back to article CAPTCHA-busting villains branch out from spam into ID theft

The cybercrooks attempting to defeat CAPTCHAs are no longer just traditional junk-mailers who want to get around the test to send spam. In a recent study, security researchers have discovered that criminals are also using circumvention techniques in attacks that harvest financial or personal data. A CAPTCHA (Completely …


This topic is closed for new posts.
  1. Anonymous IV
    Thumb Up

    ... Intelligence report, A CAPTCHA in the Rye ...

    Good grief, aren't these report-writers well read, and witty with it!

    1. Anonymous Coward
      Thumb Down

      Re: ... Intelligence report, A CAPTCHA in the Rye ...

      Well, not really, considering their feeble pun makes no sense

      1. Anonymous Coward

        Re: ...their feeble pun makes no sense

        It wasn't even the inane ramblings of a self-obsessed teenager!

        1. Arctic fox

          Re: "It wasn't even the inane ramblings of a self-obsessed teenager!"

          You never know, they may have managed the inane rambling bit. -:P

    2. Anonymous IV

      Re: ... Intelligence report, A CAPTCHA in the Rye ...

      Oops! Must have missed off


      from my previous post.

  2. Anonymous Coward

    Seems that the scum of the earth are forever at it. Maybe Sharia law is not such a bad thing after all, cut the hand off the thieving barstewards.

    1. Steven Roper

      Yes it is a bad thing

      Encouraging Sharia law to deal with cybercrooks is definitely a case of curing the disease by killing the patient.

  3. Turtle

    Work work work...

    "CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) "

    One has to think that an acronym like that represents a lot of work: acronyms do not get much more labor-intensive than that, I should think. Well, outside of the military, that is.

  4. Anonymous Coward
    Thumb Up

    Approaches on offer include delivering more difficult CAPTCHAs...

    Great! —I can't wait. It usually takes me about three goes to get the current ones right [and I'm a human!]

    My particular favourites are the ones which make no visible distinction between zero and O, or L and I and 1... and it's an added bonus if they don't bother to tell me whether the CAPTCHA is case sensitive or not.

    1. Schultz Silver badge

      More difficult CAPTCHAs...

      Especially pleasant on the train with on- and off connectivity, using a mobile phone ("sorry: mobile view not supported") to get into that forgotten email account with hotel information...

      Gotta love CAPTCHAs.

    2. Anonymous Coward
      Anonymous Coward

      @madra- Re: Approaches on offer include delivering more difficult CAPTCHAs...

      My nomination for best/worst CAPTCHAs was the one where you're expected to enter non-Latin characters... to gain access to an English-language website.

      First CAPTCHA was in Hebrew [I clicked "Choose Another"]

      Second CAPTCHA was in Greek [I clicked "Choose Another"]

      Third CAPTCHA looked Nordic. I opened LibreOffice, did an Insert Special Character, then scrolled down to the "lower-case-letter-'a'-with-a-circle-over-it, clicked it, went back to my blank document, copied that single character into the clipboard, went back to Firefox, and pasted it into the CAPTCHA text area.

    3. Spasch

      Re: Approaches on offer include delivering more difficult CAPTCHAs...

      Those, along with the idiotic ones with no option of refreshing..

    4. Anonymous Coward
      Anonymous Coward

      The ones that get me

      are those damnable photos of house numbers and letterboxes that Google have started insinuating into the CAPTCHA process. Occasionally there's even a number actually visible in the photo - but most of the time it's just a photo of a door or a window, with no numbers or letters visible, and whatever you're supposed to type in could be anything.

      As a result, when I see those, I resort to 4chan's CAPTCHA-buggering trick of putting a well-known American ethnic slur for dark-skinned people, for the unknown image.

      (For those not familiar with this technique: CAPTCHA includes two elements - a known word and an unknown word (or image). The known word is the one that is heavily twisted and distorted; the unknown word is usually less distorted and often appears simply poorly scanned (or is a photo of a house door or something). By putting in the correct answer for the known word and putting in "n****r" for the unknown word you can still pass the CAPTCHA

      The upshot of this is that CAPTCHA is being used to translate books into digital format; if enough people type the same racial slur for the unknown words/images then there supposedly exists the 'lulzy' probability of digitised ebooks being released to the public with this word recurring through them, occasioning bad trouble, scandal and heavy fines for the publishers!)

  5. Whitter

    Linguistic issues to some of the alternatives

    It's difficult not to make CAPTCHAs and/or alternatives too hard, particularly if your website/forum/blog has a mulitlingual user base (where question/answer rules can quickly break down). I've heard good things about animated CAPTCHAs, but, if they do indeed work, they won't work for long given this war of attrition. The sweatshop issue is even harder to beat.

    If only wetards wouldn't click on spam - but that's an even bigger battle!

  6. John A Blackley

    Yak yak yak

    blah blah blah FREE PORN blah blah blah

  7. Charlie Clark Silver badge

    Misaligned incentives

    CAPTCHA's no longer pit man against machine - most of them have become so annoying that I often give up - but increasingly man against man but with vastly different incentives. The CAPTCHAs I come across are generally related to getting access to some kind of website service and have little marginal value. Post-submission validation by e-mail seems to work just as well and is far less irritating, but where CAPTCHAs are used to protect identity then the thieves have a far greater incentive to attempt to crack them.

    1. Brewster's Angle Grinder Silver badge

      Re: Misaligned incentives

      One of Wordpress's best kept secrets is the Akismet ani-spam tool. I run a personal blog, and Aksimet flawlessly separates the spam from the genuine comments without CAPTCHAs, email validation or human intervention.

      [Disclaimer: I have no personal association with Wordpress.]

  8. Bucky 2


    I'm glad these monstrosities are finally on the way out.

    My objection to CAPTCHAs is completely aesthetic.

    I find nothing cute about creating an acronym which looks the way an illiterate with a speech impediment might spell "capture."

  9. Anonymous Coward
    Anonymous Coward

    Alternative: reading comprehension

    Stop using image recognition, and go to comprehension, e.g.:

    To prove you are a human, which of the following is acceptable behavior:

    a) kicking a spammer in the gonads

    b) punching a spammer in the face

    c) using a cattleprod on a spammer

    d) all of the above.

    1. Charles 9 Silver badge

      Re: Alternative: reading comprehension

      Thing is, sweatshoppers can be literate enough in English to understand the question. The big challenge is beating the sweatshops where the Turing part of the CAPTCHA doesn't really apply (IOW, you're now trying to distinguish a real user from a sweatshopper--man against man; tricky tricky...).

  10. Anonymous Coward
    Anonymous Coward

    If they'd stop scanning books....

    We wouldn't have to answer any more CAPTCHAs.

    1. Turtle

      Google's Free Labor Policy: Opting Out: Re: If they'd stop scanning books....

      'If they'd stop scanning books....We wouldn't have to answer any more CAPTCHAs."

      Whenever I see a photograph as part of a captcha, I *always* answer it incorrectly, and the incorrect answer is *always* accepted as correct.

      Because I refuse to be part of Google's "the world is an endless supp\y of free labor for us" policy.

  11. Pete Spicer

    Speaking as a forum software developer, where this situation is rife

    CAPTCHAs are only effective all the time they're not actively targeted - as soon as they receive any unwelcome attention, you're stuffed.

    The trick, really, is to make them unique to the content of the site, and this is why anti-spam Q&A are so much more effective, because you can target the Q&A to the site itself, about things that people going to the site would be likely to know, e.g. I know a user who runs a forum about a game called Elements, and naturally, the anti-spam question 'How many elements are there?' means a different number to an Elements player as it would do everyone else - but that's fine.

    The multi-lingual problem isn't really a problem either, it's not actually that hard to set things up so there are different questions for users with different languages (assuming you've provided a method by which alternative languages can be selected for guests)

    The problem with CAPTCHAs is that ever more intricate methods are being devised - including people wrapping entire simple games around the forms in order to add one-shot values to things for verification - but this is not actually that useful from a user's perspective.

    I also recently had an interesting debate with someone who is running campaigns where simple CAPTCHAs are constructed that specifically promote companies. You can only imagine how effective that really is.

  12. Shannon Jacobs

    Cutting the spammers off at the roots

    Actually, I still monitor my spam on two accounts, and identity theft spam has become the clear leader these days, but most of it is pretty naive, and the author's approach makes him sound quite naive, too. Most of what I'm seeing is actually in the form of 419-style garbage trying to get the suckers to send in various bits of the data needed for the identity theft. The scammers are NOT relying on the CAPTCHA side of it, and it is stupid to shoot there. The spammers simply use those accounts to throw out the bait.

    The actual hooks are pointing at accounts on other email systems, mostly Gmail and, along with some of the minor players like globomail. It is noteworthy that Microsoft (AKA Hotmail and is clearly NOT favored for the spammers dropboxes. Can't prove it, but I'd wager it is because Microsoft has become fastest at identifying and nuking those accounts before the scammer can reach the suckers. It is possible to fight the spammers more effectively, but Yahoo is too feeble, and either Gmail doesn't care or is too evil. I really hate to give kudos to Microsoft, but they have been leading the upstream war against the spammers, and now it looks like they are leading downstream, too.

    Of course, I still want a REAL spam fighting tool that would let me join in making the miserable spammers' lives even more miserable. Something like SpamCop, but on steroids. If you are familiar with SpamCop, you know that it is one round of analysis looking for the spammers' ISP and webhost, and one round of confirmation before sending complaints. What I want would involve several rounds of increasingly refined analysis, going after ALL of the spammers' infrastructure, pursuing ALL of the spammers' accomplices, and even trying to help or protect ALL of the spammers' victims.

    Perhaps a few examples would help. An integrated spam-fighting system could focus on unsubscribe mechanisms to identify the legitimate ones from the address harvesters. At a minimum, that would involve some testing with honeypot addresses. A powerful spam-fighting system could notify the owners of valuable brands that there reputations are being abused and even give them an opportunity for legitimate counter-marketing to prove they are on our side against the spammers. The human being in the loop could categorize the spam and help prioritize the serious spam for the rudest responses. I really want the tools to be a first-class spam fighter.

    By the way, I actually think it is unfortunate that Cisco owns SpamCop now. Cisco doesn't really care about who creates the need for their hardware. The SpamCop guys are sincere, but they've lost their fire now. In contrast, you would think that the email providers would really care about increasing the value of email--and nothing destroys the value of email more than spam. They should burn with the desire to encourage GOOD email, not spam.

    1. Shannon Jacobs

      Re: Cutting the spammers off at the roots

      Whoops, forgot two more obvious examples, one related to the original article and the other related to my first example.

      As regards the articles, the human intelligence of volunteers can help the spam-fighting system recognize abuse of CAPTCHA systems. Actually, there's another aspect that is key here. The spammers can't obfuscate when they are trying to reach their human suckers. That would defeat themselves, though sometimes it looks like they are having a reverse intelligence test, looking for people who are stupid enough to believe preposterous scams but somehow still capable of owning a bank account.

      As regards my own example of the predominance of 419-like scams with dropboxes on other email services, that is obviously something that human beings can help with, though the system can also help during the iterations. For example, the system can test a domain and determine that the address is bogus, and then let the user confirm it. Why bother with the check in that case? For example, a human being might realize that the bogus address is actually slightly obfuscated in a way that a persistent sucker might figure out, and then that human spam fighter could guide the system to the actual dropbox. It would also be useful to sort the non-dropbox address. I can think of cases where the spam includes possibly legitimate addresses to give credibility to the scam, something like customer-support at visa dot com that might help fool a sucker who doesn't notice the Reply-to is pointing to a completely different place. In those sorts of Joe jobs, it's obviously in the strong interest of the legitimate company to help protect their customers from the crooks.

      I forgot to mention one other annoying category: External sources that are cited to give credibility to the scam. Usually just news websites, but sometimes such sources as Wikipedia. In cases like that, such a spam-fighting system could help them protect their reputation (and their readers), by helping them quickly add a warning to the target webpage of the URL. Something like a short 419 alert and a link to a page that explains why you shouldn't send any money to the scammers.

    2. Anonymous Coward
      Anonymous Coward

      Spamcop is, unfortunately, toothless

      Back when being on somebody's blacklist actually mattered, entities like Spamcop et. al. were useful in the fight.

      Now, blacklists have no power - when one zombie is blacklisted, a thousand shall rise.

      Unless and until there is something to put teeth into an entity like Spamcop - e.g. "We, Google, will use Spamcop's blacklists. Moreover, any ISP that is marked by Spamcop as 'refuses this type of report' shall ALSO be blocked - you don't want to handle spam reports, we don't want to index you, or allow you access to ANY Google services. All your users will see is a 'Your ISP doesn't care about spamming, so we don't care to service you - take it up with them."

      That might make a change.

      Then again, so would a significant change in the fine structure constant - and that is just about as likely.

  13. Big O

    Riddles? Ruh-roh!

  14. Great Bu

    "Some CAPTCHA-busting sites offer free porn as an incentive."

    Just out of interest:

    Which sites are offering this ?

    How good is the porn ?

    Also, on a related note, why can't we invent PORNCHA (I'll leave it to someone else to work out what the acronym stands for) ? It shows a porn pic and you have to enter what position is being demonstrated (e.g. 'Missionary', 'Reverse Cowgirl', 'Cleveland Steamer' etc.).

  15. This Side Up

    Don't bother with captchas

    Just check for URLs in fields where they're not supposed to be. That gets rid of most of the junk. Some captchas cause browser compatibility problems so are more trouble than they're worth.

  16. This post has been deleted by its author

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021