Cybercriminal Bets Users Will Trade Security For Sex

The author of a new Trojan is betting that e-mail users will trade security for sex.

According to security company Trend Micro, new malware is tempting computer users to enter CAPTCHA codes -- the images of letters and numbers used to separate humans from bots -- to remove clothing from the image of a model.

"A nifty little program that Trend Micro detects as TROJ_CAPTCHAR.A disguises itself as a strip-tease game, wherein a scantily clad 'Melissa' agrees to take off a little bit of her clothing," said security researcher Roderick Ordonez on the Trend Micro blog. "However, for her to strut her stuff, users must identify the letters hidden within a CAPTCHA. Input the letters correctly, press 'go,' and 'Melissa' reveals more of herself."

But the CAPTCHA characters that users provide are used to subvert security measures at other Web sites.

Ordonez said that the CAPTCHAs analyzed by Trend Micro were taken from Yahoo's Web site. He speculates that the person or persons behind this may be building a large base of Yahoo accounts, possibly for spamming.

Ordonez notes that this represents a new social engineering technique, but others have observed similar tactics in the past.

In early 2005, a product marketing director at Sendmail said that spammers were getting around challenge-response e-mail systems -- which protect users from spam by asking the sender to respond to a challenge question before delivering the sender's message -- by posting challenge questions on porn sites and offering access to porn in return for an answer to the challenge question, which results in the spam being delivered.