[Infowarrior] - Spambot cracks Live Hotmail CAPTCHA

Richard Forno rforno at infowarrior.org
Wed Apr 16 01:14:36 UTC 2008


Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA

By Emil Protalinski | Published: April 15, 2008 - 09:13AM CT

http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html

Internet users are quite familiar with the Completely Automated Public
Turing test to tell Computers and Humans Apart (CAPTCHA), a quick method
that verifies whether the user trying to sign up is a person or a bot. A
picture with swirled, mangled, or otherwise distorted characters is
displayed and the user then types in the correct letters or numbers. Thus
far, the system has worked well to slow down malicious bots, but recently
the groups behind such software have made significant strides. A security
firm is now reporting that the CAPTCHA used for Windows Live Mail can now be
cracked in as little as 60 seconds.

Back in early February, a group cracked Windows Live Hotmail's CAPTCHA. A
few weeks later, Gmail's version followed suit. In just over a month's time,
some anti-spam vendors were forced to completely block the domain for the
popular service as bots signed up for thousands of bogus accounts and began
to flood the tubes with e-mail advertisements for lottery tickets and
watches. The close proximity of the two cracks has done everything but seal
CAPTCHA's fate.

To make matters worse, Websense Security Labs is now reporting that the
method for getting around Windows Live Mail's CAPTCHA has been improved to
the point that a bot can decipher the text and make a guess in less than six
seconds, on average. Windows Live Hotmail's Anti-CAPTCHA automatic bot,
which hooks itself into Internet Explorer on a victim's machine, has a
success rate of about 10-15 percent. That means that it takes up to one
minute for a single bot to create a new account.

[Image: Windows Live Hotmail's CAPTCHA]

In one day, the bot can amass at least 1,440 accounts. And that's just one
bot. This same bot can then send spam to multiple e-mail addresses (using
both CC and BCC lists) continuously, switching between accounts (both in the
from: and to: fields) in order to lower the chance of being spotted.
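The throughput described above, modelled in Python as an added example (this is not code from the article or from Websense): the 6 seconds per attempt and the 10-15 percent success rate are the article's figures; the per-client backoff delay after failed CAPTCHA attempts is an assumed mitigation, included to show how a signup endpoint changes the bot's economics without touching the image itself.

```python
"""Account-creation throughput for a CAPTCHA-guessing bot.

Article figures: ~6 s per attempt, 10-15 % success rate. The backoff
policy is an assumption added for illustration, not something the
article describes Microsoft doing."""

SECONDS_PER_DAY = 86400


def expected_attempts_per_account(success_rate: float) -> float:
    """Mean number of CAPTCHA attempts until the first success (geometric)."""
    if not 0.0 < success_rate <= 1.0:
        raise ValueError("success_rate must be in (0, 1]")
    return 1.0 / success_rate


def seconds_per_account(success_rate: float, seconds_per_attempt: float = 6.0) -> float:
    """Expected wall-clock time for one bot to obtain one account."""
    return expected_attempts_per_account(success_rate) * seconds_per_attempt


def accounts_per_day(success_rate: float, seconds_per_attempt: float = 6.0,
                     bots: int = 1) -> float:
    """Accounts a fleet of bots can register in 24 hours at this rate."""
    return bots * SECONDS_PER_DAY / seconds_per_account(success_rate, seconds_per_attempt)


def seconds_per_account_with_backoff(success_rate: float, seconds_per_attempt: float = 6.0,
                                     base_delay: float = 1.0, factor: float = 2.0,
                                     max_delay: float = 600.0, tol: float = 1e-12) -> float:
    """Expected seconds per account when the server (assumed policy) makes a
    client wait base_delay after its first failed CAPTCHA, multiplying the
    wait by `factor` per further failure, capped at max_delay, and resetting
    on success. Sums P(k failures, then success) * cost(k) until the
    remaining probability mass is below `tol`."""
    if not 0.0 < success_rate <= 1.0:
        raise ValueError("success_rate must be in (0, 1]")
    failure_rate = 1.0 - success_rate
    prob_k = success_rate          # P(exactly k failures before the success)
    cumulative_delay = 0.0         # total enforced wait after k failures
    next_delay = base_delay        # wait imposed after the (k+1)-th failure
    expected, k = 0.0, 0
    while True:
        expected += prob_k * ((k + 1) * seconds_per_attempt + cumulative_delay)
        if prob_k < tol:
            break
        cumulative_delay += min(next_delay, max_delay)
        next_delay = min(next_delay * factor, max_delay)  # capped, no overflow
        prob_k *= failure_rate
        k += 1
    return expected
```

With the article's 10 percent success rate the model reproduces its figures (60 seconds per account, 1,440 accounts per bot per day), and the same bot under an exponential backoff spends most of its day waiting rather than registering.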

Spammers love getting their hands on live.com and hotmail.com addresses
since the chance of such popular domain names being blacklisted is slim to
none. Because of how large the Windows Live account system is, in terms of
both users and the wide array of services the account is tied to, anti-spam
vendors should not be the only ones worried. However, the problem for
Microsoft is much bigger than simply tracking down the spamming accounts.

Microsoft, Google, and all other websites that currently use CAPTCHA, need
to find a solution that puts them a step ahead of the spammers. Using better
images and improving CAPTCHA will simply prolong the arms race. Spammers
will make the proper adjustments to their bots, then make them even faster.
Hopefully a workable solution can be found that doesn't make onerous demands
on the sincere user. Finding, testing, and implementing a CAPTCHA
alternative will of course take time, and while we wait, the spam just comes
flooding in. 