... Intelligence report, A CAPTCHA in the Rye ...
Good grief, aren't these report-writers well read, and witty with it!
The cybercrooks attempting to defeat CAPTCHAs are no longer just traditional junk-mailers who want to get around the test to send spam. In a recent study, security researchers have discovered that criminals are also using circumvention techniques in attacks that harvest financial or personal data. A CAPTCHA (Completely …
Great! — I can't wait. It usually takes me about three goes to get the current ones right [and I'm a human!]
My particular favourites are the ones which make no visible distinction between zero and O, or L and I and 1... and it's an added bonus if they don't bother to tell me whether the CAPTCHA is case sensitive or not.
My nomination for best/worst CAPTCHAs was the one where you're expected to enter non-Latin characters... to gain access to an English-language website.
First CAPTCHA was in Hebrew [I clicked "Choose Another"]
Second CAPTCHA was in Greek [I clicked "Choose Another"]
Third CAPTCHA looked Nordic. I opened LibreOffice, did an Insert Special Character, then scrolled down to the "lower-case-letter-'a'-with-a-circle-over-it", clicked it, went back to my blank document, copied that single character into the clipboard, went back to Firefox, and pasted it into the CAPTCHA text area.
are those damnable photos of house numbers and letterboxes that Google have started insinuating into the CAPTCHA process. Occasionally there's even a number actually visible in the photo - but most of the time it's just a photo of a door or a window, with no numbers or letters visible, and whatever you're supposed to type in could be anything.
As a result, when I see those, I resort to 4chan's CAPTCHA-buggering trick of putting a well-known American ethnic slur for dark-skinned people, for the unknown image.
(For those not familiar with this technique: CAPTCHA includes two elements - a known word and an unknown word (or image). The known word is the one that is heavily twisted and distorted; the unknown word is usually less distorted and often appears simply poorly scanned (or is a photo of a house door or something). By putting in the correct answer for the known word and putting in "n****r" for the unknown word you can still pass the CAPTCHA.
The upshot of this is that CAPTCHA is being used to translate books into digital format; if enough people type the same racial slur for the unknown words/images then there supposedly exists the 'lulzy' probability of digitised ebooks being released to the public with this word recurring through them, occasioning bad trouble, scandal and heavy fines for the publishers!)
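The two-element mechanism the comment above describes (only the known control word gates access; the unknown word is just a transcription candidate) can be modelled in a few lines. The following is an added example, not code from the original thread, from the defender's side: it also shows the two things a site operator would want that the thread complains about elsewhere, namely folding the 0/O and 1/l/I glyphs nobody can tell apart, and accepting a transcription only once several independent sessions agree, so one session typing junk for the unknown word does not end up in the digitised text. All names, the quorum size and the sample sessions are constructed for this example.

```python
from collections import Counter, defaultdict
import hmac

# Fold the glyphs the thread says nobody can tell apart (0/O, 1/l/I/|),
# so a human who reads "Ph0ne" as "phone" is not rejected. Trade-off:
# slightly fewer distinct answers, much less user frustration.
_FOLD = str.maketrans({"0": "o", "1": "l", "|": "l"})


def normalize(text: str) -> str:
    """Case-fold and collapse visually ambiguous glyphs before comparing."""
    return text.strip().replace("I", "l").lower().translate(_FOLD)


class TranscriptionStore:
    """Collects answers for unknown words and accepts a transcription only
    when `quorum` independent sessions agree on it (hypothetical design)."""

    def __init__(self, quorum: int = 3):
        self.quorum = quorum
        self.answers = defaultdict(list)  # image_id -> [(session_id, text)]
        self.accepted = {}                # image_id -> agreed transcription

    def record(self, image_id: str, session_id: str, text: str) -> None:
        # One vote per session per image: a single client replaying the
        # same answer cannot stuff the ballot for that image.
        if any(s == session_id for s, _ in self.answers[image_id]):
            return
        self.answers[image_id].append((session_id, text))
        votes = Counter(t for _, t in self.answers[image_id])
        best, count = votes.most_common(1)[0]
        if count >= self.quorum:
            self.accepted[image_id] = best


def verify_challenge(control_word: str, control_answer: str, image_id: str,
                     unknown_answer: str, session_id: str,
                     store: TranscriptionStore) -> bool:
    """True if the control word matched; the unknown answer is only a vote."""
    expected = normalize(control_word).encode("utf-8")
    given = normalize(control_answer).encode("utf-8")
    if not hmac.compare_digest(expected, given):
        return False  # the control word is the only thing that gates access
    store.record(image_id, session_id, normalize(unknown_answer))
    return True


def run_demo():
    """Constructed scenario: five sessions see the same unknown image.
    One types junk for it, one fails the control word, one replays."""
    store = TranscriptionStore(quorum=3)
    verify_challenge("Ph0ne", "phone", "img-7", "42", "s1", store)
    verify_challenge("Ill", "1ll", "img-7", "junk", "s2", store)    # passes, junk recorded
    verify_challenge("Ph0ne", "phony", "img-7", "42", "s3", store)  # control wrong, nothing recorded
    verify_challenge("Ph0ne", "phone", "img-7", "42", "s1", store)  # replay by s1, vote ignored
    verify_challenge("Ph0ne", "phone", "img-7", "42", "s4", store)
    pending = dict(store.accepted)                                  # still {}: only two votes for "42"
    verify_challenge("Ph0ne", "phone", "img-7", "42", "s5", store)
    return pending, dict(store.accepted)                            # ({}, {"img-7": "42"})


if __name__ == "__main__":
    print(run_demo())
```

The point of the quorum is that the transcription side and the access-control side are separate: a wrong unknown word never blocks the user, but it also never becomes the accepted reading unless a majority of unrelated sessions typed the same thing.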
It's difficult not to make CAPTCHAs and/or alternatives too hard, particularly if your website/forum/blog has a multilingual user base (where question/answer rules can quickly break down). I've heard good things about animated CAPTCHAs, but, if they do indeed work, they won't work for long given this war of attrition. The sweatshop issue is even harder to beat.
If only wetards wouldn't click on spam - but that's an even bigger battle!
CAPTCHA's no longer pit man against machine - most of them have become so annoying that I often give up - but increasingly man against man but with vastly different incentives. The CAPTCHAs I come across are generally related to getting access to some kind of website service and have little marginal value. Post-submission validation by e-mail seems to work just as well and is far less irritating, but where CAPTCHAs are used to protect identity then the thieves have a far greater incentive to attempt to crack them.
One of Wordpress's best kept secrets is the Akismet anti-spam tool. I run a personal blog, and Akismet flawlessly separates the spam from the genuine comments without CAPTCHAs, email validation or human intervention.
[Disclaimer: I have no personal association with Wordpress.]
Thing is, sweatshoppers can be literate enough in English to understand the question. The big challenge is beating the sweatshops where the Turing part of the CAPTCHA doesn't really apply (IOW, you're now trying to distinguish a real user from a sweatshopper--man against man; tricky tricky...).
"If they'd stop scanning books... we wouldn't have to answer any more CAPTCHAs."
Whenever I see a photograph as part of a captcha, I *always* answer it incorrectly, and the incorrect answer is *always* accepted as correct.
Because I refuse to be part of Google's "the world is an endless supply of free labor for us" policy.
CAPTCHAs are only effective all the time they're not actively targeted - as soon as they receive any unwelcome attention, you're stuffed.
The trick, really, is to make them unique to the content of the site, and this is why anti-spam Q&A are so much more effective, because you can target the Q&A to the site itself, about things that people going to the site would be likely to know, e.g. I know a user who runs a forum about a game called Elements, and naturally, the anti-spam question 'How many elements are there?' means a different number to an Elements player as it would do everyone else - but that's fine.
The multi-lingual problem isn't really a problem either, it's not actually that hard to set things up so there are different questions for users with different languages (assuming you've provided a method by which alternative languages can be selected for guests)
The problem with CAPTCHAs is that ever more intricate methods are being devised - including people wrapping entire simple games around the forms in order to add one-shot values to things for verification - but this is not actually that useful from a user's perspective.
I also recently had an interesting debate with someone who is running campaigns where simple CAPTCHAs are constructed that specifically promote companies. You can only imagine how effective that really is.
Actually, I still monitor my spam on two accounts, and identity theft spam has become the clear leader these days, but most of it is pretty naive, and the author's approach makes him sound quite naive, too. Most of what I'm seeing is actually in the form of 419-style garbage trying to get the suckers to send in various bits of the data needed for the identity theft. The scammers are NOT relying on the CAPTCHA side of it, and it is stupid to shoot there. The spammers simply use those accounts to throw out the bait.
The actual hooks are pointing at accounts on other email systems, mostly Gmail and Yahoo.com.hk, along with some of the minor players like globomail. It is noteworthy that Microsoft (AKA Hotmail and live.com) is clearly NOT favored for the spammers dropboxes. Can't prove it, but I'd wager it is because Microsoft has become fastest at identifying and nuking those accounts before the scammer can reach the suckers. It is possible to fight the spammers more effectively, but Yahoo is too feeble, and either Gmail doesn't care or is too evil. I really hate to give kudos to Microsoft, but they have been leading the upstream war against the spammers, and now it looks like they are leading downstream, too.
Of course, I still want a REAL spam fighting tool that would let me join in making the miserable spammers' lives even more miserable. Something like SpamCop, but on steroids. If you are familiar with SpamCop, you know that it is one round of analysis looking for the spammers' ISP and webhost, and one round of confirmation before sending complaints. What I want would involve several rounds of increasingly refined analysis, going after ALL of the spammers' infrastructure, pursuing ALL of the spammers' accomplices, and even trying to help or protect ALL of the spammers' victims.
Perhaps a few examples would help. An integrated spam-fighting system could focus on unsubscribe mechanisms to identify the legitimate ones from the address harvesters. At a minimum, that would involve some testing with honeypot addresses. A powerful spam-fighting system could notify the owners of valuable brands that their reputations are being abused and even give them an opportunity for legitimate counter-marketing to prove they are on our side against the spammers. The human being in the loop could categorize the spam and help prioritize the serious spam for the rudest responses. I really want the tools to be a first-class spam fighter.
By the way, I actually think it is unfortunate that Cisco owns SpamCop now. Cisco doesn't really care about who creates the need for their hardware. The SpamCop guys are sincere, but they've lost their fire now. In contrast, you would think that the email providers would really care about increasing the value of email--and nothing destroys the value of email more than spam. They should burn with the desire to encourage GOOD email, not spam.
Whoops, forgot two more obvious examples, one related to the original article and the other related to my first example.
As regards the articles, the human intelligence of volunteers can help the spam-fighting system recognize abuse of CAPTCHA systems. Actually, there's another aspect that is key here. The spammers can't obfuscate when they are trying to reach their human suckers. That would defeat themselves, though sometimes it looks like they are having a reverse intelligence test, looking for people who are stupid enough to believe preposterous scams but somehow still capable of owning a bank account.
As regards my own example of the predominance of 419-like scams with dropboxes on other email services, that is obviously something that human beings can help with, though the system can also help during the iterations. For example, the system can test a domain and determine that the address is bogus, and then let the user confirm it. Why bother with the check in that case? For example, a human being might realize that the bogus address is actually slightly obfuscated in a way that a persistent sucker might figure out, and then that human spam fighter could guide the system to the actual dropbox. It would also be useful to sort the non-dropbox address. I can think of cases where the spam includes possibly legitimate addresses to give credibility to the scam, something like customer-support at visa dot com that might help fool a sucker who doesn't notice the Reply-to is pointing to a completely different place. In those sorts of Joe jobs, it's obviously in the strong interest of the legitimate company to help protect their customers from the crooks.
I forgot to mention one other annoying category: External sources that are cited to give credibility to the scam. Usually just news websites, but sometimes such sources as Wikipedia. In cases like that, such a spam-fighting system could help them protect their reputation (and their readers), by helping them quickly add a warning to the target webpage of the URL. Something like a short 419 alert and a link to a page that explains why you shouldn't send any money to the scammers.
Back when being on somebody's blacklist actually mattered, entities like Spamcop et al. were useful in the fight.
Now, blacklists have no power - when one zombie is blacklisted, a thousand shall rise.
Unless and until there is something to put teeth into an entity like Spamcop - e.g. "We, Google, will use Spamcop's blacklists. Moreover, any ISP that is marked by Spamcop as 'refuses this type of report' shall ALSO be blocked - you don't want to handle spam reports, we don't want to index you, or allow you access to ANY Google services. All your users will see is a 'Your ISP doesn't care about spamming, so we don't care to service you - take it up with them."
That might make a change.
Then again, so would a significant change in the fine structure constant - and that is just about as likely.
Just out of interest:
Which sites are offering this ?
How good is the porn ?
Also, on a related note, why can't we invent PORNCHA (I'll leave it to someone else to work out what the acronym stands for) ? It shows a porn pic and you have to enter what position is being demonstrated (e.g. 'Missionary', 'Reverse Cowgirl', 'Cleveland Steamer' etc.).