Spammers' bot cracks Microsoft's CAPTCHA
Bot beats Windows Live Mail's registration test 30% to 35% of the time, says Websense
Computerworld - Spammers are using a bot to sidestep barriers that Microsoft Corp. has erected to keep scammers from creating massive numbers of accounts on its Live Mail service, a security researcher said today.
Dan Hubbard, vice president of security research at Websense Inc., said the bot was designed to break CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) defenses, the distorted, scrambled character codes that many Web services use to block automated registration of hundreds or thousands of accounts at a time.
The bot, said Hubbard, grabs the CAPTCHA -- which is not plain text but actually an image -- and sends it back to the spammer's server, where the image is somehow "read" and a clear text match is generated. The text is then sent back to Live Mail, where it's plugged into the box where users normally type the CAPTCHA characters.
On average, the bot returns the correct response 30% to 35% of the time and successfully creates an account, Hubbard claimed.
"This is the first time that we've seen a bot like this," Hubbard said, "at least one that does the full loop of coming up with the CAPTCHA and registering an account."
Some specifics of the account-creation scam are still murky, he acknowledged. "What we don't know is what happens on the back end, at the spammer's server." Once the CAPTCHA image reaches the server, the spammers could be running it through some kind of optical character recognition (OCR) process or using one of several CAPTCHA "busters" tools. Or there could be people viewing the images, then typing in the character codes, although Hubbard said that was unlikely.
Spammers' appetite for large numbers of free e-mail accounts has driven them to come up with the bot, Hubbard said. "They use these addresses once and dispose of them, or they use an address one or two days," he said. That's about the lifespan of a spamming address, Hubbard noted. "Accounts get shut down quickly, or they get listed in the spam filtering products," he said.
Live Mail and rivals such as Yahoo Mail are favorite targets for spammers because the services are free, their domains can't be blocked by blacklisting antispam tools, and the millions of accounts they control make it easy for the spamming addresses to hide in the crowd, Hubbard said.
The bot's success rate shows that CAPTCHA is in danger. Unfortunately, there's no single technology waiting in the wings that could step in to replace it, especially in high-volume settings like Live Mail or Yahoo Mail.
"You have to make something that's simple and easy enough for people to accept, but too difficult for a computer to do [on its own]," Hubbard said. That's a fine line, he added.
In fact, Websense's findings mark the second time in less than three weeks that CAPTCHA-cracking claims have been made. Last month, a Russian programmer using the alias "John Wane" posted a decoder he said could crack Yahoo's CAPTCHA system 35% of the time.
"Where there's a will, there's a way," Hubbard concluded.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts