Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers


Breaking Gmail, Yahoo and Hotmail's CAPTCHAs, has been an urban legend for over two years now, with do-it-yourself CAPTCHA breaking services, and proprietary underground tools assisting spammers, phishers and malware authors into registering hundreds of thousands of bogus accounts for spamming and fraudulent purposes.

This post intends to make this official by covering an underground service offering thousands of already registered Gmail, Yahoo and Hotmail accounts for sale, with new ones registered every second, which clearly indicates the success rate of their CAPTCHA breaking capabilities at these services.

Monitoring the service for over a month now revealed that during the period its "inventory of automatically registered email accounts" was emptying itself, then restoring to its current position - in the thousands, with 1 to 2 new accounts registered per second. Moreover, it's important to point out that, compared to situations where scammers are scamming the scammers, these people "deliver the goods" that they promise. Last week, they also started offering Hotmail and Yahoo email accounts, again in the thousands. For the time being, there are 134,670 Gmail accounts available for purchase, as well as 42,893 Hotmail and 10,847 Yahoo email accounts. There's naturally price discrimination applied: for instance, if you're buying up to 10k Gmail accounts, the price for 1k would be $6; from 10k to 100k the price drops to $5 per 1k; and if you're going to buy over 100k accounts, the price would be $4 per 1k.

Considering the fact that researchers are already managing to achieve a recognition rate of nearly 90% for Gmail's CAPTCHA, 58% for Yahoo's CAPTCHA, and over 92% for Microsoft's CAPTCHAs, the incentives for malicious parties to start efficiently breaking them and to build a business model on top of this seem to have prevailed. Here's a paper courtesy of Microsoft's research team, outlining some of the findings regarding the insecurities of these CAPTCHAs in general:

"The Google HIP is unique in that it uses only image warp as a means of distorting the characters. Similar to the MSN/Passport and Yahoo version 2 HIPs, it is also two color. The HIP characters are arranged close to one another (they often touch) and follow a curved baseline. The following very simple attack was used to segment Google HIPs: Convert to grayscale, up-sample, threshold and separate connected components.

This very simple attack gives an end-to-end success rate of 10.2% for segmentation; the recognition rate was 89.3%, giving (0.102)*(0.893)^6.5 = 4.89% total probability of breaking a HIP. Average Google HIP solution length is 6.5 characters. This can be significantly improved upon by judicious use of dilate-erode attack. A direct application doesn't do as well as it did on the ticketmaster and yahoo HIPs (because of the shear and warp of the baseline of the word). More successful and complicated attacks might estimate and counter the shear and warp of the baseline to achieve better success rates."
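The paper's success model above, carried through with its own Google HIP figures, as an added defender-side example that is not part of the post or the Microsoft paper. It assumes, as the paper's arithmetic does, that segmentation success and per-character recognition are independent, and it also shows how far the solution length would have to grow to push the break probability below a chosen target.

```python
import math


def end_to_end_success(seg_rate: float, char_rate: float, avg_len: float) -> float:
    """Probability that one HIP is solved: segmentation must succeed and
    every one of the avg_len characters must then be recognised.
    With the paper's numbers (0.102, 0.893, 6.5) this is about 0.0489."""
    return seg_rate * char_rate ** avg_len


def attempts_per_solve(p: float) -> float:
    """Expected number of HIPs a bot has to fetch for each one it solves
    (geometric distribution), i.e. the cost side of the $/1k accounts model."""
    return 1.0 / p


def length_for_target(seg_rate: float, char_rate: float, target: float) -> int:
    """Smallest solution length at which seg_rate * char_rate**L drops below
    `target`. Demonstrates that lengthening the string is a weak lever while
    per-character recognition stays near 90%: the exponent shrinks slowly."""
    if target >= seg_rate:
        return 0  # already below target before any character is recognised
    # seg * r**L < target  <=>  L > log(target / seg) / log(r)   (log r < 0)
    return math.ceil(math.log(target / seg_rate) / math.log(char_rate))


if __name__ == "__main__":
    # Figures quoted from the paper for the Google HIP
    p = end_to_end_success(0.102, 0.893, 6.5)
    print(f"break probability per HIP: {p:.4f}")
    print(f"HIPs fetched per solved one: {attempts_per_solve(p):.1f}")
    # Constructed target: what length would push the break rate under 1%?
    print(f"length needed for <1%: {length_for_target(0.102, 0.893, 0.01)}")
```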

Abusing the clean IP reputation of these reputable email providers results in a flood of spam coming from legitimate domains, as well as the ease of registering bogus Blogspot accounts known as splogs for blackhat search engine optimization, and even malware, with Storm Worm diversifying its propagation vector to use Blogspot accounts, presumably by buying the already registered accounts.

With the continuing supply of bogus email accounts efficiently registered by breaking the CAPTCHAs at these services, isn't it time for major web companies to start considering replacements for text-based CAPTCHAs like these ones, or perhaps to put more effort into slowing down the currently efficient text-based recognition of their CAPTCHAs?

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

18 comments
  • It is impossible to manage...

    networks the size of Google with technology alone. It takes a real live person. Now we can expect more spam coming from these networks. Spam that will be harder to filter. If these companies can't manage their networks in a responsible manner, shut them down. Big networks create big problems.
    bjbrock
    • How many people though

      To manage that mess. It's quite the engineering-manpower problem.
      Larry Dignan
      • Re: How many people though

        For the CAPTCHA problem, all they have to do is do some research, stick to several CAPTCHAs of choice, build awareness on the upcoming migration to the new CAPTCHA, and just execute it.

        If they stick with the same weak captcha so that their users and, of course, spammers can easily recognize it, then they should start putting more efforts into fighting OUTgoing spam, not just INcoming one.
        ddanchev
      • How many people?

        I think it's more of a design issue than a personnel problem. Give them good tools to work with and watch things change. Let everyone have their own path and watch the chaos.
        twaynesdomain-22354355019875063839220739305988
    • Re: It is impossible to manage...

      The CAPTCHA alone is universal on all of their services, and the only reason that it's so weak for the time being is the fact that they'll have half the Internet complaining that even humans cannot recognize it - which is not an excuse for leaving it the way it is.

      Dealing with this CAPTCHA breaking attack can be easily achieved; dealing with the spam and phishing emails coming out of their networks is another issue.
      ddanchev
    • But management IS possible, just not probable

      It wouldn't even take a LOT of people if they were armed with the right button to push and the right monitors to work with. That kind of activity leaves a trail that is evident, and can be seen and notated. I can think of several things right off the top of my head that would slow down the mass signups and it's nothing to do with Captcha or anything like it.
      twaynesdomain-22354355019875063839220739305988
  • RE: Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers

    Who cares? All I do is pay $6.00 per month to get my own website (with unlimited email addresses), and I configure my mailer (Thunderbird or SeaMonkey) to only accept mail from a handful of people that I personally give my address to.

    I get all sorts of spam, but never see it, as it goes directly to the TRASH and is deleted when I log off.

    People allow themselves to become victims of these scams by being CHEAP, using these free mail services.
    Nothing is free.

    My freedom from spam costs me about six bucks per month.

    Of course a better, cheaper way to avoid problems with spam is to stop being an idiot who believes he just won the lottery, just met someone online who needs to smuggle $200,000,000 out of Nigeria, needs a male enhancement product or a teenage boy/girl for weekend funsies.

    The main reason most of us have these problems is because we are incredibly gullible or just plain STUPID. In neither case do these people deserve our pity or even our concern.
    turncoat
    • Free lunch.

      "People allow themselves to become victims of these scams by being CHEAP, using these free mail services.
      Nothing is free."

      It used to be that the entire internet was free. Wonder why that changed? Plus, when signed up to an internet provider, the provider provides an email account as part of the monthly fee - called product perks. There isn't anything free anymore, so you got that right.

      "The main reason most of us have these problems is because we are incredibly gullible or just plain STUPID. In neither case do these people deserve our pity or even our concern."

      Ya know I've had about enough with the likes of you. Bye, bye.
      jasahasch1
  • Limit new accounts by IP address

    I doubt if the spammers setting up new accounts every second are using a different IP address to come from for each new address. Just let Yahoo allow one new account per day for a given IP address instead of one per second, and it's better off by a factor of 86,400. There are problems, of course - spoofing IP addresses, allowing more addresses per day from big institutional Web sites, etc. - but they can be solved with some ingenuity.
    shirleydj
    • Corporate firewalls make 1000's of users appear to have a single IP...

      ...but maybe that's okay if gmail accounts aren't really intended for corporate users, or if those users can simply connect from home at night to request an account.

      Also they could provide an alternative if there has already been a registration on your IP today, e.g. one per non-free email address (if you have an ISP or corporate email address) or one per phone number (if they can text/call you to confirm).
      dabruro
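The per-IP registration throttle sketched in the two comments above, as an added defender-side example that is not code from the post or from either commenter. It assumes a default quota of one new account per source IP per day, a higher quota for address ranges known to be shared NAT or proxy egress points, and a "fallback" outcome that the registration flow would route to a secondary proof such as a phone number; the quotas, address ranges and timestamps are constructed.

```python
import ipaddress
from collections import defaultdict, deque

DAY = 86_400  # seconds per day, the "factor of 86,400" in the comment


class RegistrationThrottle:
    """Sliding-window counter of accepted signups per source IP."""

    def __init__(self, default_quota=1, window=DAY, shared_egress=None):
        self.default_quota = default_quota
        self.window = window
        # Constructed allowance for corporate/institutional NAT ranges:
        # {"network/prefix": signups allowed per window}
        self.shared_egress = {
            ipaddress.ip_network(net): quota
            for net, quota in (shared_egress or {}).items()
        }
        self._accepted = defaultdict(deque)  # ip -> timestamps of accepted signups

    def quota_for(self, ip: str) -> int:
        """Quota for this IP: the shared-egress figure if it falls in a known
        range, otherwise the one-per-day default."""
        addr = ipaddress.ip_address(ip)
        for net, quota in self.shared_egress.items():
            if addr in net:
                return quota
        return self.default_quota

    def attempt(self, ip: str, now: float) -> str:
        """Record a signup attempt at time `now` (seconds). Returns "allow" when
        the IP is within quota, otherwise "fallback" to signal that a secondary
        proof (non-free address, SMS/phone confirmation) should be required."""
        seen = self._accepted[ip]
        while seen and now - seen[0] >= self.window:
            seen.popleft()  # drop signups older than one window
        if len(seen) < self.quota_for(ip):
            seen.append(now)
            return "allow"
        return "fallback"
```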
  • RE: Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers

    The information provided here is very old.

    Simply look at the CAPTCHA image in the document this paper linked about Microsoft's CAPTCHA broken, and the CAPTCHA image on Microsoft's website (www.live.com). They are not the same images.
    captcha
  • RE: Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers

    Did you even bother to read the entire post, or the Microsoft's CAPTCHA broken one with a more recent research on the topic? The image isn't supposed to be recent in respect to the underground service selling the accounts and registering them automatically.

    The Microsoft research paper was just used as reference as to what is research/academic up to, with the idea to emphasize on the fact that malicious parties have more resources and interest to go further.
    ddanchev
  • And so goes the circle.

    It is just one reality we must confront. Now, as there has always been, there are scoundrels and thieves. Those low people without ethics will migrate to any medium in which they believe they can profit. Unfortunately we cannot just hang them when they are caught. Just as we used to do Horse Thieves. They are no better than horse thieves and deserve no better.
    Sagax-
  • Replace?

    Replace?
    Yea but with what?
    Viklund
  • RE: Replace?

    Anything non-linguistic, since it's becoming obvious that there are business models built on breaking it.
    Logical or semantic puzzles, for instance: despite being linguistic, they put the emphasis not on distorting a single word, but on providing an accurate answer to a common question.

    Find out some alternatives at the end of the post:

    http://blogs.zdnet.com/security/?p=1232

    The ultimate objective should be limiting the opportunity to efficiently break it, the way they are breaking it right now. And, of course, balance the solution, since as always it's usability versus security. For instance, those who don't see well but want to use these services would be offered an audio CAPTCHA for the purpose, one that's in fact easier to break than the text-based one:

    http://blog.wintercore.com/?p=11

    If nothing changes, the spam and phishing emails coming from legitimate email providers are prone to increase.
    ddanchev
  • reCAPTCHA (nt)

    nt = no text
    CobraA1
  • RE: Gmail/Yahoo/M$ people may not be as dumb as you think

    The question is what percentage of these accounts are really usable. That they are created successfully doesn't necessarily mean they are not detected. It's hard to defeat crackers technically. Even if you can temporarily, they will find new solutions. But, if spammers find they are wasting their spamming budget buying useless accounts, they will remember these crackers.
    3.14159
  • RE: Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers

    I had a question:

    What do you people think about the TicketMaster Captcha - isn't it harder to break?
    SakthiGs