How CAPTCHA got trashed
The wiggly words are now most useful for malware authors
Computerworld - CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work.
CAPTCHA — Completely Automated Public Turing Test to Tell Computers and Humans Apart — was a good idea in its day. You presented users with an obfuscated string of characters and then had them decode and type the string in to get an e-mail account, a social networking account or comment access on an online forum. Not much fuss — though users justifiably complained that the difference between '1' (one) and l (the lower-case letter l) can be hard to see in many fonts — and certainly no muss from a Web administrator's point of view.
So it was that CAPTCHA went from relatively obscure security measure perfected in 2000 by researchers at Carnegie Mellon University to deployment by most of the major Web e-mail sites and many other Web sites by 2007. Sites such as Yahoo Mail, Google's Gmail and Microsoft's Hotmail all used — and, for that matter, continue to use — CAPTCHA to make sure that only human beings, not bots, could get accounts or make postings.
Those days are long gone.
And then things got bad.
There are now programs available online — no, we will not tell you where — that automate CAPTCHA attacks. You don't need to have any cracking skills. All you need is a desire to spread spam, make anonymous online attacks against your enemies, propagate malware or, in general, be an online jerk.
It's not just free e-mail sites that can be made to suffer, though.
John Nagle, founder of SiteTruth, a site that tries to identify bogus businesses and their Web sites, wrote in late May on Techdirt that while spam on the popular online classified ad service Craigslist "has been a minor nuisance for years ... this year, the spammers started winning and are taking over."
Craigslist tried "to stop spamming by checking for duplicate submissions," Nagle explained. "They check for excessive posts from a single IP address. They require users to register with a valid e-mail address. They added a CAPTCHA to stop automated posting tools. And users can flag postings they recognize as spam."
According to Nagle, waxing sarcastic, "Several commercial products are now available to overcome those little obstacles to bulk posting. A tool called CL Auto Posting Tool is one such product. It not only posts to Craigslist automatically, it has built-in strategies to overcome each Craigslist anti-spam mechanism." It's not the only one. There are, he added, "other desktop software products [such as] AdBomber and Ad Master. For spammers preferring a service-oriented approach, there's ItsYourPost." The result? "The defenses of Craigslist have been overrun. Some categories on Craigslist have become over 90% spam. The personals sections were the first to go, then the services categories, and more recently, the job postings."
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Cybercrime and Hacking White Papers | Webcasts