DOI: 10.1145/1774088.1774483
research-article

CAPTCHA smuggling: hijacking web browsing sessions to create CAPTCHA farms

Published: 22 March 2010

ABSTRACT

CAPTCHAs protect online resources and services from automated access. From an attacker's point of view, they are typically perceived as an annoyance that prevents the mass creation of accounts or the automated posting of messages. Hence, miscreants strive to effectively bypass these protection mechanisms, using techniques such as optical character recognition or machine learning. However, as CAPTCHA systems evolve, they become more resilient against automated analysis approaches.

In this paper, we introduce and evaluate an attack that we denote as CAPTCHA smuggling. To perform CAPTCHA smuggling, the attacker slips CAPTCHA challenges into the web browsing sessions of unsuspecting victims, misusing their ability to solve these challenges. A key point of our attack is that the CAPTCHAs are surreptitiously injected into interactions with benign web applications (such as web mail or social networking sites). As a result, they are perceived as a normal part of the application and raise no suspicion. Our evaluation, based on realistic user experiments, shows that CAPTCHA smuggling attacks are feasible in practice.


Published in

SAC '10: Proceedings of the 2010 ACM Symposium on Applied Computing
March 2010
2712 pages
ISBN: 9781605586397
DOI: 10.1145/1774088

Copyright © 2010 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

SAC '10 paper acceptance rate: 364 of 1,353 submissions (27%). Overall acceptance rate: 1,650 of 6,669 submissions (25%).
