Wednesday, October 03, 2007

DIY CAPTCHA Breaking Service

Given that spammers and phishers are already breaking, bypassing or outsourcing their CAPTCHA breaking needs, the introduction of a DIY (do-it-yourself) model, provided confidence in the recognition process is over 80%, was inevitable. The CAPTCHA Bot is a good example of a recently released DIY CAPTCHA breaking service where users feed their accounts with credits and set the URLs and CAPTCHAs to be recognized. If it were pitched at vendors or anyone out there maintaining a CAPTCHA as a service, it would have been a great idea; the trouble is that it would be largely abused in its current form.

Let's discuss the incentives model. Are developers of CAPTCHAs interested in improving the security of their CAPTCHAs through contests with financial rewards or job propositions for those who dare to break them? Not necessarily, and fixing vulnerabilities whenever they appear is done in an "on demand" fashion, as we've seen with Vladuz's eBay CAPTCHA populator. CAPTCHAs at the most popular web services are the gatekeepers of their online reputation; otherwise, the flood of splogs and malware-embedded blogs, as well as spam and phishing emails coming from free web-based email providers, may outpace the current model.

CISRT Serving Malware

The Chinese Internet Security Response Team is reporting that it has found embedded IFRAMEs serving malware within some of its pages. Although the blog itself is now clean, Trend Micro is pointing out that the main index is still IFRAME-ed and that the attackers took advantage of the momentum during China's "Golden Week" holiday.

IFRAMEs at the main index lead to:

js.users.51.la/392481.js
51.la/?392481
img.users.51.la/392481.asp

IFRAMEs at the blog used to point to:

mms.nmmmn.com/99913.htm
mms.nmmmn.com/30000.htm
mms.nmmmn.com/11122.htm

and ganbibi.com, where the twenty password stealers for online games, located at ads.ganbibi.com/100.exe to ads.ganbibi.com/120.exe in numerical order, are still active.
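For site owners who want to check their own pages against the hosts listed above, here is an added example (not part of the original post) that extracts every IFRAME and script source from a page and flags those resolving to one of the reported domains or its subdomains. The function names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Parent domains named in the post above; subdomains are matched as well.
REPORTED_HOSTS = {"51.la", "nmmmn.com", "ganbibi.com"}

class SrcCollector(HTMLParser):
    """Collect the src attribute of every <iframe> and <script> tag."""
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, src) pairs in document order

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.found.append((tag, src.strip()))

def host_of(src):
    """Lowercase host of an absolute or protocol-relative URL, '' otherwise."""
    if src.startswith("//"):          # protocol-relative: //host/path
        src = "http:" + src
    try:
        return (urlsplit(src).hostname or "").rstrip(".").lower()
    except ValueError:                # malformed URL, treat as no host
        return ""

def is_reported(host):
    """True for a reported domain or any subdomain of it (no substring matches)."""
    return any(host == h or host.endswith("." + h) for h in REPORTED_HOSTS)

def scan(html):
    """Return the (tag, src) pairs that point at a reported host."""
    parser = SrcCollector()
    parser.feed(html)
    parser.close()
    return [(tag, src) for tag, src in parser.found if is_reported(host_of(src))]

# Constructed sample page: one local script, two injected references,
# and one look-alike host that must not match.
SAMPLE = """<html><body>
<script src="/js/site.js"></script>
<iframe src="http://MMS.NMMMN.COM/99913.htm"></iframe>
<script src="//js.users.51.la/392481.js"></script>
<iframe src="http://not51.la.example.org/frame.htm"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src in scan(SAMPLE):
        print(f"reported host referenced by <{tag}>: {src}")
```

Matching on the parsed hostname rather than on a substring of the page avoids false hits on look-alike hosts and on URLs that merely mention a reported domain in their path.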

Related posts:
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware