Schneier on Security
A blog covering security and security technology.
« Architecture and Anti-Terrorist Paranoia |
| Good Essay on the No-Joke Zone at Airports »
November 1, 2007
Spammers Using Porn to Break Captchas
Spammers have created a Windows game which shows a woman in a state of undress when people correctly type in text shown in an accompanying image.
The scrambled text images come from sites which use them to stop computers automatically signing up for accounts that can be put to illegal use.
By getting people to type in the text the spammers can take over the accounts and use them to send junk mail.
I've been saying that spammers would start doing this for years. I'm actually surprised it took this long.
Posted on November 1, 2007 at 2:37 PM
• 28 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Aren't there time limits on the captchas? Every time I have to type in scrambled text to post a comment on some blog, there's a limit so tight that I have to type my comment, hit post, wait for the *new* scrambled text to come up, and then type the scrambled text.
It might be possible to transfer the captcha image to another page, put it up, get a response, and get back to the protected page in time to get through, but I doubt it would work very often.
Does the porn unscramble from typing *anything* in, or only after it's confirmed good by getting through the captcha on the target page? In the first case, people are going to catch on and just hit a few random keys. In the second place, if there is a timeout in place, you'd miss it so often that the porn page would be extremely frustrating.
Porn appears to be the closest thing to Star War's "The Force" concept in the real world (or at least on the net). It's a pervasive background influence that can be used by adepts to manipulate reality and behavior (which is the same as reality, on the net) in surprising and near-supernatural ways.
Too bad the dark side has a near monopoly on its use. Perhaps The Porn could be used to make people analyze SETI data, or factor large prime numbers, or something.
Use The Porn, Luke...
...er, make that "...products of large prime numbers..." of course... (sheesh)
The time-limit applies to the game as well. The virus acts as man in the middle except that it shows a new porn picture in case of success.
Even the theoretically perfect captcha is worthless if confronted by a bribed human. Its only benefit is the slow-down that you need to find a human to solve it...
Porn is so hard to come by that people feel the need to fill out a CAPTCHA to get it?! The counter-attack on this technique is obviously to flood the Internet with even more free porn (- as if it needs more).
Once again, Mac users get left behind as the computer gaming industry moves forward...
"Too bad the dark side has a near monopoly on its use. Perhaps The Porn could be used to make people analyze SETI data, or factor large prime numbers, or something."
Though I don't agree with your porn-force comparison, this technique has been in use for good purposes as well.
I happened upon a University of Washington CS presentation on TV talking about a game the presenter has developed that pairs two users together. An image appears on their screens and the game is to type in what you think the other person is typing about the image. It was an example of employing human brain power to the problem of image recognition. They then made the database of information search-able and the results were much more accurate than what you see on modern search engine searches.
They then took it a step further and had one player who would see the picture and the list of most popular responses this image had. The goal was for the player seeing the image to uncover areas of the image that they feel will most likely cause the other player (who only sees what they uncover) to correctly identify the image by typing the tags.
I believe they had a link to a web page where you could play the game, but I can't for the life of me find it. I thought that it was a very interesting concept and brings into focus the largely untapped resource of human computational power.
Genius... pure genius. If only the US could ditch its public hatred of human sexuality. I can see 100,000 real, brutal, human deaths by acts of inexplicable violence on basic cable before I see one female breast, the initial source of life-giving nourishment for our entire species.
A fun game: try to assess the number of psycho-sexual maniacs this type of repression and censorship (of, again, the source of all human life) creates... yay!
MySpace are getting on top of this by watermarking their captchas with the site name. It's the next step to defend against this.
Um, if you can get someone to play a game downloaded from who knows where with a nekkid lady and some jumbled letters, haven't you already won?
@A. C.: There are sites on the net capable of solving that math problem. The ones I've looked currently require restating the formula in a linear more functional form, but I don't believe it's such a huge step using OCR(*) techniques and parsing the standard 2D form into something a solver program could handle.
(*)What's the term when you're recognizing characters from a digital image representation the way OCR does, but when there's no actual optical intermediary?
The novelty is that they were paying people for that, and now, they got people for free.
How much cost a random porn picture taken off the web ?
Tricks can easily be used in eg Bitttorrent for the latest TV show and new release movies
They might be using the porn-induced human response to train a machine learning algorithm to get better at defeating captchas. This would make the time limit irrelevant...
I have a solution. Create Captchas requiring kayboards and mouse at the same time so that you have to keep both hands above the table :-)
@Dave Page: "watermarking CAPTCHAs with the site name"
The trojan will simply add a "image gallery sponsored by $SITENAME" label somewhere within its window.
Hate to burst your bubble Bruce but they HAVE been doing this for years. Various forms exist including free porn downloads in exchange for the visitor filling out the inline captchas, some websites that promise free prizes... just type in the captcha for socalled "security purposes for verification please" and then sending them around and around several websites all linked together and all requiring captchas to be filled, until they get bored and quit. Even some free proxy or anonymous browsing sites use this gambit as well.
I'm told it's very handy for creating new accounts for everywhere from Blogspot to Myspace and beyond. Some people can get thousands of accounts a day this way with a popular enough redirection link pointing at the script. You setup a slew of websites all ranking for various keywords that are otherwise useless for sending affiliate traffic to, and then once the traffic has started building you cloak the site for the search engines and redirect the real visitors to the merry-go-round of captcha filling.
You can even pass through and use the visitors own ip as the account creator if you do it properly, and some scripts are smart enough to check where the ip of the visitor comes from and they can have different captchas from different social networking sites using those visitors, depending on the script writers requirements.
And in response to markm aboves comment it's easy, apparently, to have an automated script with several random variables such as zipcode, name and address etc, and it actually runs in real time, fills the page and submits, much faster than a human can of course. And if the captcha does expire then as normally would happen on the real site a new one is put up for the visitor to fill out, though they don't know it's final intended purpose.
This is only the very tip of this iceberg though, as almost everything else is automated as well, from the harvesting of member id's on the network to sending out friend requests to posting automated comments on those same networks.
The reason all this is done of course is purely to make as many accounts as possible on the social networks because most of them, especially Myspace and Facebook, have become really good at spotting and deleting "fake" accounts, so you need a good system to replace those accounts at as high a rate as possible.
Hope this helps with some of the reasons "why" this is done, and yes I've seen these for years, maybe as many as 6 or 8 years.
Why would watermarking really matter to someone wanting to look at naked women?
It will curb it some, but most people would...simply...not care.
>A fun game: try to assess the number
>of psycho-sexual maniacs this type of
>repression and censorship
The only thing that's sillier then Victorian attitudes towards sex...are the theories that those attitudes create greater evils.
I'm not familiar with non Western Civilization cultures in this regards, nor much before year 1.
But it's hard to argue that "repression and censorship" create sexual excesses when you look at the historical record. Early Christian attitudes towards self-control in sex were developing at a time of pedophilliac Roman Emperors.
What you called "repression and censorship" neither created sexual deviancy, nor was it effective in purging it from human nature.
Hopefully most of the time we strike a reasonable balance to have people exercise free will to control their biological impulses so they don't hurt others, while not being unneccesarily restrictive as a culture.
It is nothing new, look at the commets to the April 10th 2006 post about CAPTCHAs.
Perhaps you should use a software like "TheBrain"
I've heard of torrent sites requiring a Captchas to log in and using it in the same way.
The only secure way to protect data is to pull the cord, hell, thats not even secure, it is stil possible to extract datas, there is no secure way to protect data. So on the other hand there are no secure way to enter data into a system. My blogg's comments need to be approved manually, that is the closest way to secure enter data into systems. I have allways thought captchas is a bad idea, but there is little I can do to usage of it on sites I don't administre though.
I strongly recommend Luis van Ahn's Google Tech Talk on this topic. I felt my IQ rising as I watched it! :)
@Dave Page: "watermarking CAPTCHAs with the site name"
@Paeniteo: The trojan will simply add a "image gallery sponsored by $SITENAME" label somewhere within its window.
What about watermarking CAPTCHAs with another CAPTCHA stating "Use restricted to Google.com" ?
@h: "Use restricted to Google.com"
What's the point? The trojan displays "this game sponsored by google.com".
One might add a "restricted content used under license".
Do you actually believe that users can differentiate betweeb, say, a browser-game hosted on google.com and the trojan that simply states that it is sponsored by (and, therefore, downloaded from) google.com?
Heck, the trojan could also include logos, ad banners and whatever needed to look more authentic. Even a simulated browser address bar is imaginable (conveniently displaying "google.com").
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.