
Hackers hiding malware behind Captcha

Hackers are hiding malware behind a CAPTCHA to evade email security gateways. This technique also helps attackers establish the apparent authenticity of the email.

Attackers use a variety of social engineering methods to trick users into believing them.

A new email campaign, sent from an address at @avis.ne.jp, alerts recipients that they have received a voice message. A preview of the voice message attached to the email tempts users into listening to the full message.

The email contains a play button that directs users to a page containing a CAPTCHA; this step is meant to defeat automated analysis tools and secure email gateways.

The malicious page asks users to select a Microsoft account to log in; when the victim logs in, all their credentials are captured.

“Both pages are legitimate Microsoft top-level domains, so when checking these against domain reputation databases we receive a false negative and the pages come back as safe,” reads Cofense report.

Before clicking on any link in an email, the user should check whether the destination website is safe.
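The post's point is that a domain-reputation lookup alone returned "safe" for pages that were in fact a CAPTCHA gate followed by a credential form. The following is an added example, not code from the post or the Cofense report: a small triage heuristic for an email-link sandbox that combines the content signals the post describes (voicemail lure, CAPTCHA gate, password form posting off-host) with the reputation result, so that reputation cannot clear a link on its own. The hosts, the reputation table and the sample email and HTML are constructed assumptions.

```python
# Added example, not code from the original post or the Cofense report: a
# small triage heuristic for an email-link sandbox that layers the content
# signals the post describes on top of a domain-reputation lookup, so that a
# reputation result of "safe" cannot on its own produce a clean verdict.
# All sample inputs are constructed; the reputation table is a stub.
import re
from urllib.parse import urlparse

LURE_PHRASES = ("voice message", "voicemail", "listen to the full message")
CAPTCHA_MARKERS = ("g-recaptcha", "h-captcha", "data-sitekey", "captcha")
FORM_ACTION = re.compile(r'<form[^>]*\baction="([^"]*)"', re.IGNORECASE)

def reputation_is_safe(url, reputation):
    """Stub lookup: unknown hosts count as safe, mirroring the false negative
    the post describes when the phishing page sits on a legitimate domain."""
    return reputation.get(urlparse(url).netloc, "safe") == "safe"

def triage(email_body, landing_url, landing_html, reputation):
    """Return (verdict, reasons); 'suspicious' needs two content signals."""
    reasons = []
    if any(p in email_body.lower() for p in LURE_PHRASES):
        reasons.append("voicemail lure in email body")
    html = landing_html.lower()
    if any(m in html for m in CAPTCHA_MARKERS):
        reasons.append("captcha gate before page content")
    host = urlparse(landing_url).netloc
    # A password form that posts to a host other than the page's own is the
    # credential-harvesting shape; that the attacker's form action points
    # off-host is our assumption, not something the post states.
    if 'type="password"' in html:
        for action in FORM_ACTION.findall(landing_html):
            target = urlparse(action).netloc
            if target and target != host:
                reasons.append(f"password form posts to {target}")
    if reputation_is_safe(landing_url, reputation):
        reasons.append("domain reputation returned safe (not conclusive)")
    content_signals = [r for r in reasons if not r.startswith("domain reputation")]
    return ("suspicious" if len(content_signals) >= 2 else "benign"), reasons

# Constructed sample: voicemail lure, CAPTCHA gate, then a login form on a
# placeholder "legitimate" host that posts credentials elsewhere.
SAMPLE_EMAIL = "You have a new voice message. Press play to listen to the full message."
SAMPLE_URL = "https://legit-cloud.example/tenant/voicemail"
SAMPLE_HTML = ('<div class="g-recaptcha" data-sitekey="X"></div>'
               '<form action="https://collector.invalid/post">'
               '<input type="password" name="pw"></form>')
SAMPLE_REPUTATION = {"legit-cloud.example": "safe"}
```

Calling `triage(SAMPLE_EMAIL, SAMPLE_URL, SAMPLE_HTML, SAMPLE_REPUTATION)` returns a "suspicious" verdict even though the reputation stub reports the host as safe.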


Trojan bypasses captcha to dupe users

New malware targeting Android users has been identified which has the ability to bypass user verification steps in order to subscribe people to premium services.

The malware, identified as Trojan-SMS.AndroidOS.Podec, can bypass CAPTCHA verification or Advice of Charge (a notification that informs users about charges and seeks payment authorization), and send messages to premium numbers or subscribe users to premium-rate services.

The CAPTCHA recognition part is what makes this Trojan so devious: the malware communicates with an image-to-text translation provider called Antigate, where a human transcribes the CAPTCHA image into text and relays it back. The text is then inserted into the verification field, so the verification happens without user consent and can be exploited to extract money regularly and covertly. Users would have a hard time identifying the source of the deductions from their accounts.

So far it has been circulating in Russia and neighbouring countries, with infections originating from servers of the popular Russian social network VKontakte or from domains with imposing names like Apk-downlad3.ru, minergamevip.com, etc.

The malware is mostly spread through a number of groups on social networks, all of which post or link to supposedly cracked versions of popular Android games. These groups are managed by the same administrator.

The use of keywords in the groups' descriptions and the hosting of fake sites, all built around one idea, place the groups or sites at the top of search results, indicating the involvement of black-hat SEO specialists.

Kaspersky Lab's analysts analysed the Trojan, which in one case was masquerading as 'Minecraft Pocket Edition'. It relies on users being drawn to download it by how lightweight the app is.

On launch, the application asks for administrator privileges; if granted, this makes it impossible for the user or a security solution to delete it. If the user rejects the request, the Trojan repeats it until the privilege is granted. After receiving administrator privileges, the legitimate Minecraft is downloaded. After installation the Trojan removes its own shortcut, replaces it with the Minecraft shortcut and erases its traces from the device administrator list. If the user somehow tries to delete it, the phone shuts down, locks the screen or shows other erratic behaviour. The Trojan also has the potential to exploit super-user privileges, which some users might have.

Analysis of the malware shows diligent effort on the part of the cybercriminals. They have introduced garbage classes and obfuscation into the code and have also used an expensive legitimate code protector to make access to the source code difficult. Moreover, when communicating for instructions the Trojan uses an adaptive list of command-and-control domains, so even if one domain is blocked on suspicion, others can be used.

It is suspected that the Trojan is undergoing further development, with newer capabilities being added.

In light of such circumstances, as a user it is best to be wary of free services, avoid suspicious links and download only from official sources like the Google Play Store.
(For more information visit SecureList.)

CAPTCHA Security On popular sites hacked using Automated Tool


Researchers Elie Bursztein, Matthieu Martin and John C. Mitchell, from Stanford University, developed an automated tool that can break the text-based anti-spam test used on many popular sites.

To block spam comments and automated registration, websites use a CAPTCHA security test. For example, whenever you register on a forum, it asks you to enter the exact text shown in an image.

They tested their tool against 15 popular websites; 13 of the 15 sites were vulnerable to the automated attack.

The success rate on Visa's Authorize.net payment gateway was 66%, and 70% on Blizzard's World of Warcraft portal. Other interesting results were registered on eBay, whose CAPTCHA implementation failed 43% of the time, and on Wikipedia, where one in four attempts was successful. Lower, but still significant, success rates were found on Digg, CNN and Baidu: 20%, 16% and 5% respectively. Megaupload had the highest success rate, at 93%.

The only tested sites where CAPTCHAs couldn't be broken were Google and reCAPTCHA.


After these test results came out, Authorize.net and Digg switched to reCAPTCHA.

The researchers, Elie Bursztein, Matthieu Martin and John C. Mitchell, have also developed techniques to break audio CAPTCHAs on sites such as Microsoft, eBay, Yahoo and Digg, and presented their latest research at the recent ACM Conference on Computer and Communications Security in Chicago.

Download the full report:
https://cdn.elie.net/publications/text-based-captcha-strengths-and-weaknesses.pdf