Feeds

Automated crack for Windows Live captcha goes wild

Spammers'Holy Grail

Providing a secure and efficient Helpdesk

Spammers are using a sophisticated piece of software that can create thousands of Windows Live email addresses by cracking the protections designed to prevent the large-scale creation of fraudulent accounts.

According to security firm Websense, the bot is surreptitiously installed on the PCs of end users. It then establishes a connection to the registration page of the Microsoft-owned mail service. About a third of the time, the software is able to bypass the Captcha requirement through a process that researchers have yet to precisely figure out.

The executable software,has already led to a surge of spam being sent from the Microsoft-owned service, said Dan Hubbard, vice president of security research at Websense. Its discovery comes a few weeks after the release of proof-of-concept code that defeats a similar Captcha used by Yahoo! Mail.

Free email services from Microsoft, Yahoo! and Google are rarely blocked by anti-spam products, making accounts on those services highly prized by spammers. In the past week or so, Websense antispam filters have gone from blocking fewer than 100 Windows Live accounts per day to a number that's in the thousands.

"Some customers were actually flagging the mail as legitimate because it was coming from Microsoft Live," said Hubbard. "Clearly, (spammers) are using the fact that (the services) are legitimate."

Short for "completely automated public Turing test to tell computers and humans apart," Captchas have emerged as a key barrier hindering scammers who want to create large numbers of fake online accounts. In some cases, Captcha-cracking has involved software that transmits the graphic to third-party website that promises a visitor free porn in exchange for typing in the characters. Other times, programs using highly specialized heuristics algorithms try to guess the characters, based on the arrangement of the pixels.

"Captcha breaking has been one of the largest targets of malware operators for some time, even to the point that they will go and farm out the job to human beings," said Adam O'Donnell, a research scientist at antispam company Cloudmark. "It's that profitable."

For years now, the forces of good and evil have been engaged in an arms race of sorts, in which new Captcha cracks beget stronger Captcha images, which in turn lead to more advanced cracks.

Hubbard said a Websense honeynet recently caught malware. When researchers installed it on a lab machine, they discovered that in addition to sending spam, it attempted to create the Windows Live accounts. The software cuts Microsoft's Captcha image and sends it to a server controlled by the scammers. The server then sends the text contained in the image back to the infected PC. The answer is correct as much as 35 per cent of the time.

"We don't know what the process is," said Hubbard. One possibility is that there are human being on the other end, but Hubbard is leaning away from that theory because it would require hundreds of people to make it work. It's also possible the spammers have found a new type of Captcha-cracking software.

Besides being rarely blocked by spam filters, accounts with big email services are valuable to spammers for other reasons. For one, they're free. And for another, the millions of other accounts held by legitimate users makes it hard for the services to pinpoint mass mailers.

Don't count on this cat-and-mouse match ending anytime soon. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.