web application security lab

Malware Solving CAPTCHAs

There’s an interesting link on MSNBC about malware that’s trying to solve CAPTCHAs. Basically it’s using a ruse: a sexy girl who tempts you with nudity if you type in some letters/numbers. The letters/numbers are, of course, CAPTCHAs from social networking sites, webmail or whatever. Very clever, but also very stupid at the same time.

One thing we’ve seen that actually is pretty clever: malware has the ability to do a lot, including re-writing webpages on the fly. However, the goal isn’t just to re-write some banners (yes, sometimes that is the goal); sometimes it’s to steal information. And sometimes it makes sense from an attacker’s perspective to ask for an additional piece of information (like a social security number) on a form. What I haven’t seen is adding an additional CAPTCHA to a page, which would go completely unnoticed by the average user (unlike a stripper on your desktop, which is sort of the opposite of subtle).
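The defensive counterpart to the page-rewriting described above is a form-integrity check: the application knows which fields it serves on a given form, so any extra input that shows up (an SSN box, a CAPTCHA answer field) is a signal that something rewrote the page between the server and the user. The following is an added example, not code from the original post; the form id, the expected-field policy and both HTML samples are constructed for illustration, and a small tag scanner stands in for a DOM so it runs stand-alone.

```javascript
// Added example (not from the original post): flag form fields that were
// injected into a page after the server sent it, by comparing the fields
// actually present against the set the application is known to serve.

// Expected field names per form, keyed by a hypothetical form id.
// Constructed policy for illustration.
const EXPECTED_FIELDS = {
  login: new Set(['username', 'password', 'csrf_token']),
};

// Scan <input>, <select> and <textarea> tags and collect their name attributes.
// A deliberately small tag scanner is used so the example needs no DOM library;
// it handles double-quoted, single-quoted and unquoted attribute values.
function extractFieldNames(formHtml) {
  const names = [];
  const tagRe = /<(input|select|textarea)\b([^>]*)>/gi;
  let match;
  while ((match = tagRe.exec(formHtml)) !== null) {
    const attrs = match[2];
    const nameMatch = /\bname\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(attrs);
    if (nameMatch) {
      let name = nameMatch[1];
      if (name === undefined) name = nameMatch[2];
      if (name === undefined) name = nameMatch[3];
      names.push(name.toLowerCase());
    }
  }
  return names;
}

// Report the field names present in the HTML that the application never serves.
function findInjectedFields(formId, formHtml) {
  const expected = EXPECTED_FIELDS[formId];
  if (!expected) throw new Error(`no field policy for form "${formId}"`);
  return extractFieldNames(formHtml).filter((name) => !expected.has(name));
}

// Constructed sample: the login form as the server sends it.
const CLEAN_FORM = `
<form id="login" method="post" action="/login">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="text" name="username">
  <input type="password" name="password">
</form>`;

// Constructed sample: the same form after in-browser rewriting added a CAPTCHA
// image with an answer field, plus a social security number field.
const TAMPERED_FORM = `
<form id="login" method="post" action="/login">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="text" name="username">
  <input type="password" name="password">
  <img src="https://example.invalid/captcha.png">
  <input type="text" name="captcha_answer">
  <input type="text" name='ssn' placeholder="Social Security Number">
</form>`;

function main() {
  console.log('clean form extras:', findInjectedFields('login', CLEAN_FORM));
  console.log('tampered form extras:', findInjectedFields('login', TAMPERED_FORM));
}

main();
```

In practice the comparison would run against the field names that actually arrive in the POST (a submitted `ssn` or `captcha_answer` parameter the server never asked for is just as telling) or be carried out by a page-side integrity script; the allowlist approach is the same in either place.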

7 Responses to “Malware Solving CAPTCHAs”

  1. Generic Says:

    Hun, interesting idea.
    Of course, subtlety is not very often seen in malware. System-wise (Hey, notmalware.exe is using 34.456k!) or, like you stated above, appearance-wise: “unlike a stripper on your desktop, which is sort of the opposite of subtle”.

  2. kuza55 Says:

    That’s actually a pretty good idea…

    But I still like the idea someone on sla.ckers.org came up with to have a “learn to read” program for kids, where you have them solve CAPTCHAs :p

  3. MustLive Says:

    Guys, there is no need for any malware to solve captchas when there is my Month of Bugs in Captchas ;-), which has started this month. And there will be a lot of vulnerable captchas.

    November will be the very hot month.

  4. Awesome AnDrEw Says:

    I find it to be an interesting and profitable idea. Never would have thought of something like that.

  5. navairum Says:

    Any new challenges coming up soon?

  6. MustLive Says:

    navairum, there is already a new challenge: for all captcha developers, to fix their vulnerable captchas and make reliable ones, and for all administrators of sites, to use more secure captchas.

    Look at craigslist.org CAPTCHA bypass
    http://websecurity.com.ua/1498/

    These guys need more reliable protection.

  7. Niyaz PK Says:

    Captchas were never secure. They are not user-friendly either.
    It is high time we removed captchas from our websites. Read my series of articles on Captchas.