypass Captcha" service charges $14 per 1,000 Captchas cracked, while "Death by Captcha" charges only $1.39. Meanwhile, other sites do it themselves by offering free games or even porn to site users in exchange for their prowess at solving Captchas, which are copied in from targeted sites. "Instead of paying for a subscription, the user browsing the site gets--every now and then--a pop-up containing a Captcha, which he is required to solve in order to keep enjoying the site or be allowed to see more content," said the report.

Accordingly, any website that relies on Captchas shouldn't make that its only defense against automated attacks or spammers. "Human-based Captcha solving services pose a serious threat to Web security and challenge the whole concept of Captchas," said the report. "They were originally intended to distinguish humans from computers, but now automated software is using actual humans to cheat the test and pass as humans."

For example, Imperva said that it reviewed a Captcha-defeating attack against a Brazilian government agency and saw what appeared to be an attack tool continually requesting refreshes of the security page containing a Captcha challenge. "It seems that the attack tool 'pressed' this button to gather more and more Captcha images, perhaps to create an offline dictionary for future use," said the report. With such a dictionary, the attack tool could take a screenshot of every Captcha, compare it with a dictionary of Captcha images that had been "solved" by humans, and then successfully bypass the Captcha security check.

Another attack detailed by Imperva was made against a Brazilian government agency that handles tax administration, validates the country's social security numbers, and also provides financial information for companies. Documents from this agency are required as a pre-condition to many other services in Brazil, like issuing a passport or getting a loan, according to the report.

To protect the site, the agency uses Captchas, as well as a rate limit, source IP limit--limiting the frequency of connections allowed from a given IP address range--and some other limitations to avoid a denial of service and automated access. But many corporate users--the report cites loan companies, banks, accounting offices, and law firms--actually purchase third-party software to bypass the Captchas and other security mechanisms to help them more rapidly access information about their customers.

Fortunately, attempts to automatically gather Captcha information or defeat such systems can leave telltale signs. For example, these requests often sport unusual rates of access--all originating from the same IP address--or use unusual HTTP headers. Accordingly, these techniques can be identified and used to block or throttle requests from suspect IP addresses. Blacklisting known bad sites and tracking reputation can also be employed to help identify which requests to block outright.

Imperva's report also recommends creating a baseline of normal behavior. "A site can create a profile of legitimate use in terms of rate of access, requested URLs, distribution, traffic volume, geo-location--[an] IP from [the] Ukraine trying to post in a Japanese blog," then require any user exhibiting suspicious behavior to jump through additional security hoops. As with other security tools, in other words, Captchas work best as part of a layered defense.

Security information and event monitoring technology has been available for years, but the information can be hard to mine. In our SIEM Success report, we provide a step-by-step guide to make the most of your SIEM system. (Free registration required.)

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights