Criminals Break CAPTCHA Websites’ Security for Spamming
According to the MessageLabs 2009 Security Report from Symantec, cyber criminals are employing sophisticated programs to beat a system called 'Completely Automated Public Turing test to tell Computers and Humans Apart' (CAPTCHA). CAPTCHA helps Web-mail, social networking and micro-blogging services to keep their sites protected from spammers and hackers.
The report states that online crooks are cracking code hidden inside CAPTCHA images with the help of newly developed software. CAPTCHA images are used to distinguish genuine customers from automated software.
Commenting on the problem, Paul Wood, Senior Analyst at Symantec, stated that CAPTCHA had been cracked very effectively by cyber crooks, as reported by Webuser on December 9, 2009.
The cyber criminal gangs are using CAPTCHA-cracking techniques to set up several thousand accounts on genuine social networking and Web-mail sites, from which they send phishing and spam e-mails to Web users.
Wood said that creating numerous legitimate accounts on any website yielded the advantages of lawful domains. Anti-spam applications might not be able to identify spam mails coming from those domains. These e-mails might be difficult to block because of the risk of blocking genuine users, as reported by ComputerWeekly on December 8, 2009.
Wood further said that criminals' latest exploitation of CAPTCHA created great risk for businesses that could be getting legitimate-looking e-mails carrying web-links to sites that serve malware.
Moreover, cyber criminals are putting massive pressure on micro-blogging and social networking websites. They are posting genuine profiles and are attacking real people's accounts for phishing. Thus, organizations that do not adopt proper controls are at risk.
According to the report, there is a flourishing, illegal trade in CAPTCHA cracking tools. People are actually being employed to set up accounts through CAPTCHA breaking techniques at a rate of $2-$3 per thousand accounts. These accounts are then sold for a price in the range of $30-$40 per thousand for spamming purposes.
This practice, according to the security specialists, means that an increasing number of criminals are able to set up genuine accounts at social networking, instant messaging and Web-mail sites, but they use them for distributing spam.
» SPAMfighter News - 17-12-2009