CATCHA: When Cats Track Your Movements Online

  • Prakash ShresthaEmail author
  • Nitesh Saxena
  • Ajaya Neupane
  • Kiavash Satvat
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11879)


Any website can record its users’ mouse interactions within that site, an emerging practice used to learn about users’ regions of interests usually for personalization purposes. However, the dark side of such recording is that it is oblivious to the users as no permissions are solicited from the users prior to recording (unlike other resources like webcam or microphone). Since mouse dynamics may be correlated with users’ behavioral patterns, any website with nefarious intentions (“cat”) could thus try to surreptitiously infer such patterns, thereby compromising users’ privacy and making them prone to targeted attacks. In this paper, we show how users’ personal information, specifically their demographic characteristics, could leak in the face of such mouse movement eavesdropping. As a concrete case study along this line, we present CATCHA, a mouse analytic attack system that gleans potentially sensitive demographic attributes—age group, gender, and educational background—based on mouse interactions with a game CAPTCHA system (a simple drag-and-drop animated object game to tell humans and machines apart).

CATCHA ’s algorithmic design follows the machine learning approach that predicts unknown demographic attributes based on a total of 64 mouse dynamics features extracted from within the CAPTCHA game, capturing users’ innate cognitive abilities and behavioral patterns. Based on a comprehensive data set of mouse movements with respect to a simple game CAPTCHA collected in an online environment, we show that CATCHA can identify the users’ demographics attributes with a high probability (almost all attributes with more than 85%), significantly better than random guessing (50%) and in a very short span of interaction time (about 14 s). We also provide a thorough statistical analysis and interpretation of differentiating features across the demographics attributes that make users susceptible to the CATCHA attack. Finally, we discuss potential extensions to our attack using other user interaction paradigms (e.g., other types of CAPTCHAs or typical web browsing interactions, and under longitudinal settings), and provide potential mitigation strategies to curb the impact of mouse movement eavesdropping.


  1. 1.
    InformAction: Noscript - JavaScript/Java/Flash blocker for a safer Firefox experience! - what is it? (2017). Accessed 28 Oct 2017
  2. 2.
    Ahmed, A.A.E., Traore, I.: Anomaly intrusion detection based on biometrics. In: IEEE SMC Information Assurance Workshop (2005)Google Scholar
  3. 3.
    Ahmed, A.A.E., Traore, I.: A new biometric technology based on mouse dynamics. IEEE Trans. Dependable Secur. Comput. 4, 165–179 (2007)CrossRefGoogle Scholar
  4. 4.
    Bergadano, F., Gunetti, D., Picardi, C.: Identity verification through dynamic keystroke analysis. Intell. Data Anal. 7, 469–496 (2003)CrossRefGoogle Scholar
  5. 5.
    Chrome Blog: Everyone can now track down noisy tabs (2017). Accessed 19 May 2017
  6. 6.
    Brodic, D., Petrovska, S., Jankovic, R., Amelio, A., Draganov, I.: User-centric analysis of the CAPTCHA response time: a new perspective in artificial intelligence. ERCIM News 109, 49–50 (2017)Google Scholar
  7. 7.
    Bursztein, E., Bethard, S., Fabry, C., Mitchell, J.C., Jurafsky, D.: How good are humans at solving CAPTCHAs? A large scale evaluation. In: IEEE Security and Privacy (S&P) (2010)Google Scholar
  8. 8.
    Carlson, E.L.: Phishing for elderly victims: as the elderly migrate to the internet fraudulent schemes targeting them follow. Elder LJ (2006) Google Scholar
  9. 9.
    Chen, M.C., Anderson, J.R., Sohn, M.H.: What can a mouse cursor tell us more?: correlation of eye/mouse movements on web browsing. In: Extended Abstracts on Human Factors in Computing Systems (2001)Google Scholar
  10. 10.
    Datta, A., Tschantz, M.C., Datta, A.: Automated experiments on ad privacy settings. Priv. Enhancing Technol. 2015, 92–112 (2015)CrossRefGoogle Scholar
  11. 11.
    Dowland, P.S., Furnell, S.M.: A long-term trial of keystroke profiling using digraph, trigraph and keyword latencies. In: Deswarte, Y., Cuppens, F., Jajodia, S., Wang, L. (eds.) SEC 2004. ITIFIP, vol. 147, pp. 275–289. Springer, Boston, MA (2004). Scholar
  12. 12.
    Eccles, L.: Money mail reveals why shops want your email address (2016). Accessed 24 Sept 2018
  13. 13.
    Eckersley, P.: How unique is your web browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010). Scholar
  14. 14.
    Eckersley, P.: Panopticlick (2010). Accessed 28 Oct 2017
  15. 15.
    Epp, C., Lippold, M., Mandryk, R.L.: Identifying emotional states using keystroke dynamics. In: SIGCHI Conference on Human Factors in Computing Systems. ACM (2011)Google Scholar
  16. 16.
    Fairhurst, M., Da Costa-Abreu, M.: Using keystroke dynamics for gender identification in social network environment. In: Imaging for Crime Detection and Prevention 2011 (ICDP 2011). IET (2011)Google Scholar
  17. 17.
    Firefox: Mute sound in Firefox tabs (2017). Accessed 19 May 2017
  18. 18.
    FunCaptcha: reCAPTCHA: easy on humans, hard on bots (2017). Accessed 13 May 2017
  19. 19.
    Gao, S., Mohamed, M., Saxena, N., Zhang, C.: Emerging image game CAPTCHAs for resisting automated and human-solver relay attacks. In: Annual Computer Security Applications Conference (2015)Google Scholar
  20. 20.
    Google Chrome: Change website permissions - google chrome (2017). Accessed 19 May 2017
  21. 21.
    Henry, N., Powell, A.: Embodied harms gender, shame, and technology-facilitated sexual violence. Violence Against Women 21, 758–779 (2015)CrossRefGoogle Scholar
  22. 22.
    Hertzum, M., Hornbæk, K.: How age affects pointing with mouse and touchpad: a comparison of young, adult, and elderly users. Int. J. Hum.-Comput. Interact. 26, 703–734 (2010)CrossRefGoogle Scholar
  23. 23.
    Hocquet, S., Ramel, J., Cardot, H.: Users authentication by a study of human computer interactions. In: Proceedings of the Eighth Annual (Doctoral) Meeting on Health, Science and Technology (2004)Google Scholar
  24. 24.
    Hu, J., Zeng, H.J., Li, H., Niu, C., Chen, Z.: Demographic prediction based on user’s browsing behavior. In: International Conference on World Wide Web (2007)Google Scholar
  25. 25.
    HuffingtonPost: ‘are you a human’ CAPTCHA game brings fun to web security (2018). Accessed 27 March 2018
  26. 26.
    Facebook Inc.: Data policy (2018). Accessed 19 Sept 2018
  27. 27.
    Google Inc.: reCAPTCHA: Easy on humans, hard on bots (2017). Accessed 17 May 2017
  28. 28.
    Google Inc.: Privacy policy - Google (2018). Accessed 19 Sept 2018
  29. 29.
    James, M.S.: Why do they want my phone number? (2016). Accessed 24 Sept 2018
  30. 30.
    Joyce, R., Gupta, G.: Identity authentication based on keystroke latencies. Commun. ACM 33, 168–176 (1990)CrossRefGoogle Scholar
  31. 31.
    Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the beast: diverting modern web browsers to build unique browser fingerprints. In: IEEE Symposium on Security and Privacy (SP) (2016)Google Scholar
  32. 32.
    Li, Q.: Cyberbullying in schools: a research of gender differences. Sch. Psychol. Int. 27, 157–170 (2006)CrossRefGoogle Scholar
  33. 33.
    Maxion, R.A., Killourhy, K.S.: Keystroke biometrics with number-pad input. In: Dependable Systems and Networks (DSN) (2010)Google Scholar
  34. 34.
    Mohamed, M., Gao, S., Saxena, N., Zhang, C.: Dynamic cognitive game captcha usability and detection of streaming-based farming. In: Workshop on Usable Security (USEC), co-located with NDSS (2014)Google Scholar
  35. 35.
    Mohamed, M., et al.: A three-way investigation of a game-CAPTCHA: automated attacks, relay attacks and usability. In: ACM Symposium on Information, Computer and Communications Security (2014)Google Scholar
  36. 36.
    Mohamed, M., Saxena, N.: Gametrics: towards attack-resilient behavioral authentication with simple cognitive games. In: Annual Conference on Computer Security Applications (2016)Google Scholar
  37. 37.
    Monaro, M., Gamberini, L., Sartori, G.: The detection of faked identity using unexpected questions and mouse dynamics. PloS One (2017)Google Scholar
  38. 38.
    Mouseflow (2017). Accessed 13 May 2017
  39. 39.
    Mowery, K., Bogenreif, D., Yilek, S., Shacham, H.: Fingerprinting information in JavaScript implementations. In: Proceedings of W2SP (2011)Google Scholar
  40. 40.
    Mulazzani, M., et al.: Fast and reliable browser identification with JavaScript engine fingerprinting. In: Web 2.0 Workshop on Security and Privacy (W2SP) (2013)Google Scholar
  41. 41.
    Olejnik, L., Castelluccia, C.: Of mice and men: mouse movements tracking and browser UI protections Google Scholar
  42. 42.
    Pentel, A.: Predicting age and gender by keystroke dynamics and mouse patterns. In: Conference on User Modeling, Adaptation and Personalization (2017)Google Scholar
  43. 43.
    Radinsky, K., Svore, K.M., Dumais, S., Teevan, J., Bocharov, A., Horvitz, E.: Modeling and predicting behavioral dynamics on the web (2012)Google Scholar
  44. 44.
    Rodden, K., Fu, X.: Exploring how mouse movements relate to eye movements on web search results pages. In: Web Information Seeking and Interaction (2007)Google Scholar
  45. 45.
    Sivakorn, S., Polakis, I., Keromytis, A.D.: I am robot: (deep) learning to break semantic image CAPTCHAs. In: IEEE European Symposium on Security and Privacy (EuroS&P) (2016)Google Scholar
  46. 46.
    The WindowsClub: how to setup Firefox permission manager for websites (2017). Accessed 19 May 2017
  47. 47.
    Tor: Tor project: Torbutton (2017). Accessed 13 May 2017
  48. 48.
    Ur, B., Leon, P.G., Cranor, L.F., Shay, R., Wang, Y.: Smart, useful, scary, creepy: perceptions of online behavioral advertising. In: Symposium on Usable Privacy and Security (2012)Google Scholar
  49. 49.
    Walker, N., Millians, J., Worden, A.: Mouse accelerations and performance of older computer users. In: Human Factors and Ergonomics Society Annual Meeting. SAGE Publications (1996)Google Scholar
  50. 50.
    Wang, G., Konolige, T., Wilson, C., Wang, X., Zheng, H., Zhao, B.Y.: You are how you click: clickstream analysis for sybil detection. In: USENIX Security Symposium (2013)Google Scholar
  51. 51.
    Wordpress: Are you a human - the fun spam blocker (2017). Accessed 13 May 2017
  52. 52.
    WSJ: Facebook tests software to track your cursor on screen (2013).
  53. 53.
    Yamauchi, T.: Mouse trajectories and state anxiety: feature selection with random forest. In: IEEE Affective Computing and Intelligent Interaction (ACII) (2013)Google Scholar
  54. 54.
    Yamauchi, T., Seo, J.H., Jett, N., Parks, G., Bowman, C.: Gender differences in mouse and cursor movements. Int. J. Hum.-Comput. Interact. 31, 911–921 (2015)CrossRefGoogle Scholar
  55. 55.
    Zheng, N., Paloski, A., Wang, H.: An efficient user verification system via mouse movements. In: Conference on Computer and Communications Security (2011)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Prakash Shrestha
    • 1
    Email author
  • Nitesh Saxena
    • 1
  • Ajaya Neupane
    • 2
  • Kiavash Satvat
    • 3
  1. 1.University of Alabama at BirminghamBirminghamUSA
  2. 2.University of CaliforniaRiversideUSA
  3. 3.University of Illinois at ChicagoChicagoUSA

Personalised recommendations