Bot breaks Hotmail's CAPTCHA in 6 seconds
Spammer's bot beats Microsoft's registration test in no time
Computerworld - A new bot can crack defenses erected by Microsoft Corp. to keep spammers from creating large numbers of accounts on its Live Hotmail service within seconds, a security researcher said today.
Dan Hubbard, vice president of security research at Websense Inc., said the bot broke Live Hotmail's CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) within six seconds, on average. CAPTCHA is the name given to the distorted, scrambled characters that many Web services require users to decipher and type in to create a new account. The tests are meant to block automated account registration by spammers and malware authors.
The bot, Hubbard acknowledged, is similar to one Websense uncovered in February.
"In the past, though, it was kind of questionable whether the CAPTCHA breaking was automated," Hubbard said today, noting that there had been some evidence that spammers were paying people to decode and type in the CAPTCHA characters. "But the bot's breaking [CAPTCHA] in six seconds, so it's definitely automated."
In a long post to the Websense blog yesterday, Sumeet Prasad -- "our CAPTCHA expert," said Hubbard -- provided technical details of how the bot automatically registers Live Hotmail accounts and then immediately begins using those accounts to spew spam.
The bot's total response time -- how long it takes the program to grab a CAPTCHA image, analyze it and return with the correct code -- is considerably shorter than that of earlier such bots, said Prasad in the blog.
One in every eight to 10 attempts to create a Live Hotmail account is successful, added Prasad, so the success rate is 10% to 15%. However, the rate is actually meaningless, said Hubbard, since the bot will continue to try to create accounts using a predetermined list of account names until they're all registered.
Copies of the bot are seeded on unsuspecting users' PCs, said Websense, making it less likely that Microsoft will detect and stop the automated account registrations.
Free Web-based e-mail services such as Live Hotmail, Yahoo Mail and Gmail are favorite targets for spammers because the services' domains can't be blocked by blacklisting antispam tools, Hubbard said. "When Google, Microsoft and Yahoo [domains] are in the top 10 or top 20 spam domains, it's hard to use reputation tools," said Hubbard.
"You're not going to block those [domains]," he said.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts