
September 30th, 2008

Spammers attacking Microsoft's CAPTCHA -- again

Posted by Dancho Danchev @ 8:43 pm

Categories: Botnets, Complex Attacks, Hackers, Malware, Microsoft, Phishing, Research, Spam and Phishing

Tags: Security, CAPTCHA, Websense, Microsoft, Hotmail, Live, Dancho Danchev

Never let a human do a malware-infected host’s CAPTCHA recognition job. In their bid to abuse DomainKeys-verified server reputation in order to increase the probability of their spam emails reaching the recipients, spammers and malware authors are once again attempting to break Microsoft’s “revisited” CAPTCHA, and are able to sign up Live Hotmail accounts with a success rate of 10% to 15%, according to an assessment published by Websense today:

“Spammers are once again targeting Microsoft’s Hotmail (Live Hotmail) services. We have discovered that spammers, in a recent aggressive move, have managed to create automated bots that can sign up for and create random Hotmail accounts, defeating Microsoft’s latest, revised CAPTCHA system. The accounts are then used to send mass-mailings.

Early this year (2008), as reported by Websense Security Labs, spammers on a worldwide basis demonstrated their adaptability by defeating a range of anti-spam services offered by security vendors by carrying out the streamlined anti-CAPTCHA operations on Microsoft’s Live Mail, Google’s Gmail, Microsoft’s Live Hotmail, Google’s Blogger, and Yahoo Mail.”

A 10% to 15% recognition rate, or “one in every 8 to 10 attempts to sign up for a Live Hotmail account is successful” as stated by Websense, is a modest success rate given that the academic community has managed to achieve a 92% recognition rate in the past. But with hundreds of thousands of malware-infected hosts, it appears that they are willing to allocate resources despite the modest success rate, and are actively spamming through the newly registered bogus email accounts.

Is machine-learning CAPTCHA breaking the tactic of choice, or is the outsourcing model of the recently uncovered CAPTCHA-solving economy cost-effective enough to undermine the machine learning approach? With low-wage humans achieving a 100% recognition rate and processing “bogus account registration” orders, it may in fact be more cost-effective for a cybercriminal to outsource the process than to allocate personal resources and achieve a lower success rate. One thing’s for sure: CAPTCHA-based authentication has been persistently under attack from all fronts throughout 2008.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


  • Talkback
  • Most Recent of 31 Talkback(s)
RE: Spammers attacking Microsoft's CAPTCHA -- again
Dear sir
Take my salam
We have 7 years' experience in this field. We have 30 PCs, 90 workers, and 24/7 nonstop support workers. If possible, please send me your CAPTCHA work, our contact number...
Posted by: sumon234 Posted on: 01/09/09