Velocity Reviews


Sue Bilstein 11-02-2007 12:30 PM

Now that's ingenious!
 
But listen guys, don't fall for this one.

http://tinyurl.com/2sno3p

Spammers employ stripper to crack CAPTCHAs
Hackers are using human beings in semi-real time to translate CAPTCHAs
by proxy, says Trend Micro
By Gregg Keizer Framingham | Friday, 2 November 2007

Spammers are using a virtual stripper as bait to dupe people into
helping criminals crack codes they need to send more spam or boost the
rankings of parasitic websites, say security researchers.

A series of photographs shows "Melissa," no relation to the 1999 worm
by the same name, with progressively fewer clothes and more skin each
time the user correctly enters the characters in an accompanying
CAPTCHA (Completely Automatic Public Turing Test to Tell Computers and
Humans Apart), the distorted, scrambled codes that most web-mail
services use to block bots from registering hundreds or thousands of
accounts.


Mark Bondurant 11-02-2007 04:28 PM

Re: Now that's ingenious!
 
On Nov 2, 5:30 am, Sue Bilstein <sue.bilst...@gmail.com> wrote:
> But listen guys, don't fall for this one.
>
> http://tinyurl.com/2sno3p
>
> Spammers employ stripper to crack CAPTCHAs
> Hackers are using human beings in semi-real time to translate CAPTCHAs
> by proxy, says Trend Micro
> By Gregg Keizer Framingham | Friday, 2 November 2007
>
> Spammers are using a virtual stripper as bait to dupe people into
> helping criminals crack codes they need to send more spam or boost the
> rankings of parasitic websites, say security researchers.
>
> A series of photographs shows "Melissa," no relation to the 1999 worm
> by the same name, with progressively fewer clothes and more skin each
> time the user correctly enters the characters in an accompanying
> CAPTCHA (Completely Automatic Public Turing Test to Tell Computers and
> Humans Apart), the distorted, scrambled codes that most web-mail
> services use to block bots from registering hundreds or thousands of
> accounts.


They would need a fairly quick response time from the email or the
target-site-they're-trying-to-break-in-to's session will time out.
Oh! I get it. The first Melissa response puts you on an available
queue, after which they can expect a fairly quick response time from
you. This all relies on a high volume of email responses so as to
always have a replier ready when you have a real CAPTCHA to break.
Bloody brilliant! That is true art.

Mark



peterwn 11-03-2007 04:31 AM

Re: Now that's ingenious!
 
On Nov 3, 1:30 am, Sue Bilstein <sue.bilst...@gmail.com> wrote:
> But listen guys, don't fall for this one.
>
> http://tinyurl.com/2sno3p
>
> Spammers employ stripper to crack CAPTCHAs
> Hackers are using human beings in semi-real time to translate CAPTCHAs
> by proxy, says Trend Micro
> By Gregg Keizer Framingham | Friday, 2 November 2007
>
> Spammers are using a virtual stripper as bait to dupe people into
> helping criminals crack codes they need to send more spam or boost the
> rankings of parasitic websites, say security researchers.
>
> A series of photographs shows "Melissa," no relation to the 1999 worm
> by the same name, with progressively fewer clothes and more skin each
> time the user correctly enters the characters in an accompanying
> CAPTCHA (Completely Automatic Public Turing Test to Tell Computers and
> Humans Apart), the distorted, scrambled codes that most web-mail
> services use to block bots from registering hundreds or thousands of
> accounts.


I heard about this racket several years ago.

Kiwibank annoys its customers with CAPTCHAs. IMO they should only
use them when a specific user has mucked up a logon or there is a
'condition yellow' such as an unseemly rate of false login attempts.


Sue Bilstein 11-03-2007 08:21 AM

Re: Now that's ingenious!
 
On 2 Nov 2007 05:30:12 -0700, Sue Bilstein <sue.bilstein@gmail.com>
wrote:

>But listen guys, don't fall for this one.
>
>http://tinyurl.com/2sno3p
>
>Spammers employ stripper to crack CAPTCHAs
>Hackers are using human beings in semi-real time to translate CAPTCHAs
>by proxy, says Trend Micro
>By Gregg Keizer Framingham | Friday, 2 November 2007
>
>Spammers are using a virtual stripper as bait to dupe people into
>helping criminals crack codes they need to send more spam or boost the
>rankings of parasitic websites, say security researchers.
>
>A series of photographs shows "Melissa," no relation to the 1999 worm
>by the same name, with progressively fewer clothes and more skin each
>time the user correctly enters the characters in an accompanying
>CAPTCHA (Completely Automatic Public Turing Test to Tell Computers and
>Humans Apart), the distorted, scrambled codes that most web-mail
>services use to block bots from registering hundreds or thousands of
>accounts.



PS Google Groups kept this post in a corner of its stomach from
somewhere round 12 noon 2/11 until 1:30 am 3/11, when it was finally
disgorged.

collector«NZ 11-03-2007 08:24 AM

Re: Now that's ingenious!
 
peterwn wrote:
> On Nov 3, 1:30 am, Sue Bilstein <sue.bilst...@gmail.com> wrote:
>> But listen guys, don't fall for this one.
>>
>> http://tinyurl.com/2sno3p
>>
>> Spammers employ stripper to crack CAPTCHAs
>> Hackers are using human beings in semi-real time to translate CAPTCHAs
>> by proxy, says Trend Micro
>> By Gregg Keizer Framingham | Friday, 2 November 2007
>>
>> Spammers are using a virtual stripper as bait to dupe people into
>> helping criminals crack codes they need to send more spam or boost the
>> rankings of parasitic websites, say security researchers.
>>
>> A series of photographs shows "Melissa," no relation to the 1999 worm
>> by the same name, with progressively fewer clothes and more skin each
>> time the user correctly enters the characters in an accompanying
>> CAPTCHA (Completely Automatic Public Turing Test to Tell Computers and
>> Humans Apart), the distorted, scrambled codes that most web-mail
>> services use to block bots from registering hundreds or thousands of
>> accounts.

>
> I heard about this racket several years ago.
>
> Kiwibank annoys its customers with CAPTCHAs. IMO they should only
> use them when a specific user has mucked up a logon or there is a
> 'condition yellow' such as an unseemly rate of false login attempts.
>

In the case of login into a situation like Kiwi Bank (your account) the
catchpa does nothing except be a nuisance to genuine users, if they have
your account code and password you're screwed anyway. The catchpa does
perhaps make it slightly harder to run an auto dictionary attack, the
chance of that attack being successful is slim and the system should
detect the repeated failed attempts. It is just laziness on their behalf
if it doesn't.

Richard 11-03-2007 09:37 AM

Re: Now that's ingenious!
 
collector«NZ wrote:

> In the case of login into a situation like Kiwi Bank (your account) the
> catchpa does nothing except be a nuisance to genuine users, if they have
> your account code and password you're screwed anyway. The catchpa does
> perhaps make it slightly harder to run an auto dictionary attack, the
> chance of that attack being successful is slim and the system should
> detect the repeated failed attempts. It is just laziness on their behalf
> if it doesn't.


Yes, but that's not the point, people will feel more secure as a result
of it being there, so are happier customers.

collector«NZ 11-03-2007 10:54 AM

Re: Now that's ingenious!
 
Richard wrote:
> collector«NZ wrote:
>
>> In the case of login into a situation like Kiwi Bank (your account)
>> the catchpa does nothing except be a nuisance to genuine users, if
>> they have your account code and password you're screwed anyway. The
>> catchpa does perhaps make it slightly harder to run an auto dictionary
>> attack, the chance of that attack being successful is slim and the
>> system should detect the repeated failed attempts. It is just laziness
>> on their behalf if it doesn't.

>
> Yes, but that's not the point, people will feel more secure as a result
> of it being there, so are happier customers.

Cue Tui's ad.

I would rather do without it. It does nothing and makes me wonder if it
is there to cover the ineptitude of the designers for not having a
system to deal with repeated wrong attempts at login.
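
An added example, not part of any post in this thread: a sketch of the policy the posts above argue for, where a CAPTCHA appears only after a failed logon on that account or during a site-wide spike of failures, and repeated wrong attempts are detected and locked out. The class name, thresholds and account names are assumptions for illustration, and the events replayed in `demo()` are constructed.

```python
from collections import defaultdict, deque

class LoginGate:
    """Added illustration: challenge only when there is a reason to."""

    def __init__(self, captcha_after=1, lock_after=5, site_alert=20, window=300.0):
        self.captcha_after = captcha_after  # failures on one account before a CAPTCHA
        self.lock_after = lock_after        # failures on one account before lockout
        self.site_alert = site_alert        # site-wide failures that mean "condition yellow"
        self.window = window                # seconds a failure stays counted
        self._by_account = defaultdict(deque)
        self._site = deque()

    def _recent(self, q, now):
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        return len(q)

    def record(self, account, success, now):
        if success:
            self._by_account.pop(account, None)  # a good login clears that account
        else:
            self._by_account[account].append(now)
            self._site.append(now)

    def decide(self, account, now):
        mine = self._recent(self._by_account.get(account, deque()), now)
        site = self._recent(self._site, now)
        if mine >= self.lock_after:
            return "lockout"
        if mine >= self.captcha_after or site >= self.site_alert:
            return "captcha"
        return "plain"

def demo():
    """Replay constructed events (account, success, time) and collect decisions."""
    gate = LoginGate(captcha_after=1, lock_after=3, site_alert=4)
    out = [gate.decide("alice", 0)]        # clean account: no CAPTCHA
    gate.record("alice", False, 1)
    out.append(gate.decide("alice", 2))    # one mistyped password: CAPTCHA
    gate.record("alice", True, 3)
    out.append(gate.decide("alice", 4))    # cleared by the good login
    for i in range(4):                     # failures spread over many accounts
        gate.record(f"user{i}", False, 10 + i)
    out.append(gate.decide("carol", 14))   # site-wide spike: CAPTCHA for everyone
    out.append(gate.decide("carol", 400))  # spike aged out of the window
    for t in (500, 501, 502):
        gate.record("dave", False, t)
    out.append(gate.decide("dave", 503))   # repeated failures: lockout
    return out
```
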

Lawrence D'Oliveiro 11-03-2007 11:09 AM

Re: Now that's ingenious!
 
In message <472c333f$1@news.orcon.net.nz>, collector«NZ wrote:

> ... catchpa ...


No catchma to go with that?

Steve B 11-03-2007 11:51 PM

Re: Now that's ingenious!
 
On Sat, 03 Nov 2007 04:31:08 -0000, peterwn <peterwn@paradise.net.nz>
wrote:

>Kiwibank annoys its customers with CAPTCHAs. IMO they should only
>use them when a specific user has mucked up a logon or there is a
>'condition yellow' such as an unseemly rate of false login attempts.


CAPTCHAs are also said to make use of the service by blind or
partially sighted users impossible. Whereupon many sites appended a
button which would read out the CAPTCHA code audibly. Whereupon critics
pointed out that voice-recognition reopened an avenue for spammers.
Whereupon certain sites "blurred" the voice version of the code by
introducing extraneous noise.

The first time I came across one of those, it took me three goes to
get it right from the sound alone (just experimenting). If it had been
a banking site rather than something not so sensitive (a newspaper
"feedback" section, IIRC), security might have shut me out by that
stage.

The printed CAPTCHAs will insist on using ones that might be
lower-case Ls and letters like k which can look virtually identical in
upper and lower case without sufficient context.

The other safety precaution that bugs me is "You have not used our
service for more than three months. So we have sent a PIN number to
your email address as we have it on record. This will expire unless
you find it and enter it in the space below within five minutes."

Now which email address did I give them (more than three months ago)?
Is that mailbox discontinued or likely to be so full of spam that
their message gets rejected? Aha! The spammers win again.

Steve B.


All times are GMT.