About This Blog

Anti Spam News provided by developers of ProtectWebForm - the leading CAPTCHA Service.

- we monitor link spam,
we fight spam!

11 March 2008 - 1:07

Latest Successful Target For Captcha-Defeating Spammers

Having recently conquered the Windows Live captcha used by Hotmail, spammers have now performed the same feat with Gmail’s system.

Websense, an Internet security company, has reported that the spammers have designed bots which can sign up and create random Gmail accounts for the purpose of spamming. They were able to defeat the captchas, making it very likely that the same group of spammers is responsible for both recent attacks.

Captchas, an abbreviation for Completely Automated Public Turing test to tell Computers and Humans Apart, are used to prevent unauthorized creation of accounts. Users have to manually identify and enter letters contained in an image to ensure the request is coming from an actual human, not an automated program. For years, hackers have been devising techniques to automate signups for email accounts offered by companies such as Gmail and Yahoo! Spammers are becoming even more successful; for example, more than 500,000 spam Hotmail, Gmail and Yahoo! email accounts have been created since the HotLan Trojan first appeared on the scene in July 2007.

Websense believes the recent Gmail captcha hack is one of the most sophisticated ever created. This hack uses two compromised hosts to defeat Gmail, unlike the one host used to hack the Hotmail Live Mail captcha. Each of the two compromised hosts employs a different technique to analyze the captchas. Because the captcha images contain variations, one of the hosts often fails when attempting to break the code. In this case, the second captcha-learning host will attempt to learn and break the code.

Because of variations included in the Google CAPTCHA image, chances are that host 1 may fail to break the code. Hence, the spammers have a backup, a second CAPTCHA-learning host 2, that tries to learn and break the CAPTCHA code.

Although the new system employs two separate techniques, the success rate for breaking the Gmail captchas is still only one in five. This is a relatively low success rate, but one that is still workable for automated attacks.

For the spammers, gaining access to a large number of working Gmail accounts justifies this extreme effort for many reasons. First of all, they are able to gain access to Google’s services. They also obtain free addresses whose domains are very unlikely to be blacklisted. This helps them to defeat one aspect of the anti-spam defense.

Websense also reports that many captcha-breaking services are hosted on one of the US domains.
