Malware Solving CAPTCHAs
There’s an interesting link on MSNBC about malware that’s trying to solve CAPTCHAs. Basically it’s using a ruse of a sexy girl who tempts you with nudity if you type in some letters/numbers. The letters/numbers are, of course, the CAPTCHA answers for social networking sites, webmail or whatever. Very clever, but also very stupid at the same time.
One thing we’ve seen actually is pretty clever. Malware has the ability to do a lot, including re-writing webpages on the fly. However, the goal isn’t just to re-write some banners (yes, sometimes that is the goal) but sometimes it’s to steal information. And sometimes it makes sense from an attacker’s perspective to ask for an additional piece of information (like a social security number) on a form. What I haven’t seen is adding an additional CAPTCHA to a page, which would be totally invisible to the average user (unlike a stripper on your desktop, which is sort of the opposite of subtle).



November 1st, 2007 at 6:07 pm
Hun, Interesting idea.
Of course, subtlety is not very often seen in malware. System Wise (Hey notmalware/exe is using 34.456k!) Or like you stated above, appearance wise “unlike a stripper on your desktop, which is sort of the opposite of subtle”
November 1st, 2007 at 6:26 pm
That’s actually a pretty good idea…..
But I still like the idea someone on sla.ckers.org came up with to have a “learn to read” program for kids, where you have them solve CAPTCHAs :p
November 1st, 2007 at 7:48 pm
Guys, there's no need for any malware for solving captchas when there is my Month of Bugs in Captchas ;-), which has started this month. And there will be a lot of vulnerable captchas.
November will be a very hot month.
November 2nd, 2007 at 12:37 pm
I find it to be an interesting and profitable idea. Never would have thought of something like that.
November 2nd, 2007 at 1:55 pm
Any new challenges coming up soon?
November 3rd, 2007 at 6:32 am
navairum, there is already a new challenge. For all captcha developers - to fix their vulnerable captchas and make reliable ones, and for all administrators of sites - to use more secure captchas.
Look at craigslist.org CAPTCHA bypass
http://websecurity.com.ua/1498/
These guys need more reliable protection.
November 4th, 2007 at 9:28 pm
Captchas were never secure. They are not user-friendly either.
It is high time we remove captchas from our websites. Read my series of articles on Captchas.