On Wed, Jul 28, 2010 at 14:15, Brion Vibber <brion(a)pobox.com> wrote:
> There are service firms
> that simply employ lots of people to type in captchas on your spambot's
> behalf.

A number of porn sites work this way. When someone tries to access
the freebie section of a porn site, they see a captcha. It's copied
from the site they are trying to attack. The attack is conducted live
as the porn site user tries to get in. That user types the captcha
content which is passed along to the attacked site. The attack is
successful and the porn viewer gets a little reward. It works because
the attack is made when a user is available, so the captcha usually
will not expire in that short time frame. As long as the people doing
the attack understand the security mechanism of the target site, they
can replicate it on their porn site and get other humans to do it for
them, for a little reward.

Defeating this can be hard to do. The attacks are usually relayed
through botnets. So all the accesses look like they are just coming
from random home users (and not a bunch from one common IP address).
There is relatively little lag between display of the captcha or
whatever other mechanism is used, and the response of that user, so it
looks like normal timing from a human (because it really is).

Anyway, people don't need to be employed to do this. There are lots
of hormone-starved teenagers willing, for a little reward.
--
sHiFt HaPpEnS!