12 December 2007 - 7:55Striptease - An Inventive Method of Decoding CAPTCHA Images

Malware authors who are sick and tired have discovered an inventive new method of decoding CAPTCHA images from legitimate sites by using a striptease. The striptease game has been identified by Trend Micro as TROJ_CAPTCHAR.A.

Players receive “assistance” with decoding by entering the hidden letters with the CAPTCHA or Completely Automated Public Turing test to tell Computers and Humans Apart. Whenever a player guesses correctly, more clothing is removed from photos of a woman named “Melissa.”

Trend Micro believes that the CAPTCHAs were taken as a result of a storehouse of Yahoo account information, likely used for spamming.

CAPTCHAs distinguish human users from automated processes, and they were initially used to guard against automated software such as spam generators and bots. They prevent automated postings to forums and blogs and minimize the spamming of webmail services. Visitors decipher specific alphanumeric characters that are embedded in an image that machines can’t read. However, they are not foolproof; Optical Character Recognition can foil the tests.

Roderick Ordoñez of TrendLabs addressed this recent CAPTCHA ploy stating: “Some people are really hooked up on defeating the CAPTCHA, and they are literally asking for public help, in a rather discreet—and, um, provocative—manner.”

The striptease players enter answers which are then route to a remote server. At this point, another user matches the actual code for a given CAPTCHA displayed on Yahoo’s site.

For all the latest news and reviews regarding security coverage, be sure to visit eWEEK.com’s Security Center or eWEEK’s Security Watch blog.