Sometimes, when we speak about social engineering, we think about people on the other end of the phone trying to get our passwords to gain unauthorized access to our accounts. Once that data is in their hands, panic spreads: intrusions into companies, espionage, identity theft… all the classic goals of this kind of attack.

But let’s not forget the underlying purpose of social engineering. That is why I particularly like the following definition, which I think captures the essence of these attacks: “the art and science of getting people to comply with your wishes”.

With that definition in mind, this week at PandaLabs we have discovered a new way to apply this concept. It is very simple and pleasant: you receive a small application on your desktop that shows a woman offering you a striptease.

Melissa

How can we take off this woman’s clothes? Just type the few letters displayed next to her, as shown in the following image:

Melissa

Hmmm, do you recognise this kind of image? Yes, it’s a captcha (Completely Automated Public Turing Test to Tell Computers and Humans Apart). Now look at yourself: you have become a human captcha-solving machine. Each time you type the correct interpretation of the image, you are handing over exactly the information needed to bypass the protection of the targeted site. This attack could be used to create e-mail accounts in bulk, to post comments, and to abuse any other service that relies on a captcha to tell a person from a computer. In this particular case, the captchas were from Yahoo.

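The scheme works because a captcha only proves that *someone* typed the letters, not *who* or *how quickly*. Below is an added illustration (not code from PandaLabs or from the trojan) of the server-side properties that blunt a human relay of this kind: each challenge is bound to the session that requested it, expires after a short window (relaying the image to a remote victim and waiting for a reply adds seconds), and can be redeemed only once. The 20-second TTL and the fake clock are assumptions chosen for the demonstration.

```python
import hmac
import time

TTL_SECONDS = 20  # assumption: tight window chosen for illustration


class CaptchaStore:
    """In-memory store of issued captcha challenges (constructed example)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # challenge_id -> (session_id, answer, issued_at)

    def issue(self, session_id, answer):
        """Register a challenge for this session and return its id.
        A new challenge replaces any earlier one still pending for the session."""
        self._pending = {cid: rec for cid, rec in self._pending.items()
                         if rec[0] != session_id}
        challenge_id = f"c{len(self._pending) + 1}-{int(self._clock())}"
        self._pending[challenge_id] = (session_id, answer, self._clock())
        return challenge_id

    def verify(self, session_id, challenge_id, typed):
        """Check a submitted solution; every outcome consumes the challenge."""
        record = self._pending.pop(challenge_id, None)  # single use
        if record is None:
            return "unknown_or_used"
        owner, answer, issued_at = record
        if owner != session_id:
            return "session_mismatch"
        if self._clock() - issued_at > TTL_SECONDS:
            return "expired"
        if not hmac.compare_digest(typed.strip().lower(), answer.lower()):
            return "wrong"
        return "ok"


class FakeClock:
    """Controllable clock so the relay delay can be simulated deterministically."""
    def __init__(self, now=1000.0):
        self.now = now

    def __call__(self):
        return self.now


def relay_demo():
    """Constructed timeline: a relayed answer arrives late; a prompt answer works once."""
    clock = FakeClock()
    store = CaptchaStore(clock)
    late_id = store.issue("session-A", "xk7q")
    clock.now += 45            # image forwarded to a victim, answer relayed back
    late = store.verify("session-A", late_id, "xk7q")
    fresh_id = store.issue("session-A", "m3pz")
    clock.now += 5             # solved directly, within the window
    first = store.verify("session-A", fresh_id, "m3pz")
    replay = store.verify("session-A", fresh_id, "m3pz")
    return late, first, replay
```

Combined with per-source rate limiting, the expiry and single-use checks turn a relay pipeline's own latency into a detection signal.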
A sample of this client-side application is detected as Trj/RompeCaptchas.A (RompeCaptchas translates as Captcha Breaker).

Thanks a lot to Unai Fernández & Francisco Berenguer for this post.