About This Blog

Anti Spam News provided by developers of ProtectWebForm - the leading CAPTCHA Service.

- we monitor link spam, we fight spam!

29 February 2008 - 12:59 Bot Foils Microsoft’s CAPTCHA to Generate Live Mail Accounts

February 2008

A security researcher has revealed that spammers have found a way around Microsoft’s attempts to prevent them from generating a huge volume of Live Mail accounts. Dan Hubbard, vice president of security research at Websense, revealed that the spammers had built a bot to break Microsoft’s CAPTCHA defences – the scrambled and distorted codes used by many online services to block the automated registration of thousands of accounts at a time.

Hubbard went on to explain how the bot captures the CAPTCHA image and sends it to the server used by the spammers. This is where the image is “read” until a clear text match is produced. The text is then sent back to the Live Mail server where it is entered into the relevant box where users type the characters for the CAPTCHA.

According to Hubbard, the bot generates the correct response and manages to create a Live Mail account 30 to 35 percent of the time. He attests to the ingenuity of this method: “This is the first time that we’ve seen a bot like this, at least one that does the full loop of coming up with the CAPTCHA and registering an account.”
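A defender-side check suggested by the figures above, added here as an example that is not from the article or from Websense: it scans constructed signup-attempt log lines and flags sources whose attempt volume, CAPTCHA pass rate and pacing fit an automated profile (many rapid attempts, roughly a third solved) rather than a human one. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the article): one line per signup attempt,
# recording the source address and whether the CAPTCHA was solved.
SAMPLE_LOG = """\
2008-02-29T12:00:01 src=203.0.113.7 captcha=fail
2008-02-29T12:00:03 src=203.0.113.7 captcha=fail
2008-02-29T12:00:05 src=203.0.113.7 captcha=pass account=created
2008-02-29T12:00:07 src=203.0.113.7 captcha=fail
2008-02-29T12:00:09 src=203.0.113.7 captcha=fail
2008-02-29T12:00:11 src=203.0.113.7 captcha=pass account=created
2008-02-29T12:00:13 src=203.0.113.7 captcha=fail
2008-02-29T12:00:15 src=203.0.113.7 captcha=pass account=created
2008-02-29T12:05:00 src=198.51.100.20 captcha=fail
2008-02-29T12:05:40 src=198.51.100.20 captcha=pass account=created
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) captcha=(pass|fail)")

def parse(log):
    """Yield (timestamp, source, passed) tuples from the assumed log format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3) == "pass"

def suspicious_sources(log, min_attempts=6, max_pass_rate=0.5, max_avg_gap_s=10.0):
    """Return {source: stats} for sources whose signup behaviour looks automated.

    Heuristic (an assumption, not Websense's method): a human rarely needs more
    than a couple of tries and takes seconds to read each image, so a source that
    churns through many attempts only seconds apart and solves well under half
    of them matches the ~30-35% bot profile far better than a person does.
    """
    by_src = defaultdict(list)
    for ts, src, ok in parse(log):
        by_src[src].append((ts, ok))
    flagged = {}
    for src, events in by_src.items():
        if len(events) < min_attempts:   # too few attempts to judge
            continue
        events.sort()
        passes = sum(1 for _, ok in events if ok)
        span = (events[-1][0] - events[0][0]).total_seconds()
        avg_gap = span / (len(events) - 1)
        rate = passes / len(events)
        if rate <= max_pass_rate and avg_gap <= max_avg_gap_s:
            flagged[src] = {"attempts": len(events), "pass_rate": rate, "avg_gap_s": avg_gap}
    return flagged
```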

Hubbard also admits that the actual specifics of the account-creation scam remain unclear. It’s not yet known exactly what happens at the spammers’ server. One possibility is that the spammers run the captured CAPTCHA image through some kind of optical character recognition (OCR) process or a CAPTCHA “buster” tool once it reaches the server. People may also be viewing the images and typing in the character codes, although this is an unlikely option.

Apparently, the motivation behind the bot’s creation is the spammers’ desire to generate a very large volume of free email accounts. The spammers use each email address once, or for only 1 to 2 days, before disposing of it. According to Hubbard, that is the typical lifespan of a spamming address: these accounts tend to get shut down very quickly or end up on the blocklists of spam-filtering products.

Spammers often target free services such as Yahoo! Mail or Microsoft’s Live Mail because anti-spam tools cannot simply block those domains outright. The fact that these companies control literally millions of email accounts also makes it much easier for spamming addresses to remain hidden amongst the legitimate ones.

Although the CAPTCHA is in danger because of the bot’s success rate, no technology exists to replace it, particularly in high-volume settings such as Yahoo! Mail or Live Mail. As Hubbard indicated: “You have to make something that’s simple and easy enough for people to accept, but too difficult for a computer to do on its own. That’s a fine line.”

The discovery made by Websense reveals the second CAPTCHA-cracking claim in a period of less than 3 weeks. In January 2008, a Russian programmer going by the name John Wane posted a decoder he claimed was able to crack the CAPTCHA system used by Yahoo! with a 35 percent success rate.


No Comments | Tags: OCR, CAPTCHA, Anti Spam, Spam

12 December 2007 - 7:55 Striptease - An Inventive Method of Decoding CAPTCHA Images

Malware authors who are sick and tired of CAPTCHAs have discovered an inventive new method of decoding CAPTCHA images from legitimate sites: a striptease game. The game has been identified by Trend Micro as TROJ_CAPTCHAR.A.

Players provide the “assistance” by typing in the letters hidden in a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). Whenever a player guesses correctly, more clothing is removed from photos of a woman named “Melissa.”

Trend Micro believes that the CAPTCHAs were taken from Yahoo and that the result is a storehouse of Yahoo account information, likely used for spamming.

CAPTCHAs distinguish human users from automated processes, and they were initially used to guard against automated software such as spam generators and bots. They prevent automated postings to forums and blogs and minimize the spamming of webmail services. Visitors decipher specific alphanumeric characters that are embedded in an image that machines can’t read. However, they are not foolproof; Optical Character Recognition can foil the tests.

Roderick Ordoñez of TrendLabs addressed this recent CAPTCHA ploy stating: “Some people are really hooked up on defeating the CAPTCHA, and they are literally asking for public help, in a rather discreet—and, um, provocative—manner.”

The striptease players’ answers are routed to a remote server. At this point, another user matches each answer against the actual code for a given CAPTCHA displayed on Yahoo’s site.

For all the latest news and reviews regarding security coverage, be sure to visit eWEEK.com’s Security Center or eWEEK’s Security Watch blog.


No Comments | Tags: OCR, CAPTCHA, Anti Spam, Spam, Uncategorized