Advertisement

CAPTCHA Phishing: A Practical Attack on Human Interaction Proofing

  • Le Kang
  • Ji Xiang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6151)

Abstract

CAPTCHAs are widespread security measures on the World Wide Web that prevent automated programs from massive access. To overcome this obstacle attackers generally utilize artificial intelligence technology, which is not only complicated but also not adaptive enough. This paper addresses on the issue of how to defeat complex CAPTCHAs with a social engineering method named CAPTCHA Phishing instead of AI techniques. We investigated each step of this attack in detail and proposed the most effective way to attack. Then we did experiment with real Internet web sites and obtained a positive results. The countermeasures to prevent this attack are also discussed.

Keywords

CAPTCHA phishing 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Asirra: a captcha that exploits interest-aligned manual image categorization. In: 14th ACM Conference on Computer and Communications Security, pp. 366–374. ACM Press, New York (2007)Google Scholar
  2. 2.
    Ahn, L.V., Blum, M., Langford, J.: Telling humans and computers apart automatically. Commun. 47(2), 56–60 (2004)Google Scholar
  3. 3.
    Badra, M., El-Sawda, S., Hajjeh, I.: Phishing attacks and solutions. In: 3rd International Conference on Mobile Multimedia Communications, ICST, Brussels, Belgium, pp. 1–6 (2007)Google Scholar
  4. 4.
    Caine, A., Hengartner, U.: The ai hardness of captchas does not imply robust network security, pp. 367–382 (2007)Google Scholar
  5. 5.
    captcha site.: http://www.captcha.net/
  6. 6.
    Chellapilla, K., Simard, P.Y.: Using machine learning to break visual human interaction proofs (hips). In: NIPS (2004)Google Scholar
  7. 7.
    Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 581–590. ACM Press, New York (2006)CrossRefGoogle Scholar
  8. 8.
    Golle, P.: Machine learning attacks against the asirra captcha. In: 15th ACM Conference on Computer and Communications Security, pp. 535–542. ACM Press, New York (2008)CrossRefGoogle Scholar
  9. 9.
    Golle, P., Ducheneaut, N.: Keeping bots out of online games. In: 2005 ACM SIGCHI International Conference on Advances in Computer Entertainment Technology, pp. 262–265. ACM Press, New York (2005)CrossRefGoogle Scholar
  10. 10.
    Halprin, R.: Dependent captchas: Preventing the relay attack (2009)Google Scholar
  11. 11.
    Mori, G., Malik, J.: Recognizing objects in adversarial clutter: breaking a visual captcha. In: Proceedings of 2003 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, vol. 1, pp. I-134–I-141. IEEE Press, Los Alamitos (2003)Google Scholar
  12. 12.
    Moy, G., Jones, N., Harkless, C., Potter, R.: Distortion estimation techniques in solving visual captchas. In: Proceedings of the 2004 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, CVPR 2004, vol. 2, pp. II-23–II-28 (2004)Google Scholar
  13. 13.
    Boing Boing: Solving and creating captchas with free porn (2004), http://boingboing.net/2004/01/27/solvingandcreating.html
  14. 14.
    Inside India’s CAPTCHA solving economy describes (2008), http://blogs.zdnet.com/security/p=1835
  15. 15.
    Ahn, L.V., Maurer, B., Mcmillen, C., Abraham, D., Blum, M.: Recaptcha: Human-based character recognition via web security measures. Science, 1160379 (2008)Google Scholar
  16. 16.
    Yan, J., Ahmad, A.S.: Breaking visual captchas with naive pattern recognition algorithms. In: 23th Annual Computer Security Applications Conference, pp. 279–291 (2007)Google Scholar
  17. 17.
    Yan, J., Ahmad, A.S.: A low-cost attack on a microsoft captcha. In: 15th ACM Conference on Computer and Communications Security, pp. 543–554. ACM, New York (2008)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Le Kang
    • 1
  • Ji Xiang
    • 1
  1. 1.State Key Laboratory of Information SecurityChinese Academy of ScienceBeijingChina

Personalised recommendations