Abstract
CAPTCHAs are widespread security measures on the World Wide Web that prevent automated programs from massive access. To overcome this obstacle attackers generally utilize artificial intelligence technology, which is not only complicated but also not adaptive enough. This paper addresses on the issue of how to defeat complex CAPTCHAs with a social engineering method named CAPTCHA Phishing instead of AI techniques. We investigated each step of this attack in detail and proposed the most effective way to attack. Then we did experiment with real Internet web sites and obtained a positive results. The countermeasures to prevent this attack are also discussed.
This work is supported by 863 Foundation No.2006AA01Z454, and NSF No.70890084/G021102.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Asirra: a captcha that exploits interest-aligned manual image categorization. In: 14th ACM Conference on Computer and Communications Security, pp. 366–374. ACM Press, New York (2007)
Ahn, L.V., Blum, M., Langford, J.: Telling humans and computers apart automatically. Commun. 47(2), 56–60 (2004)
Badra, M., El-Sawda, S., Hajjeh, I.: Phishing attacks and solutions. In: 3rd International Conference on Mobile Multimedia Communications, ICST, Brussels, Belgium, pp. 1–6 (2007)
Caine, A., Hengartner, U.: The ai hardness of captchas does not imply robust network security, pp. 367–382 (2007)
captcha site.: http://www.captcha.net/
Chellapilla, K., Simard, P.Y.: Using machine learning to break visual human interaction proofs (hips). In: NIPS (2004)
Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 581–590. ACM Press, New York (2006)
Golle, P.: Machine learning attacks against the asirra captcha. In: 15th ACM Conference on Computer and Communications Security, pp. 535–542. ACM Press, New York (2008)
Golle, P., Ducheneaut, N.: Keeping bots out of online games. In: 2005 ACM SIGCHI International Conference on Advances in Computer Entertainment Technology, pp. 262–265. ACM Press, New York (2005)
Halprin, R.: Dependent captchas: Preventing the relay attack (2009)
Mori, G., Malik, J.: Recognizing objects in adversarial clutter: breaking a visual captcha. In: Proceedings of 2003 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, vol. 1, pp. I-134–I-141. IEEE Press, Los Alamitos (2003)
Moy, G., Jones, N., Harkless, C., Potter, R.: Distortion estimation techniques in solving visual captchas. In: Proceedings of the 2004 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, CVPR 2004, vol. 2, pp. II-23–II-28 (2004)
Boing Boing: Solving and creating captchas with free porn (2004), http://boingboing.net/2004/01/27/solvingandcreating.html
Inside India’s CAPTCHA solving economy describes (2008), http://blogs.zdnet.com/security/p=1835
Ahn, L.V., Maurer, B., Mcmillen, C., Abraham, D., Blum, M.: Recaptcha: Human-based character recognition via web security measures. Science, 1160379 (2008)
Yan, J., Ahmad, A.S.: Breaking visual captchas with naive pattern recognition algorithms. In: 23th Annual Computer Security Applications Conference, pp. 279–291 (2007)
Yan, J., Ahmad, A.S.: A low-cost attack on a microsoft captcha. In: 15th ACM Conference on Computer and Communications Security, pp. 543–554. ACM, New York (2008)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kang, L., Xiang, J. (2010). CAPTCHA Phishing: A Practical Attack on Human Interaction Proofing. In: Bao, F., Yung, M., Lin, D., Jing, J. (eds) Information Security and Cryptology. Inscrypt 2009. Lecture Notes in Computer Science, vol 6151. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16342-5_30
Download citation
DOI: https://doi.org/10.1007/978-3-642-16342-5_30
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-16341-8
Online ISBN: 978-3-642-16342-5
eBook Packages: Computer ScienceComputer Science (R0)