Feeds

Spammers crack Gmail Captcha

Fresh fruit for rotting vegetables

Internet Security Threat Report 2014

Spammers, fresh from the success of cracking the Windows Live captcha used by Hotmail, have broken the equivalent system at Gmail.

Internet security firm Websense reports that miscreants have created bots which are capable of signing up and creating random Gmail accounts for spamming purposes, defeating Captcha-based defences in the process. It reckons the same group of spammers are behind both attacks.

Captcha (Completely Automated Public Turing test to tell Computers and Humans Apart) challenge-response systems, which are used to prevent accounts being created until a user correctly identifies letters in an image, are designed to ensure requests are made by a human rather than an automated program. The technique has been used to defeat automatic sign-ups to email accounts by services including Yahoo! Mail and Gmail for years, and hackers are increasingly successful in defeating the approach. For example, the HotLan Trojan has created more than 500,000 spam email accounts with Hotmail, Yahoo! and Gmail since its arrival back in July 2007.

Websense reckons the latest Gmail Captcha hack is the most sophisticated it has seen to date. Unlike Live Mail Captcha breaking, which involved just one zombie host doing the entire job, the Gmail breaking process involves two compromised hosts. Each of the two compromised hosts applies a slightly different technique to analysing Captcha, as explained in a posting by Websense.

Even using the two techniques, only one in every five Captcha-breaking requests are successful. It's a fairly low percentage, but one that's still more than workable in the case of automated attacks.

It sounds like a lot of effort, but gaining a working Gmail account has a number of advantages for spammers. As well as gaining access to Google's services in general, spammers gain a address whose domain is highly unlikely to be blacklisted, helping them defeat one aspect of anti-spam defences. Gmail also has the benefit of being free to use.

A wide range of Captcha-breaking services are hosted on a domain located in the US, Websense reports. The page includes a support page and payment advice along with an internal test page. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.