Logo

Spammers employ stripper to crack CAPTCHAs

In a new striptease game, a beautiful blonde described as “Melissa” promises to remove her clothes, but she doesn't want your money. She's interested in your brain. Really.

melissa02.jpg

The game is in fact a social engineering ploy that crowdsources the brainpower of unsuspecting users to crack so-called CAPTCHAs. The letters stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. In short, a CAPTCHA is some sort of puzzle that is simple for humans to solve, but hard for computers. The idea behind the CAPTCHA is to prevent automatic computer programs from signing up for online services intended for humans. So-called black hat SEO methods, in particular link spam, depends on automatic computer programs getting access to message boards and free email services.

The striptease exploit is simple enough. The CAPTCHA graphics is picked up from whatever service it is used to protect. It is then combined with the image of buxom “Melissa” and presented to unsuspecting users playing the striptease game. All the game has to do, is to wait for the user to solve the puzzle. When the puzzle is solved, the answer is sent to the malware program that uses the answer to gain access. In the example shown above, the oddly shaped letters is a CAPTCHA from the Yahoo! signup-screen, while the rest of course is supplied by the game.

Source: TrendMicro. TrendMicro found the striptease game as part of a trojan program, but the exploit would work just as well if implemeted as an ordinary stand-alone web page.