Proceedings ArticleDOI

Tell Me About Yourself: The Malicious CAPTCHA Attack

TL;DR: The malicious CAPTCHA attack is presented, allowing a rogue website to trick users into unknowingly disclosing their private information, which includes name, phone number, email and physical addresses, search history, preferences, partial credit card numbers, and more.
Abstract: We present the malicious CAPTCHA attack, allowing a rogue website to trick users into unknowingly disclosing their private information. The rogue site displays the private information to the user in an obfuscated manner, as if it is a CAPTCHA challenge; the user is unaware that solving the CAPTCHA results in disclosing private information. This circumvents the Same Origin Policy (SOP), whose goal is to prevent access by rogue sites to private information, by exploiting the fact that many websites allow display of private information (to the user) upon requests from any (even rogue) website. Information so disclosed includes name, phone number, email and physical addresses, search history, preferences, partial credit card numbers, and more. The vulnerability is common and the attack works for many popular sites, including nine out of the ten most popular websites. We evaluated the attack using IRB-approved, ethical user experiments.
Citations
Journal ArticleDOI
TL;DR: A systematic, comprehensive and easy-to-follow review of the past and current phishing approaches is presented here and will give a better understanding of the characteristics of the existing phishing techniques which then acts as a stepping stone to the development of a holistic anti-phishing system.
Abstract: Phishing was a threat in the cyber world a couple of decades ago and still is today. It has grown and evolved over the years as phishers are getting creative in planning and executing the attacks. Thus, there is a need for a review of the past and current phishing approaches. A systematic, comprehensive and easy-to-follow review of these approaches is presented here. The relevant mediums and vectors of these approaches are identified for each approach. The medium is the platform on which the approaches reside and the vector is the means of propagation utilised by the phisher to deploy the attack. The paper focuses primarily on the detailed discussion of these approaches. The combination of these approaches that the phishers utilised in conducting their phishing attacks is also discussed. This review will give a better understanding of the characteristics of the existing phishing techniques, which then acts as a stepping stone to the development of a holistic anti-phishing system. This review creates awareness of these phishing techniques and encourages the practice of phishing prevention among the readers. Furthermore, this review will gear the research direction through the types of phishing, while also allowing the identification of areas where the anti-phishing effort is lacking. This review will benefit not only the developers of anti-phishing techniques but the policy makers as well.

182 citations

Journal ArticleDOI
TL;DR: The aims of this paper are to build awareness of phishing techniques, educate individuals about these attacks, and encourage the use of phishing prevention techniques, in addition to encouraging discourse among the professional community about this topic.
Abstract: Phishing attacks, which have existed for several decades and continue to be a major problem today, constitute a severe threat in the cyber world. Attackers are adopting multiple new and creative methods through which to conduct phishing attacks, which are growing rapidly. Therefore, there is a need to conduct a comprehensive review of past and current phishing approaches. In this paper, a review of the approaches used during phishing attacks is presented. This paper comprises a literature review, followed by a comprehensive examination of the characteristics of the existing classic, modern, and cutting-edge phishing attack techniques. The aims of this paper are to build awareness of phishing techniques, educate individuals about these attacks, and encourage the use of phishing prevention techniques, in addition to encouraging discourse among the professional community about this topic.

70 citations

Proceedings ArticleDOI
22 May 2017
TL;DR: The password reset MitM (PRMitM) attack is presented and how it can be used to take over user accounts and a list of recommendations for implementing and auditing the password reset process is presented.
Abstract: We present the password reset MitM (PRMitM) attack and show how it can be used to take over user accounts. The PRMitM attack exploits the similarity of the registration and password reset processes to launch a man in the middle (MitM) attack at the application level. The attacker initiates a password reset process with a website and forwards every challenge to the victim who either wishes to register in the attacking site or to access a particular resource on it. The attack has several variants, including exploitation of a password reset process that relies on the victim's mobile phone, using either SMS or phone call. We evaluated the PRMitM attacks on Google and Facebook users in several experiments, and found that their password reset process is vulnerable to the PRMitM attack. Other websites and some popular mobile applications are vulnerable as well. Although solutions seem trivial in some cases, our experiments show that the straightforward solutions are not as effective as expected. We designed and evaluated two secure password reset processes and evaluated them on users of Google and Facebook. Our results indicate a significant improvement in the security. Since millions of accounts are currently vulnerable to the PRMitM attack, we also present a list of recommendations for implementing and auditing the password reset process.

36 citations


Cites background from "Tell Me About Yourself: The Malicio..."

  • ...When a user initiates a registration process in the attacker’s website, the attacker either asks the user to identify herself with her email address or launches another cross-site attack to extract it [14]–[18]....

  • ...For some websites, the attacker may be able to use cross-site attacks such as cross-site scripting [14], cross-site script inclusion [17], or newer techniques [18], [19] to gather details about the user....

  • ...[16], [18] users must also be authenticated to the attacked website....

Posted Content
TL;DR: An efficient and simple end-to-end attack method based on cycle-consistent generative adversarial networks that efficiently cracked the CAPTCHA schemes deployed by 10 popular websites is proposed.
Abstract: As a widely deployed security scheme, text-based CAPTCHAs have become more and more difficult to resist machine learning-based attacks. So far, many researchers have conducted attacking research on text-based CAPTCHAs deployed by different companies (such as Microsoft, Amazon, and Apple) and achieved certain results. However, most of these attacks have some shortcomings, such as poor portability of attack methods, requiring a series of data preprocessing steps, and relying on large amounts of labeled CAPTCHAs. In this paper, we propose an efficient and simple end-to-end attack method based on cycle-consistent generative adversarial networks. Compared with previous studies, our method greatly reduces the cost of data labeling. In addition, this method has high portability. It can attack common text-based CAPTCHA schemes only by modifying a few configuration parameters, which makes the attack easier. Firstly, we train CAPTCHA synthesizers based on the cycle-GAN to generate some fake samples. Basic recognizers based on the convolutional recurrent neural network are trained with the fake data. Subsequently, an active transfer learning method is employed to optimize the basic recognizer utilizing tiny amounts of labeled real-world CAPTCHA samples. Our approach efficiently cracked the CAPTCHA schemes deployed by 10 popular websites, indicating that our attack is likely very general. Additionally, we analyzed the current most popular anti-recognition mechanisms. The results show that the combination of more anti-recognition mechanisms can improve the security of CAPTCHA, but the improvement is limited. Conversely, generating more complex CAPTCHAs may cost more resources and reduce the availability of CAPTCHAs.

15 citations


Cites background from "Tell Me About Yourself: The Malicio..."

  • ...Therefore, researchers have proposed a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) mechanism to generate a test for the computer to confirm whether the remote user is human automatically [3]....

Journal ArticleDOI
27 Mar 2017
TL;DR: The making of history of technology is in itself a challenge, but making Internet history is a goal that is likely to be overly ambitious, given the breadth and complexity of such a technological artefact and of social relations that it entails as discussed by the authors.
Abstract: The making of history of technology is in itself a challenge, but making Internet history is a goal that is likely to be overly ambitious, given the breadth and complexity of such a technological artefact and of the social relations that it entails. One way to reduce the difficulties presented by this objective is to think in terms of urgent research directions. In this short article, I propose eight themes that I think are unavoidable for scholars who want to accept the challenge of doing research on the history of the Internet.

14 citations

References
Journal ArticleDOI
12 Sep 2008-Science
TL;DR: This research explored whether human effort can be channeled into a useful purpose: helping to digitize old printed material by asking users to decipher scanned words from books that computerized optical character recognition failed to recognize.
Abstract: CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) are widespread security measures on the World Wide Web that prevent automated programs from abusing online services. They do so by asking humans to perform a task that computers cannot yet perform, such as deciphering distorted characters. Our research explored whether such human effort can be channeled into a useful purpose: helping to digitize old printed material by asking users to decipher scanned words from books that computerized optical character recognition failed to recognize. We showed that this method can transcribe text with a word accuracy exceeding 99%, matching the guarantee of professional human transcribers. Our apparatus is deployed in more than 40,000 Web sites and has transcribed over 440 million words.

1,155 citations


"Tell Me About Yourself: The Malicio..." refers methods in this paper

  • ...In addition to its basic graphical layout and design that was based on the popular reCAPTCHA [27], our CAPTCHA implementation differed...

  • ...The ReCAPTCHA project [27] used the text challenge to include images of words that optical character recognition...

Journal ArticleDOI
TL;DR: Sometimes a "friendly" email message tempts recipients to reveal more online than they otherwise would, playing right into the sender's hand.
Abstract: Sometimes a "friendly" email message tempts recipients to reveal more online than they otherwise would, playing right into the sender's hand.

995 citations

Proceedings ArticleDOI
08 May 2007
TL;DR: It is shown that the time web sites take to respond to HTTP requests can leak private information, using two different types of attacks: direct timing and cross-site timing.
Abstract: We show that the time web sites take to respond to HTTP requests can leak private information, using two different types of attacks. The first, direct timing, directly measures response times from a web site to expose private information such as the validity of a username at a secured site or the number of private photos in a publicly viewable gallery. The second, cross-site timing, enables a malicious web site to obtain information from the user's perspective at another site. For example, a malicious site can learn if the user is currently logged in at a victim site and, in some cases, the number of objects in the user's shopping cart. Our experiments suggest that these timing vulnerabilities are widespread. We explain in detail how and why these attacks work, and discuss methods for writing web application code that resists these attacks.

176 citations


Additional excerpts

  • ...known cross-site login detection techniques [6,13,20,26]....

Proceedings Article
08 Aug 2012
TL;DR: A new defense, InContext, is proposed, in which web sites mark UI elements that are sensitive, and browsers enforce context integrity of user actions on these sensitive UI elements, ensuring that a user sees everything she should see before her action and that the timing of the action corresponds to her intent.
Abstract: Clickjacking attacks are an emerging threat on the web. In this paper, we design new clickjacking attack variants using existing techniques and demonstrate that existing clickjacking defenses are insufficient. Our attacks show that clickjacking can cause severe damages, including compromising a user's private webcam, email or other private data, and web surfing anonymity. We observe the root cause of clickjacking is that an attacker application presents a sensitive UI element of a target application out of context to a user (such as hiding the sensitive UI by making it transparent), and hence the user is tricked to act out of context. To address this root cause, we propose a new defense, InContext, in which web sites (or applications) mark UI elements that are sensitive, and browsers (or OSes) enforce context integrity of user actions on these sensitive UI elements, ensuring that a user sees everything she should see before her action and that the timing of the action corresponds to her intent. We have conducted user studies on Amazon Mechanical Turk with 2064 participants to evaluate the effectiveness of our attacks and our defense. We show that our attacks have success rates ranging from 43% to 98%, and our InContext defense can be very effective against the clickjacking attacks in which the use of clickjacking is more effective than social engineering.

159 citations


Additional excerpts

  • ...This motivated other defenses against clickjacking [1, 3, 17]....

30 Apr 2010
TL;DR: This work studies frame busting practices for the Alexa Top-500 sites and shows that all can be circumvented in one way or another.
Abstract: Web framing attacks such as clickjacking use iframes to hijack a user’s web session. The most common defense, called frame busting, prevents a site from functioning when loaded inside a frame. We study frame busting practices for the Alexa Top-500 sites and show that all can be circumvented in one way or another. Some circumventions are browser-specific while others work across browsers. We conclude with recommendations for proper frame busting.

159 citations