A virtual stripper named “Melissa” that promises to progressively remove items of clothing for viewers who solve online CAPTCHAs is actually part of a scheme by spammers to crack web site registration traps meant to keep them out, reported security researchers this week.
Every time a user correctly enters the text on a CAPTCHA, the user is rewarded by Melissa removing another item of clothing. The catch is that the CAPTCHAs are being fed from real services, like Yahoo! Mail’s signup process. So users looking for a free skin show are actually helping spammers and scammers thwart online security measures that usually keep their robots out.
“They’re using human beings in semi-real time to translate CAPTCHAs by proxy,” Paul Ferguson, a network architect at Trend Micro, told IDG News. “You have to give them this, it’s clever.” Certainly it is. Human intelligence has often been used in this way to solve problems that computers struggle with. We’ve previously reported on the reCAPTCHA system (here), which uses the spam-fighting images to digitize books, and on GalaxyZoo (here), which utilizes human input to identify and categorize galaxies.
According to Trend Micro, the Melissa striptease is part of a Trojan called CAPTCHA.a (Symantec calls it Captchar.a) that attacks Windows PCs. This isn’t the first time spammers have employed humans to try to crack CAPTCHAs, said Trend Micro. “Work-at-home money mule schemes run by criminals have hired people to do this same thing,” Ferguson told IDG. “They’re told to log on to this Web page and type the CAPTCHA. They have a quota.”
For now the threat appears to be benign — used only to register free email accounts to flood chat rooms with unsolicited marketing pitches — but there is a worry among security researchers that the same technique could be used for something more diabolic, like breaking into financial institution web sites.