CAPTCHA Phishing: A Practical Attack on Human Interaction Proofing

  • Conference paper
Information Security and Cryptology (Inscrypt 2009)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6151)

Abstract

CAPTCHAs are widespread security measures on the World Wide Web that prevent automated programs from mass access. To overcome this obstacle, attackers generally use artificial intelligence techniques, which are not only complicated but also not adaptive enough. This paper addresses the issue of how to defeat complex CAPTCHAs with a social engineering method named CAPTCHA Phishing instead of AI techniques. We investigate each step of this attack in detail and propose the most effective way to carry it out. We then experimented with real Internet web sites and obtained positive results. Countermeasures to prevent this attack are also discussed.

This work is supported by 863 Foundation No.2006AA01Z454, and NSF No.70890084/G021102.

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kang, L., Xiang, J. (2010). CAPTCHA Phishing: A Practical Attack on Human Interaction Proofing. In: Bao, F., Yung, M., Lin, D., Jing, J. (eds) Information Security and Cryptology. Inscrypt 2009. Lecture Notes in Computer Science, vol 6151. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16342-5_30

  • DOI: https://doi.org/10.1007/978-3-642-16342-5_30

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-16341-8

  • Online ISBN: 978-3-642-16342-5