If you've been on the internet for a while you are probably familiar with 'Turing tests' on various websites: little challenges to prove you are an actual human interacting with a site and not a bot intent on spamming a comment form or on the prowl for personal data. Most of these puzzles take the form of a sequence of blurred letters and/or numbers that have to be correctly identified as this is something humans are (still) a lot better at than computers.
Such a test is often called a CAPTCHA, which the official CAPTCHA site used to define as:
The term CAPTCHA (for Completely Automated Public Turing Test To Tell Computers and Humans Apart) was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University.
In recent years one of the more popular CAPTCHA systems in use has been Google's reCAPTCHA, which uses several advanced techniques to pre-screen website visitors before deciding which test to show them. A first time visitor coming from a suspicious IP address with an unknown browser is much more likely to be challenged with a somewhat difficult puzzle as opposed to a return visitor coming from a known 'good' IP address. The net result of this is that 'trustworthy' visitors usually get presented with this very simple challenge by the reCAPTCHA system: simply tick the box.
Analyzing mouse movements in combination with the other cues is usually enough proof for the system to accept users are human. And in case of doubt the system simply throws up a more difficult additional challenge.
In practice this is more than enough to keep out most bots, although there are exceptions as this video proves:
But joking aside: one side-effect of the popularity of reCAPTCHA is that users have gotten used to mindlessly clicking the checkbox if they want to access 'protected' features of a website. And now scammers are abusing this learned behaviour.
Back in March 2017 we first reported about a celebrity death hoax involving British actor Rowan Atkinson (a.k.a. Mr. Bean), followed a few months later by a second one and then over the summer another one involving Dwayne "The Rock" Johnson. All three hoaxes involved website visitors being lured in via Facebook posts to watch a video which would cut out after two seconds after which a prompt followed to share the video to continue watching. The actual URL being shared was varied slightly each time in order to mislead Facebook's anti-spam measures. And of course the videos turned out to be fake and the websites on which they were hosted were filled to the brim with popup ads and other nasty forms of advertising.
And now it seems the same people are back with a new scammy website. Only instead of using a fake death they have now jumped on an existing viral media bandwagon by coopting the "Fire Noodle Challenge" which was a social media phenomenon in 2015 originally hailing from Korea. According to Wikipedia:
Buldak Bokkeum Myeon became famous due to the Fire Noodle Challenge, a viral challenge where people film themselves attempting to complete a bowl of Buldak Bokkeum Myeon.
The article/website the hoaxers are spreading (archived here) appears to promote one of the many 'spicy noodle challenge' videos out there on YouTube but guess what pops up after two seconds of watching:
Indeed: a fake McAfee message and a fake reCAPTCHA checkbox. Clicking either one (or the Facebook sharing button) brings up a Facebook share dialog to share a version of the video on a slightly modified URL along with the hashtag #BewareOfKillerSpicyNoddles. And yes, there are lots of ads popping up all over the place.
So is this fake news? Not really. But definitely a deceptive way to get more shares/likes out of a video in order to make money from advertising. And the first time I've seen user familiarity with Google's reCAPTCHA being abused in this way.
What will they think of next?
