Feeds

Virtual! stripper! game! targets! Yahoo!

Captcha-busting Trojan warning

The essential guide to IT transformation

Spammers have come up with a sleazy - but undoubtedly ingenious - way to defeat anti-spam security checks.

The Captcha Trojan disguises itself as a stripper game that offers voyeurs the chance to see images of a model getting undressed. In order to get "Melissa" to lose an item of clothing, the user must identify the letters or numbers found within a scrambled text image that forms the basis of a captcha (Completely Automated Public Turing test to tell Computers and Humans Apart). Providing users identify the letters correctly, Melissa shows a bit more skin.

Captcha challenge-response systems, which are used to prevent accounts being created until a user correctly identifies letters in an image, are designed to ensure requests are made by a human rather than an automated program. In the case of the Captcha Trojan, the captcha comes from a website hackers wish to sign up to rather than the "game" itself.

So by deciphering the text, voyeurs are unwittingly helping crooks get around checks designed to stop them establishing accounts. These newly-created accounts may later be used to send junk mail or other malign purposes.

Captchas have been used to defeat automatic sign-ups to email accounts by services including Yahoo! Mail and GMail for years. Increasingly hackers have had more success at defeating the approach. For example, the HotLan Trojan has created more than 500,000 spam email accounts with Hotmail, Yahoo! and GMail since its arrival back in July.

Once a webmail account is established, encrypted spam emails are sent from a website onto infected machines. The HotLan Trojan then decrypts these junk emails and sends them to (presumably valid) addresses taken from yet another website. Generally these accounts get shut down following complaints after a few days, but in the meantime spammers have a resource to abuse.

Nice 'n sleazy

The Captcha Trojan represents an evolution in techniques designed to thwart Captcha challenge-response systems. The captchas seen in early versions of the Captcha Trojan program come from the sign-up system used by Yahoo!, according to an analysis of the package by anti-virus firm Trend Micro. "Although various methods of OCR (Optical Character Recognition) are already used to circumvent the CAPTCHA, this social engineering technique is new in that it uses people to unsuspectingly aid a malicious user," writes Trend researcher Roderick Ordoñez.

The virtual stripper game-cum-security-check-defeater most often appears on already infected machines. Even so, its prevalence is low and the few security firms to detect it so far (Trend Micro and Panda) classify it as a low-risk pathogen.

A Yahoo! representative told the BBC that it recognised the need to adapt its capatcha technology to deal with evolving spammer tactics. "Yahoo is continuing to innovate in our defenses against this type of abuse," a statement from the firm said. "We have a number of mechanisms to help us detect and respond to abuse." ®

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
KER-CHING! CryptoWall ransomware scam rakes in $1 MEEELLION
Anatomy of the net's most destructive ransomware threat
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?