Now that's ingenious!

Discussion in 'NZ Computing' started by Sue Bilstein, Nov 2, 2007.

  1. Sue Bilstein

    Sue Bilstein Guest

    But listen guys, don't fall for this one.

    http://tinyurl.com/2sno3p

    Spammers employ stripper to crack CAPTCHAs
    Hackers are using human beings in semi-real time to translate CAPTCHAs
    by proxy, says Trend Micro
    By Gregg Keizer Framingham | Friday, 2 November 2007

    Spammers are using a virtual stripper as bait to dupe people into
    helping criminals crack codes they need to send more spam or boost the
    rankings of parasitic websites, say security researchers.

    A series of photographs shows "Melissa," no relation to the 1999 worm
    by the same name, with progressively fewer clothes and more skin each
    time the user correctly enters the characters in an accompanying
    CAPTCHA (Completely Automatic Public Turing Test to Tell Computers and
    Humans Apart), the distorted, scrambled codes that most web-mail
    services use to block bots from registering hundreds or thousands of
    accounts.
    Sue Bilstein, Nov 2, 2007
    #1

  2. On Nov 2, 5:30 am, Sue Bilstein <> wrote:
    > But listen guys, don't fall for this one.
    >
    > http://tinyurl.com/2sno3p
    >
    > Spammers employ stripper to crack CAPTCHAs
    > Hackers are using human beings in semi-real time to translate CAPTCHAs
    > by proxy, says Trend Micro
    > By Gregg Keizer Framingham | Friday, 2 November 2007
    >
    > Spammers are using a virtual stripper as bait to dupe people into
    > helping criminals crack codes they need to send more spam or boost the
    > rankings of parasitic websites, say security researchers.
    >
    > A series of photographs shows "Melissa," no relation to the 1999 worm
    > by the same name, with progressively fewer clothes and more skin each
    > time the user correctly enters the characters in an accompanying
    > CAPTCHA (Completely Automatic Public Turing Test to Tell Computers and
    > Humans Apart), the distorted, scrambled codes that most web-mail
    > services use to block bots from registering hundreds or thousands of
    > accounts.


    They would need a fairly quick response time from the email or the
    target-site-they're-trying-to-break-in-to's session will time out.
    Oh! I get it. The first Melissa response puts you on an available
    queue, after which they can expect a fairly quick response time from
    you. This all relies on a high volume of email responses so as to
    always have a replier ready when you have a real CAPTCHA to break.
    Bloody brilliant! That is true art.

    Mark
    Mark Bondurant, Nov 2, 2007
    #2

  3. Sue Bilstein

    peterwn Guest

    On Nov 3, 1:30 am, Sue Bilstein <> wrote:
    > But listen guys, don't fall for this one.
    >
    > http://tinyurl.com/2sno3p
    >
    > Spammers employ stripper to crack CAPTCHAs
    > Hackers are using human beings in semi-real time to translate CAPTCHAs
    > by proxy, says Trend Micro
    > By Gregg Keizer Framingham | Friday, 2 November 2007
    >
    > Spammers are using a virtual stripper as bait to dupe people into
    > helping criminals crack codes they need to send more spam or boost the
    > rankings of parasitic websites, say security researchers.
    >
    > A series of photographs shows "Melissa," no relation to the 1999 worm
    > by the same name, with progressively fewer clothes and more skin each
    > time the user correctly enters the characters in an accompanying
    > CAPTCHA (Completely Automatic Public Turing Test to Tell Computers and
    > Humans Apart), the distorted, scrambled codes that most web-mail
    > services use to block bots from registering hundreds or thousands of
    > accounts.


    I heard about this racket several years ago.

    Kiwibank annoys its customers with CAPTCHAs. IMO they should only
    use them when a specific user has mucked up a logon or there is a
    'condition yellow' such as an unseemly rate of false login attempts.
    peterwn, Nov 3, 2007
    #3
  4. Sue Bilstein

    Sue Bilstein Guest

    On 2 Nov 2007 05:30:12 -0700, Sue Bilstein <>
    wrote:

    >But listen guys, don't fall for this one.
    >
    >http://tinyurl.com/2sno3p
    >
    >Spammers employ stripper to crack CAPTCHAs
    >Hackers are using human beings in semi-real time to translate CAPTCHAs
    >by proxy, says Trend Micro
    >By Gregg Keizer Framingham | Friday, 2 November 2007
    >
    >Spammers are using a virtual stripper as bait to dupe people into
    >helping criminals crack codes they need to send more spam or boost the
    >rankings of parasitic websites, say security researchers.
    >
    >A series of photographs shows "Melissa," no relation to the 1999 worm
    >by the same name, with progressively fewer clothes and more skin each
    >time the user correctly enters the characters in an accompanying
    >CAPTCHA (Completely Automatic Public Turing Test to Tell Computers and
    >Humans Apart), the distorted, scrambled codes that most web-mail
    >services use to block bots from registering hundreds or thousands of
    >accounts.



    PS google groups kept this post in a corner of its stomach from
    somewhere round 12 noon 2/11 until 1:30 am 3/11, when it was finally
    disgorged.
    Sue Bilstein, Nov 3, 2007
    #4
  5. peterwn wrote:
    > On Nov 3, 1:30 am, Sue Bilstein <> wrote:
    >> But listen guys, don't fall for this one.
    >>
    >> http://tinyurl.com/2sno3p
    >>
    >> Spammers employ stripper to crack CAPTCHAs
    >> Hackers are using human beings in semi-real time to translate CAPTCHAs
    >> by proxy, says Trend Micro
    >> By Gregg Keizer Framingham | Friday, 2 November 2007
    >>
    >> Spammers are using a virtual stripper as bait to dupe people into
    >> helping criminals crack codes they need to send more spam or boost the
    >> rankings of parasitic websites, say security researchers.
    >>
    >> A series of photographs shows "Melissa," no relation to the 1999 worm
    >> by the same name, with progressively fewer clothes and more skin each
    >> time the user correctly enters the characters in an accompanying
    >> CAPTCHA (Completely Automatic Public Turing Test to Tell Computers and
    >> Humans Apart), the distorted, scrambled codes that most web-mail
    >> services use to block bots from registering hundreds or thousands of
    >> accounts.

    >
    > I heard about this racket several years ago.
    >
    > Kiwibank annoys its customers with CAPTCHAs. IMO they should only
    > use them when a specific user has mucked up a logon or there is a
    > 'condition yellow' such as an unseemly rate of false login attempts.
    >

    In the case of login into a situation like Kiwi Bank (your account) the
    catchpa does nothing except be a nuisance to genuine users, if they have
    your account code and password you're screwed anyway. The catchpa does
    perhaps make it slightly harder to run an auto dictionary attack, the
    chance of that attack being successful is slim and the system should
    detect the repeated failed attempts. It is just laziness on their behalf
    if it doesn't
    collector«NZ, Nov 3, 2007
    #5
  6. Sue Bilstein

    Richard Guest

    collector«NZ wrote:

    > In the case of login into a situation like Kiwi Bank (your account) the
    > catchpa does nothing except be a nuisance to genuine users, if they have
    > your account code and password you're screwed anyway. The catchpa does
    > perhaps make it slightly harder to run an auto dictionary attack, the
    > chance of that attack being successful is slim and the system should
    > detect the repeated failed attempts. It is just laziness on their behalf
    > if it doesn't


    Yes, but that's not the point, people will feel more secure as a result
    of it being there, so are happier customers.
    Richard, Nov 3, 2007
    #6
  7. Richard wrote:
    > collector«NZ wrote:
    >
    >> In the case of login into a situation like Kiwi Bank (your account)
    >> the catchpa does nothing except be a nuisance to genuine users, if
    >> they have your account code and password you're screwed anyway. The
    >> catchpa does perhaps make it slightly harder to run an auto dictionary
    >> attack, the chance of that attack being successful is slim and the
    >> system should detect the repeated failed attempts. It is just laziness
    >> on their behalf if it doesn't

    >
    > Yes, but that's not the point, people will feel more secure as a result
    > of it being there, so are happier customers.

    Cue Tui's Ad

    I would rather do without it; it does nothing and makes me wonder if it
    is there to cover the ineptitude of the designers for not having a
    system to deal with repeated wrong attempts at login.
    collector«NZ, Nov 3, 2007
    #7
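
The policy argued for in posts #3, #5 and #7 (show a CAPTCHA only after a failed logon or under a site-wide 'condition yellow', and have the system itself detect repeated failures), as an added example that is not part of any post in this thread. The class name, thresholds and account names are assumptions chosen for illustration.

```python
from collections import deque

class LoginGate:
    """Pick the next login form for an account: 'plain', 'captcha' or 'locked'."""

    def __init__(self, captcha_after=1, lock_after=5, window=60.0, yellow_rate=20):
        self.captcha_after = captcha_after  # per-account failures before a CAPTCHA
        self.lock_after = lock_after        # per-account failures before lockout
        self.window = window                # seconds of history for the site-wide rate
        self.yellow_rate = yellow_rate      # failures in window that mean 'condition yellow'
        self.failures = {}                  # account -> consecutive failed logins
        self.recent = deque()               # timestamps of recent failures, all accounts

    def _condition_yellow(self, now):
        # Forget failures older than the window, then compare against the threshold.
        while self.recent and now - self.recent[0] > self.window:
            self.recent.popleft()
        return len(self.recent) >= self.yellow_rate

    def decide(self, account, now):
        n = self.failures.get(account, 0)
        if n >= self.lock_after:
            return "locked"      # repeated failures detected: stop guessing outright
        if n >= self.captcha_after or self._condition_yellow(now):
            return "captcha"     # this user mucked up a logon, or the site is under load
        return "plain"           # genuine users normally never see a CAPTCHA

    def record(self, account, success, now):
        if success:
            self.failures.pop(account, None)   # a good login clears the counter
        else:
            self.failures[account] = self.failures.get(account, 0) + 1
            self.recent.append(now)

def demo():
    # Constructed scenario: small thresholds so every state is reached quickly.
    gate = LoginGate(captcha_after=1, lock_after=3, window=60.0, yellow_rate=4)
    out = [gate.decide("alice", 0.0)]          # first visit
    gate.record("alice", False, 0.0)
    out.append(gate.decide("alice", 1.0))      # after one typo
    gate.record("alice", True, 1.0)
    out.append(gate.decide("alice", 2.0))      # after a good login
    for t in (3.0, 4.0, 5.0):                  # repeated guesses at one account
        gate.record("bob", False, t)
    out.append(gate.decide("bob", 6.0))
    out.append(gate.decide("carol", 6.0))      # 4 failures site-wide in the last minute
    out.append(gate.decide("carol", 100.0))    # the burst has aged out of the window
    return out
```

A permanent per-account lock lets anyone who knows an account name lock its owner out, so deployments usually make the lock temporary.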
  8. In message <472c333f$>, collector«NZ wrote:

    > ... catchpa ...


    No catchma to go with that?
    Lawrence D'Oliveiro, Nov 3, 2007
    #8
  9. Sue Bilstein

    Steve B Guest

    On Sat, 03 Nov 2007 04:31:08 -0000, peterwn <>
    wrote:

    >Kiwibank annoys its customers with CAPTCHAs. IMO they should only
    >use them when a specific user has mucked up a logon or there is a
    >'condition yellow' such as an unseemly rate of false login attempts.


    CAPTCHAs are also said to make use of the service by blind or
    partially sighted users impossible. Whereupon many sites appended a
    button which would read out the CAPTCHA code audibly. Whereupon critics
    pointed out that voice-recognition reopened an avenue for spammers.
    Whereupon certain sites "blurred" the voice version of the code by
    introducing extraneous noise.

    The first time I came across one of those, it took me three goes to
    get it right from the sound alone (just experimenting). If it had been
    a banking site rather than something not so sensitive (a newspaper
    'feedback' section, IIRC), security might have shut me out by that
    stage.

    The printed CAPTCHAs will insist on using ones that might be
    lower-case Ls and letters like k which can look virtually identical in
    upper and lower case without sufficient context.

    The other safety precaution that bugs me is "You have not used our
    service for more than three months. So we have sent a PIN number to
    your email address as we have it on record. This will expire unless
    you find it and enter it in the space below within five minutes."

    Now which email address did I give them (more than three months ago)?
    Is that mailbox discontinued or likely to be so full of spam that
    their message gets rejected? Aha! The spammers win again.

    Steve B.
    Steve B, Nov 3, 2007
    #9