CAPTCHA Phishing: A Practical Attack on Human Interaction Proofing
CAPTCHAs are widespread security measures on the World Wide Web that prevent automated programs from gaining mass access. To overcome this obstacle, attackers generally use artificial intelligence technology, which is not only complicated but also not adaptive enough. This paper addresses the issue of how to defeat complex CAPTCHAs with a social engineering method named CAPTCHA Phishing instead of AI techniques. We investigated each step of this attack in detail and proposed the most effective way to attack. We then ran experiments with real Internet web sites and obtained positive results. Countermeasures to prevent this attack are also discussed.