Strip CAPTCHA Spam

By | October 30, 2007

TROJ_CAPTCHAR.A screenshot

Whatever useful stuff the good guys come up with, the bad guys ain’t far behind. A few months back I wrote about researchers at Carnegie Mellon coming up with a way to use CAPTCHA tools to help decipher words in text by the Internet Archive. The basic idea is that the effort to prevent spammers and others automating their intrusion into websites (signing up for stuff, comment spam etc) should not be wasted.

Now a sleazeball has found a way to do the same thing: get folk to decipher CAPTCHA texts through a small program, delivered by Trojan, that offers striptease in exchange for guessing the texts correctly (Trend Micro, via via Seth Godin):

A nifty little program which Trend Micro detects as TROJ_CAPTCHAR.A disguises itself as a strip-tease game, wherein a scantily-clad “Melissa” agrees to take off a little bit of her clothing. However, for her to strut her stuff, users must identify the letters hidden within a CAPTCHA. Input the letters correctly, press “go” and “Melissa” reveals more of herself.

However, the “answers” are then sent to a remote server, where a malicious user eagerly awaits them. The “strip-tease” game is actually a ploy by ingenious malware authors to identify and match ambiguous CAPTCHA images from legitimate sites, using the unsuspecting user as the decoder of the said image.

As Trend Micro points out, the CAPTCHAs in this case are from Yahoo! Web site, suggesting that a spammer is building up Yahoo! accounts.

CAPTCHA Wish Your Girlfriend Was Hot Like Me? – TrendLabs | Malware Blog – by Trend Micro

Technorati Tags: , , ,

3 thoughts on “Strip CAPTCHA Spam

  1. Michel S.

    CAPTCHAs ought to have watermarks that identify where they are supposed to be displayed — that way people would at least be aware that their answers might be misused.

  2. Danny

    Well, having built a a little blog engine (just to know how it feels), I found a method way easier than including a CAPTCHA and playing with php libraries and so on.

    And I guess it’s even more reliable.

    Instead of a picture, you can generate a simple question that require an all letters written answer.

    Like : What is the result of three plus three ?

    Just fill in “six”, and you are good to go. A simple algorythm can generate more questions from an array.

    Various solution actually exist to replace the captcha, just try them out.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.