CAPTCHA Cracker Software & Sites 06 NOV 2007

CAPTCHANuts. Looks like the hackers are now laying siege to the wonderful invention that is the CAPTCHA system. For those who don’t know what I am talking about, you know those squiggly, misshapen letters and numbers you have to fill in every time you log in to some or other secure website? Well, those randomly generated phrases are what we call a CAPTCHA, short for Completely Automated Public Turing Test to tell Computers and Humans Apart.

It is basically a safeguard that ensures the users trying to fill out a form are in fact human, on the assumption that a computer program can’t interpret the scrambled image and type the correct code into the form. This means that we can block automated subscribers and spammers from submitting our forms.

This form of security is essential for all kinds of secure login pages as well, and if a bank’s CAPTCHA system were ever breached we would be sitting with quite a serious intrusion on our hands.

Anyway, the latest social engineering trick employed by scammers seems to be aimed at learning a particular system’s CAPTCHA. The scam takes the form of an alluring woman icon that appears on an infected Windows desktop. Once the user clicks on the icon, a photo of an attractive woman appears who vows to take off an article of clothing each time the jumble of figures next to her is entered.

The woman never undresses; you enter several CAPTCHA codes, and by the time it has learnt enough from you, you realise that you’ve just been suckered into helping a hacker out.

Trend Micro researchers say the scam appears to be isolated for now to spammers trying to register bogus email addresses and flood chat rooms with unwanted pitches. But this may very well be the start of a rather ugly learning curve, one that could see us trying to figure out a new test to beat the machines in the near future.

And as nasty as the idea is, I’ve got to say that it is damn clever of whoever came up with it in the first place. Here is social engineering in its purest form – con men around the world are weeping with admiration.

Just read an interesting article on using graffiti/images as passwords. Apparently people recognise and remember imagery better than text, and the idea is for people to actually draw their passwords. The image gets drawn onto a grid, and the application then remembers which grid points were filled in, the direction of the strokes and the time taken to complete the drawing. An interesting approach to the age-old struggle to better secure our space.
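To make the grid idea concrete, here is a small added example of how such a scheme could be stored and checked on the server side. It is my own sketch, not code from the article I read: it assumes a 5x5 grid, represents a drawing as a list of strokes (each an ordered list of grid cells, so the order captures direction), salts and slowly hashes the canonical encoding, and treats the reported drawing time as a soft second check with a tolerance. The grid size, tolerance and round count are constructed values.

```python
"""Draw-a-secret style graphical password: enrol and verify a drawing on a grid.

Assumed scheme (not from the article): a password is a list of strokes, each an
ordered list of grid cells (row, col) the pen passed through, plus the time the
user took to finish the drawing. Cell order encodes stroke direction.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

GRID_SIZE = 5          # 5x5 grid (constructed value)
TIME_TOLERANCE = 1.5   # seconds of slack allowed on the drawing time (assumption)
PBKDF2_ROUNDS = 200_000


@dataclass
class StoredSecret:
    salt: bytes
    digest: bytes
    seconds: float


def canonicalise(strokes):
    """Turn strokes into a stable byte string.

    Each stroke is an ordered list of (row, col) cells; order encodes direction,
    so A->B and B->A produce different bytes. Strokes are separated by '|'.
    """
    if not strokes:
        raise ValueError("drawing is empty")
    parts = []
    for stroke in strokes:
        if len(stroke) < 2:
            raise ValueError("each stroke must cross at least two cells")
        cells = []
        for row, col in stroke:
            if not (0 <= row < GRID_SIZE and 0 <= col < GRID_SIZE):
                raise ValueError(f"cell {(row, col)} is off the grid")
            cells.append(f"{row},{col}")
        parts.append(">".join(cells))
    return "|".join(parts).encode()


def _derive(canonical, salt):
    # Slow KDF: a drawing on a small grid has far less entropy than a typed
    # passphrase, so every guess against a stolen database must be expensive.
    return hashlib.pbkdf2_hmac("sha256", canonical, salt, PBKDF2_ROUNDS)


def enrol(strokes, seconds):
    """Record a new drawing: fresh random salt, salted digest, drawing time."""
    salt = os.urandom(16)
    return StoredSecret(salt, _derive(canonicalise(strokes), salt), seconds)


def verify(stored, strokes, seconds):
    """True only if the shape (cells and direction) matches and the time is close."""
    try:
        canonical = canonicalise(strokes)
    except ValueError:
        return False
    shape_ok = hmac.compare_digest(_derive(canonical, stored.salt), stored.digest)
    # Timing is a soft second factor: the client reports it, so it adds friction
    # for someone replaying a shoulder-surfed shape but is not a secret in itself.
    timing_ok = abs(seconds - stored.seconds) <= TIME_TOLERANCE
    return shape_ok and timing_ok


if __name__ == "__main__":
    # Constructed sample drawing: a diagonal stroke and a horizontal stroke.
    drawing = [[(0, 0), (1, 1), (2, 2)], [(2, 0), (2, 1), (2, 2)]]
    secret = enrol(drawing, seconds=3.0)
    print(verify(secret, drawing, 3.4))  # True: same shape, time within tolerance
    reversed_diagonal = [[(2, 2), (1, 1), (0, 0)], [(2, 0), (2, 1), (2, 2)]]
    print(verify(secret, reversed_diagonal, 3.0))  # False: same cells, opposite direction
```

The point worth noticing is how small the search space is: a handful of strokes on a 25-cell grid is nowhere near the entropy of a decent passphrase, which is why the digest is salted and run through a deliberately slow function, and why the timing check is only a nuisance for an attacker rather than real protection.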

About Craig Lotter

South African software architect and developer at Touchwork. Husband to a cupcake baker and father to two little girls. I don't have time for myself any more.