Spammers Crack Microsoft’s CAPTCHA to Push Spam

According to security company Websense, spammers have managed to crack Google's Gmail and Microsoft's Hotmail service by using anti-CAPTCHA tools. The company's security experts state that CAPTCHA is a kind of challenge-response check used to ensure that only a human being generates the response and not a computer.

Furthermore, to crack CAPTCHA, spammers have set up automated bots, which are made not only to create and register random Hotmail accounts, but also simultaneously use these newly-created accounts to send spam messages from a proper Live Hotmail service.

The security specialists further reveal that the story of the downtrend in CAPTCHA's efficiency is an ongoing issue in 2008, as malware authors and hackers found methods to breach the security system's protection.

Moreover, in wake of two major Webmail providers again become vulnerable, CAPTCHA security is clearly not fulfilling the security requirements of either provider, and probably it is time to review the use of CAPTCHA.

The specialists explained that for Windows Live Hotmail, the bot starts its activity by attaching itself to Internet Explorer and interacting with the Hotmail sign-up servers. Meanwhile, the anti-CAPTCHA software contains a package of account identities, which it tries to use for starting the account creation. The series of account identities is presumably updated regularly, with accounts that work, kept intact and pre-existing or unacceptable accounts deleted.

Moreover, once spammers crack the CAPTCHA and create an account, e-mail IDs are entered and spam mails are sent followed by the logging out of the bots so that the whole process can be repeated

Furthermore, the security experts at Websense disclosed that the criminals had used the XRumer project to fool the CAPTCHA systems in Gmail. XRumer is a program to spam blogs and designed to con multiple CPATCHA systems. Once this project is successfully registered, it uses ways to bypass human detection such as posting a harmless query regarding a particular service or product.

Meanwhile, the specialists revealed that CAPTCHA-cracking is a massive business in countries like India, where employees enter thousands of CAPTCHAs every day for a very small sum of money per CAPTCHA successfully decoded.

Related article: Spammers Continue their Campaigns Successfully

» SPAMfighter News - 10/13/2008