How the spammers plan to bypass CAPTCHA

Started by Thorin, November 01, 2007, 10:52:19 AM


Thorin

http://www.cbc.ca/technology/story/2007/11/01/tech-captcha-scam.html

Quote
The buxom, beautiful blonde who promises to remove her lingerie doesn't want your money. She's interested in your brain. Really.

The creation of online scammers, she's trying to trick unsuspecting internet users into helping the scammers break the online barriers that banks and e-mail services set up to thwart crooks.

The striptease is the latest attempt to defeat so-called CAPTCHA systems, which is short for "completely automated public Turing test to tell computers and humans apart." Those safeguards require users to prove they are human by reading oddly shaped jumbles of letters and numbers that appear in an image and typing them out.

In the new scam, an icon of an alluring woman suddenly appears on a Windows computer infected by a virus. After clicking on the icon, the user sees a photo of the woman who vows to take off an article of clothing each time the jumble of figures next to her is entered.

[..]

Paul Ferguson, network architect at Trend Micro, speculated that spammers might be using the results to write a program to automatically bypass CAPTCHA systems.

"I have to hand it to them," Ferguson said, laughing. "The social engineering aspect here is pretty clever."
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Darren Dirt

I recall hearing many years ago that the "Turing Test" images were being automated-hacked by simply hijacking the image (thru various means) and pasting that image onto [usually] "adult" sites to get unwitting "visitors" to manually enter in the values for the hackers... Not sure how the correct answers would get back to the hacker so that the automated system would then enter it on the REAL site, but I did hear of it generally, and was immediately surprised at how simple the very idea was.

I guess it's like the "make an application/interface idiot-proof, and they build a better idiot" type of cat-and-mouse game ;)
_____________________

Strive for progress. Not perfection.
_____________________

Shayne

Captcha is just like copy-protection.  The honest people suffer the most :(

The best Captcha system I have seen logged mouse movement.  If you got a mouse moving around the screen then you're not a bot sending out HTTP POSTs.

Darren Dirt

True... and that would use client-side Javascript, I presume?

If so, just make your
<input type="submit">
a
<input type="button" onclick="[your action code here]">
or better yet, <a href="#" onclick="[action]">text link</a>

or heck, the best:
document.write('<a href="#" onclick="[action]">text link</a>...')

Then a bot would have to have not only a Javascript parser to interpret how to get to the "submission" page, but a human being who understands where/how the click/submit event takes place :)


*bonus: make the form have no 'action=...' URL, so the Javascript "action code" actually sets document.forms[0].action="destination URL here". This would even prevent "document.forms[0].submit()" from working -- your "validation" code would have to run and pass and set form.action to the proper destination.

_____________________

Strive for progress. Not perfection.
_____________________

Shayne

Yup.  Another way of doing it is to have a form field on the page that is hidden through javascript and if the form gets submitted with a value in that form field then it was a spambot of sorts.  I've also seen simple questions like "What is 2 + 3 - 1?" instead of a normal CAPTCHA image.

Darren Dirt

Quote from: Shayne on November 01, 2007, 11:45:36 AM
Another way of doing it is to have a form field on the page that is hidden through javascript and if the form gets submitted with a value in that form field then it was a spambot of sorts.

Ooo -- that's like my idea of having a "non-existent" form.action as a default, then changing it after a human does something. But your idea is even simpler, and thus more sneaky ;)
_____________________

Strive for progress. Not perfection.
_____________________