CAPTCHA and Social Engineering
CAPTCHA is the bane of spammers who use bots to register email addresses and submit comments, right? Wrong. Whenever there’s a problem, there will inevitably be a solution. And for CAPTCHA, spammers have found an innovative way of getting past the cryptic verification images (sometimes so cryptic that legitimate users cannot decipher them!).
It’s all about social engineering, of course. Loose Wire alerts us to the Strip CAPTCHA trojan, which preys on unknowing individuals. It’s simple: decipher the code, and the young lady will show some skin. Now who wouldn’t be interested in deciphering a CAPTCHA code with that on offer?
The images above were hotlinked from Trend Micro (thanks guys!) who have issued a warning about this kind of social engineering ploy.
A nifty little program which Trend Micro detects as TROJ_CAPTCHAR.A disguises itself as a strip-tease game, wherein a scantily-clad “Melissa” agrees to take off a little bit of her clothing. However, for her to strut her stuff, users must identify the letters hidden within a CAPTCHA. Input the letters correctly, press “go” and “Melissa” reveals more of herself. However, the “answers” are then sent to a remote server, where a malicious user eagerly awaits them. The “strip-tease” game is actually a ploy by ingenious malware authors to identify and match ambiguous CAPTCHA images from legitimate sites, using the unsuspecting user as the decoder of the said image.
Where there’s a will, there’s a way. And where there’s a way, there will be unsuspecting people who are stupid enough to play your game.
The CAPTCHA “game” being discussed by Trend Micro doesn’t relate directly to blogging, though. Most blogs these days use passive forms of spam-catching, such as Akismet and comment moderation. Still, this means we bloggers shouldn’t be complacent about securing our systems against spam attacks and other intrusions.
What do you think?