CAPTCHAs protect online resources and services from automated access. From an attacker's point of view, they are typically perceived as an annoyance that prevents the mass creation of accounts or the automated posting of messages. Hence, miscreants strive to effectively bypass these protection mechanisms, using techniques such as optical character recognition or machine learning. However, as CAPTCHA systems evolve, they become more resilient against automated analysis approaches. In this paper, we introduce and evaluate an attack that we denote as CAPTCHA smuggling. To perform CAPTCHA smuggling, the attacker slips CAPTCHA challenges into the web browsing sessions of unsuspecting victims, misusing their ability to solve these challenges. A key point of our attack is that the CAPTCHAs are surreptitiously injected into interactions with benign web applications (such as web mail or social networking sites). As a result, they are perceived as a normal part of the application and raise no suspicion. Our evaluation, based on realistic user experiments, shows that CAPTCHA smuggling attacks are feasible in practice.