Striptease Used to Recruit Help in Cracking Sites

Malware authors are using a scantily clad lady to dupe players into decoding legitimate site CAPTCHAs.

Frustrated malware authors are duping people into decoding legitimate site CAPTCHA images for them with the help of a striptease.

Trend Micro has identified the program as TROJ_CAPTCHAR.A, a striptease game wherein the player enters the letters hiding within a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) image. For each correct entry, more clothes come off in photos of a scantily clad woman identified as "Melissa."

The CAPTCHAs shown in Trend Micro's posting were taken from Yahoo, which the security firm thinks is a possible pointer to a build-up of Yahoo account information, possibly for the purposes of spamming.

CAPTCHAs were first deployed to fight off bots and other automated software such as spam generators. Used to differentiate humans from automated processes, they're put up to protect systems vulnerable to spam, including Web mail services from Gmail, Hotmail and Yahoo, but are also used to prevent automated posting to blogs or forums.


Visitors validate themselves as human by deciphering a sequence of alphanumeric characters embedded in an image that is supposed to be unreadable by machines, although OCR (Optical Character Recognition) can be used to thwart the tests.

"Some people are really hooked up on defeating the CAPTCHA, and they are literally asking for public help, in a rather discreet—and, um, provocative—manner," TrendLabs' Roderick Ordoñez said about the striptease CAPTCHA stunt, in a posting.

Answers entered by striptease gamers are routed to a remote server, Trend reports, where a malicious user matches the correct code to the given CAPTCHA on Yahoo's site.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.