by Roderick Ordoñez
A nifty little program that Trend Micro detects as TROJ_CAPTCHAR.A disguises itself as a strip-tease game, wherein a scantily clad “Melissa” agrees to take off a little bit of her clothing. However, for her to strut her stuff, users must identify the letters hidden within a CAPTCHA. Input the letters correctly, press “go,” and “Melissa” reveals more of herself.
However, the “answers” are then sent to a remote server, where a malicious user eagerly awaits them. The strip-tease game is actually a ploy by ingenious malware authors to identify and match ambiguous CAPTCHA images from legitimate sites, using the unsuspecting user as the decoder of the said image.
Interesting enough, the CAPTCHAs in the example above were taken from the Yahoo! Web site, possible proof that someone may be building a huge base of Yahoo! accounts. For spam-related reasons perhaps? Although various methods of OCR (Optical Character Recognition) are already used to circumvent the CAPTCHA, this social engineering technique is new in that it uses people to unsuspectingly aid a malicious user.
The CAPTCHA, short for Completely Automated Public Turing test to tell Computers and Humans Apart, was born when bots started spreading over the Internet scene a few years ago. The system was aimed at preventing automated submissions/registrations of bots by prompting the user to validate himself as a human, usually requiring the user to input a sequence of alphanumeric characters contained in an image supposedly “unreadable” by a machine.
However, some people are really hooked up on defeating the CAPTCHA, and they are literally asking for public help, in a rather discreet—and, um, provocative—manner.