Feeds

Automated crack for Windows Live captcha goes wild

Spammers'Holy Grail

Using blade systems to cut costs and sharpen efficiencies

Spammers are using a sophisticated piece of software that can create thousands of Windows Live email addresses by cracking the protections designed to prevent the large-scale creation of fraudulent accounts.

According to security firm Websense, the bot is surreptitiously installed on the PCs of end users. It then establishes a connection to the registration page of the Microsoft-owned mail service. About a third of the time, the software is able to bypass the Captcha requirement through a process that researchers have yet to precisely figure out.

The executable software,has already led to a surge of spam being sent from the Microsoft-owned service, said Dan Hubbard, vice president of security research at Websense. Its discovery comes a few weeks after the release of proof-of-concept code that defeats a similar Captcha used by Yahoo! Mail.

Free email services from Microsoft, Yahoo! and Google are rarely blocked by anti-spam products, making accounts on those services highly prized by spammers. In the past week or so, Websense antispam filters have gone from blocking fewer than 100 Windows Live accounts per day to a number that's in the thousands.

"Some customers were actually flagging the mail as legitimate because it was coming from Microsoft Live," said Hubbard. "Clearly, (spammers) are using the fact that (the services) are legitimate."

Short for "completely automated public Turing test to tell computers and humans apart," Captchas have emerged as a key barrier hindering scammers who want to create large numbers of fake online accounts. In some cases, Captcha-cracking has involved software that transmits the graphic to third-party website that promises a visitor free porn in exchange for typing in the characters. Other times, programs using highly specialized heuristics algorithms try to guess the characters, based on the arrangement of the pixels.

"Captcha breaking has been one of the largest targets of malware operators for some time, even to the point that they will go and farm out the job to human beings," said Adam O'Donnell, a research scientist at antispam company Cloudmark. "It's that profitable."

For years now, the forces of good and evil have been engaged in an arms race of sorts, in which new Captcha cracks beget stronger Captcha images, which in turn lead to more advanced cracks.

Hubbard said a Websense honeynet recently caught malware. When researchers installed it on a lab machine, they discovered that in addition to sending spam, it attempted to create the Windows Live accounts. The software cuts Microsoft's Captcha image and sends it to a server controlled by the scammers. The server then sends the text contained in the image back to the infected PC. The answer is correct as much as 35 per cent of the time.

"We don't know what the process is," said Hubbard. One possibility is that there are human being on the other end, but Hubbard is leaning away from that theory because it would require hundreds of people to make it work. It's also possible the spammers have found a new type of Captcha-cracking software.

Besides being rarely blocked by spam filters, accounts with big email services are valuable to spammers for other reasons. For one, they're free. And for another, the millions of other accounts held by legitimate users makes it hard for the services to pinpoint mass mailers.

Don't count on this cat-and-mouse match ending anytime soon. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.