Feeds

Botnet pierces Microsoft Live through audio captchas

'Look at these delineations!'

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

The prolific Pushdo spam botnet has found a new way to penetrate Microsoft's Live.com by exploiting weaknesses in the audio captchas designed to prevent automated scripts from accessing the popular email service.

A new version of the bot causes infected PCs to pull down Live.com audio captchas and return the correct response within 10 seconds, according to a researcher at anti-virus firm Webroot. The attack allows the zombie machines to send email through accounts with a Live.com address, which are whitelisted by many spam filters. The technique offers spammers an alternative to sending spam through open mail relays, which are often blacklisted.

"In one seven minute test period where I permitted the bot to operate freely, the bot demonstrated [a] remarkable capability to bypass the audio captchas," Webroot researcher Andrew Brandt wrote Monday Morning. "In most cases, it was able to submit the correct answer within two tries, though in one instance, the bot tried six times before it could proceed, and once it gave the correct answer the first time."

The attack is the latest to target captchas, the puzzles that websites use to ensure that email and forms are completed by humans rather than automated scripts. Captchas require a person to recognize a series of distorted characters that are hard for computers to read using optical character recognition programs. Audio captchas, which are available in the event the user is visually impaired, work in much the same way except that characters are verbally recited amid background static and other noise.

Over the past few years, cybercrooks have devised attacks on captchas protecting Google, Live.com, sites selling concert tickets and various other web properties. Web masters usually respond by tweaking the puzzles, forcing attackers to find new bypass techniques.

Webroot's Brandt said it's the first time he's heard of an audio captcha being targeted. It remains unclear if the attackers are sending the WAV files to sweat shops where humans then decode the audio puzzles, or if the technique works with the help of speech recognition software.

Once the captcha is solved, the botnet uses a Live.com email address to send spam with a variety of come-ons written with poor English grammar and usage. Our favorite one was "Mamma mia! your grandmother is doing so strange things here! Look at these delineations!"

The spam includes a link to a Yahoo Groups page that uses offers for free porn to coax people into giving up financial information.

A botnet primarily used to spend spam, Pushdo goes by several other names, including Cutwail, Diehard and Rabbit. Some of the IP addresses used by the audio-captcha buster have been used in the past by the Russian Business Network. Brandt's report is here. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.