Spammers attacking Microsoft's CAPTCHA -- again

Summary: Never let a human do a malware-infected host's CAPTCHA recognition job.

Microsoft CAPTCHA broken
Never let a human do a malware-infected host's CAPTCHA recognition job. On their way to abusing the DomainKeys-verified server reputation in order to increase the probability of their spam emails reaching the recipients, spammers and malware authors are once again attempting to break Microsoft's "revisited" CAPTCHA, and are able to sign up Live Hotmail accounts with a success rate of 10% to 15%, according to an assessment published by Websense today:

"Spammers are once again targeting Microsoft's Hotmail (Live Hotmail) services. We have discovered that spammers, in a recent aggressive move, have managed to create automated bots that can sign up for and create random Hotmail accounts, defeating Microsoft's latest, revised CAPTCHA system. The accounts are then used to send mass-mailings.

Early this year (2008), as reported by Websense Security Labs, spammers on a worldwide basis demonstrated their adaptability by defeating a range of anti-spam services offered by security vendors, carrying out streamlined anti-CAPTCHA operations on Microsoft's Live Mail, Google's Gmail, Microsoft's Live Hotmail, Google's Blogger, and Yahoo Mail."

A 10% to 15% recognition rate, or "one in every 8 to 10 attempts to sign up for a Live Hotmail account is successful" as Websense puts it, is a rather modest success rate given that the academic community has achieved a 92% recognition rate in the past. But with hundreds of thousands of malware-infected hosts at their disposal, the spammers appear willing to allocate the resources despite the modest success rate, and are actively spamming through the newly registered bogus email accounts.

Is machine-learning CAPTCHA breaking the tactic of choice, or is the outsourcing model of the recently uncovered CAPTCHA-solving economy cost-effective enough to undermine the machine-learning approach? With low-waged humans achieving a 100% recognition rate and processing "bogus account registration" orders, it may in fact be more cost-effective for a cybercriminal to outsource the process than to allocate their own resources and achieve a lower success rate. One thing's for sure - CAPTCHA-based authentication has been persistently under attack from all fronts throughout 2008.

About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community...
