Trojan creates bogus webmail accounts to punt drugs
Hotmail and Yahoo! captchas defeated?
Miscreants have created a strain of malware capable of setting up bogus Hotmail and Yahoo! accounts in order to send spam.
The HotLan-A Trojan uses automatically generated webmail accounts, suggesting that spammers have found a way to bypass the Captcha system (which typically means accounts can't be created until a user correctly identifies letters depicted in an image).
The Captcha system was set up by online service providers in order to try to ensure that only requests generated by a human, and not automated by a program, are serviced.
These challenge-response systems are often used to stop the automatic creation of webmail accounts by spammers, so their apparent defeat by the HotLan-A Trojan is of particular note.
The use of compromised PCs to send spam has been going on for years, but the HotLan-A Trojan follows a more complex routine. Each active copy of the Trojan attempts to set up a webmail account before pulling encrypted spam emails from a website. It then decrypts these junk emails and sends them to (presumably valid) addresses taken from yet another website, according to an analysis of the malware by Romanian anti-virus firm BitDefender. Junk mail sent using the malware has largely been used to spamvertise sites flogging pharmacy products.
"There are only about 500 or so new accounts being created every hour," said Viorel Canja, head of BitDefender's Anti-virus Lab. "But still, we've seen 15,000+ Hotmail accounts being used so far. It's hard to estimate how many spam emails have already been sent." ®
"Lately, I have seen a great many flamewarriors correcting each other's spelling/grammar/punctuation, etc.
Question: Has this resulted in a more urbane and erudite flame culture?
In the Usenet days typos were generally ignored because they were usually the result of clumsy fingers. These days, however, more and more people are demonstrating a blatant lack of skill in both spelling and grammar. These are not second-language English speakers we're talking about - it's often people who have no excuse.
Why pay a turk?
I've heard of some porn sites advertising free images protected by a captcha. Thing is that the captcha is actually an image from some other site. So the dope enters it in, playing the unsuspecting turk.
And if they really wanted to make it tough to thwart, their malware would turn the infected user into a turk. That is, suppose someone wants to sign up to Yahoo, but their computer is infected. The malware can then pre-fetch a failed signup, so when the user does the captcha, the malware registers its spam address instead, and throws up a 'failed captcha' page. The user figures they misread an 8 for a B, and registers a second time, this time going through, none the wiser that two accounts were made.
I'm not sure how to combat that level of trickery.
Just wait for the Turk...
The more exotic approaches only work because they're not common enough to warrant a spammer defeating them. If somebody comes up with a system that actually works and it gets widely used, the spammers will get round it. If it's computationally not feasible to solve the problem, the spammers could resort to a system similar to the Amazon "Mechanical Turk" and pay a group of poor people in another country to do it: Trojan sends captcha to server which displays it for some poor shmuck who gets $0.01 for every 10 he solves and the result is returned. If he's good he could well earn 1c every minute, which is $6 a day (on a 10-hour day). There are still many countries where $6 is a very good wage.
I suppose such techniques could be made less effective by limiting the time the user has to solve the captcha, but then we'd be discriminating even more against the disabled, for whom they're difficult enough as it is. Streaming, animated, video captchas anyone?