Striptease Used to Recruit Help in Cracking Sites

By Lisa Vaas  |  Posted 2007-10-31

Malware authors are using a scantily clad lady to dupe players into decoding legitimate site CAPTCHAs.

Frustrated malware authors are duping people into decoding legitimate site CAPTCHA images for them with the help of a striptease.

Trend Micro has identified the program as TROJ_CAPTCHAR.A, a striptease game wherein the player enters the letters hiding within a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) image. For each correct entry, more clothes come off in photos of a scantily clad woman identified as "Melissa."
The CAPTCHAs shown in Trend Micro's posting were taken from Yahoo in what the security firm thinks is a possible pointer to a build-up of Yahoo account information, possibly for the purposes of spamming.
CAPTCHAs were first deployed to fight off bots and other automated software such as spam generators. Used to differentiate humans from automated processes, they're put up to protect systems vulnerable to spam, including Web mail services from Gmail, Hotmail and Yahoo, but are also used to prevent automated posting to blogs or forums.
Visitors validate themselves as human by deciphering a sequence of alphanumeric characters embedded in an image that is supposed to be unreadable by machines, although OCR (Optical Character Recognition) can be used to thwart the tests.
"Some people are really hooked up on defeating the CAPTCHA, and they are literally asking for public help, in a rather discreet—and, um, provocative—manner," TrendLabs' Roderick Ordoñez said about the striptease CAPTCHA stunt, in a posting.
Answers entered by striptease gamers are routed to a remote server, Trend reports, where a malicious user matches the correct code for a given CAPTCHA on Yahoo's site.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
