Virtual! stripper! game! targets! Yahoo!

Spammers have come up with a sleazy - but undoubtedly ingenious - way to defeat anti-spam security checks. The Captcha Trojan disguises itself as a stripper game that offers voyeurs the chance to see images of a model getting undressed. In order to get "Melissa" to lose an item of clothing, the user must identify the letters …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    I'm a bit confoozed!

    "Providing users identify the letters correctly, Melissa shows a bit more skin."

    How does the trojan know when the user's input is correct and if so why is the user's input required at all??

    Could do with a copy of this for, ahem, testing purposes!!

  2. Jason

    How about

    Blocking an IP address if you get more than 5 requests in as many seconds?

    Can't be that hard to implement, surely?

  3. Anonymous Coward
    Thumb Down

    Hardly 'new'...

    A very similar technique, which used hapless visitors to free porn sites to break the Captchas, was widely used several years ago...

    http://boingboing.net/2004/01/27/solving-and-creating.html

  4. Anonymous Coward

    ROTM my bottom!

    This only goes to show that wetware technologies will always be ahead of those namby pamby silicon-based wannabees. Galaxy Zoo has been using the same principle for a while, computers can only do so much, and pattern recognition isn't one of the things they are good at. The only solution is to farm the job out to something that *is* good at it, i.e. humans. Eat my synapses Skynet, you couldn't find a nun in a poppy field!

    I'm amazed this even had to be a Trojan. A legitimate games website could make a fortune from this. "Type some letters and see some skin!!". What could be simpler for a game format? Could have made a fortune from click-through alone.

  5. Steve Taylor

    Re: Hardly 'new'...

    The idea isn't new, but BoingBoing articles aside, this is the first time I've heard of an actual implementation. I remember when the idea first turned up as a hypothetical, and how the story quickly mutated from "someone could..." to "someone did..."

    If I'm wrong there, please correct me.

  6. Steven Knox
    Boffin

    Pattern Recognition (@Trog)

    Actually, computers are too good at pattern recognition. That's why the captchas work. What the computers are not so good at is the fuzzy logic which allows humans to delude themselves into thinking that, for example, "GOOD" is the same pattern as "G00D" or that ; ) is a winking-smiley face.

  7. Tom

    Simple for Yahoo! to annoy

    Make sure that the graphic has a Yahoo! logo somewhere in it (background, or in a corner). Then the id10t stripper program user will see that something is a bit amiss. Pretty simple if you ask me. All captchas should have something identifying where they came from. The surrounding text should have further instructions like enter only the letters (and the graphic has digits and letters).

    Design needs to evolve!

  8. Stuart Van Onselen

    @I'm a bit confoozed!

    My guess is that it is all real-time. In fact, it probably has to be, as captchas often expire quickly.

    So, as soon as you enter the digits, the trojan forwards it to Yahoo/GMail/Hotmail, where it has already started trying to create an account. If it gets the "thank you for registering" screen from them, it knows you got it right. If it gets the "piss off, robot!" screen, it tells you to try again.

  9. Jon
    Thumb Up

    Not so simple....

    @Jason: Most firewalls do this automatically anyway, so I would think Yahoo has implemented this already, however it doesn't work with BotNet clients because of the distributed nature of a botnet, and it won't work in this case for exactly the same reason.. In this case, the users are the "bot".

    @Tom: I think probably that someone trying to get a stripper undressed might be a little distracted and not really be bothered, if they notice at all. However your idea of involving the entire web page in a captcha technology might be a good basis to start from.. For example, you could dot Captcha letters at random places around the screen, or in a circle of several smaller Captcha screens, with instructions to read clockwise or anticlockwise or something.. You're right, it needs work, but it certainly sounds like a go.. It would be interesting if between the readers of this article we were able to design an uncrackable Captcha system.. El Reg.. We want some of the profits please, or leave it open source!! Actually, no, we want the profits, forget open source! :-)

  10. Joseph Zygnerski
    Stop

    Get rid of the letters, then

    I've been told that it's nigh impossible for a computer to tell the difference between a kitten and a puppy. Maybe we should move away from typing in letters to picking if a pic is of a kitten or a puppy.

    I look forward to the game wherein you have to identify kittens and puppies to get the stripper to take her clothes off...
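
Added example, not part of the thread or any poster's code: the per-IP block proposed in comment 2 (more than 5 requests in as many seconds) replayed over constructed traffic, showing the limitation raised in comment 9 when the same request volume arrives from many addresses. The class and function names and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque


class PerIpLimiter:
    """Block an IP once it sends more than `limit` requests within `window` seconds."""

    def __init__(self, limit=5, window=5.0):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps still inside the window
        self.blocked = set()

    def allow(self, ip, ts):
        if ip in self.blocked:
            return False
        q = self.hits[ip]
        # Drop timestamps that have aged out of the sliding window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        q.append(ts)
        if len(q) > self.limit:
            self.blocked.add(ip)
            return False
        return True


def replay(requests, limit=5, window=5.0):
    """Run (timestamp, ip) pairs through the limiter; return (accepted, blocked_ips)."""
    lim = PerIpLimiter(limit, window)
    accepted = sum(lim.allow(ip, ts) for ts, ip in sorted(requests))
    return accepted, lim.blocked


# Constructed traffic: 40 signup requests in 4 seconds in both cases.
# Sample addresses come from the RFC 5737 documentation ranges.
single_source = [(i * 0.1, "192.0.2.10") for i in range(40)]
distributed = [(i * 0.1, f"198.51.100.{i + 1}") for i in range(40)]

if __name__ == "__main__":
    for name, traffic in (("single source", single_source), ("distributed", distributed)):
        accepted, blocked = replay(traffic)
        print(f"{name}: accepted={accepted} blocked_ips={len(blocked)}")
```
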
