Feeds

back to article Trojan creates bogus webmail accounts to punt drugs

Miscreants have created a strain of malware capable of setting up bogus Hotmail and Yahoo! accounts in order to send spam. The HotLan-A Trojan uses automatically-generated webmail accounts, suggesting that spammers have found a way to bypass the Captcha system (which typically means accounts can't be created until a user …

COMMENTS

This topic is closed for new posts.

Ordinary captcha useless

It has been for months. I run a forum and about six moths ago I started getting a constant stream of bots signing up _and activating the accounts (confirmation email)_despite the captcha. I looked around for a solution and found a simple one: include a simple random question in the registration form, something like "Are you a human?" or "How many toes do you have?" - something obvious to a person but enough to stump a bot. Ever since I did that I'm bot-free.

0
0

Huh?

I'm a monkey, and I only have 7 toes - you insensetive clod!!

0
0

I understand the complexity of attacking the SPAM

but I don't understand why we can't simply go after the intended beneficiary. If the SPAM is trying to sell a product, why not simply go after the person to whose site the SPAM directs us (or whoever eventually gets the money from the prospective sales). For obvious reasons, the beneficiary cannot hide. The SPAM source may be difficult to trace and block, but the money isn't.

Am I missing something?

0
0

Maybe the craptcha is done by the bot host.

What I'd do is:

1) Bot a Bod's PC

2) Wait until aforesaid bod logs in.

3) Take the Craptcha image from Hotmail/whoever and reframe it in a Windows dialog with a heading like

'Microsoft Windows Genuine Disadvantage needs to verify a real user is accessing this Computer', 'Please enter the word contained in the image to verify you have not been a victim of software piracy..'

4) Use that to create the account.

5) Profit...

Social engineering, sigh.. I know several people who would probably happily fill in 10 such craptchas a day if they believed it was genuine.

0
0
Bronze badge

but I don't understand why we can't simply go after the intended beneficiary

because they are not always the guilty party

WHat happens some times is a web site contracts with a legit advertiser, that advertisers has affiliates that then does shady things .

0
0
Anonymous Coward

Re: I understand the complexity of attacking the SPAM

The problem is that for someone to put a competitor out of business all they would have to do is spam like crazy directing custom to their competitor.

Similarly a spammer could claim the spam they are benefiting from was from a malicious competitor.

As ever the burden of proof would be the problem.

0
0
Anonymous Coward

"I'm a monkey, and I only have 7 toes - you insensetive clod!!"

That explains the spelling mistake.

0
0
Anonymous Coward

Re: That explains the spelling mistake.

This brings up an interesting trend I've been seeing lately. This really has nothing to do with the subject at hand. It's sort of a geekthropolical observation.

I've been dealing with online communities since the cesspits of the UseNet.

As you can imagine, I have seen some truly awful broadsides launched between battlegeeks.

To Wit: http://www.webmasterfriendly.com/forums/archive/index.php/t-29895.html

What used to be an unspoken rule, was not to correct another poster's [often terrible] command of English. Since the UseNet tended to be something that was pretty exclusively the domain of US academia, it was always rather puzzling to me.

Of course, those people are now ru[i]ning the USofA...

Lately, I have seen a great many flamewarriors correcting each others' spelling/grammar/punctuation, etc.

Question: Has this resulted in a more urbane and erudite flame culture?

Discuss.

0
0

Solution

Um, just use a random image. E.G. a gif of a kettle, a frog, a lemon etc. Used on the A&L banking system as part of the logon process. Give the end user 3 options as to what it could be. If it's wrong a new image is created with new possible answers.

Voila.

0
0
Anonymous Coward

Re: Solution

"Um, just use a random image. E.G. a gif of a kettle, a frog, a lemon etc. Used on the A&L banking system as part of the logon process. Give the end user 3 options as to what it could be. If it's wrong a new image is created with new possible answers."

so, 33% of bots get through on first attempt, 33% of the remainder get through on second attempt, etc...

good on principle (the .gif), but you'd have to have an open text input and ignore capitalization, not offer a multiple choice.

0
0

Re: Re: That explains the spelling mistake.

I don't think so, it has merely become more pernickety.

0
0

how do you defeat captcha

It seems as if captcha has a hole if silly random questions

solves the problem and plain random ones do not.What I am

getting at is that captcha the idea still works but there is a perfectly

normal exploit going on to defeat it and that needs patching. I can

think of a few proto holes that might exist right off the bat but

I don't develop for the program.

0
0

Just wait for the Turk...

The more exotic approaches only work because they're not common enough to warrant a spammer defeating them. If somebody comes up with a system that actually works and it gets widely used the spammers will get round it. If it's computationally not feasible to solve the problem the spammers could resort to a system similar to the Amazon "Mechanical Turk" and pay a group of poor people in another country to do it: Trojan sends captcha to server which displays it for some poor shmuck who gets $0.01 for every 10 he solves and the result is returned. If he's good he could well earn 1c every minute which is $6 a day (on a 10 hour day.) There are still many countries where $6 is a very good wage.

I suppose such techniques could be made less effective by limiting the time the user has to solve the captcha but they we'd be discriminating even more against the disabled for whom they're difficult enough as it is. Streaming, animated, video captchas anyone?

0
0

Why pay a turk?

I've heard of some porn sites advertising free images protected by a captcha. Thing is that the captcha is actually an image from some other site. So the dope enters it in, playing the unsuspecting turk.

And if they really wanted to make it tough to thwart, their malware would turn the infected user into a turk. That is, suppose someone wants to sign up to yahoo, but their computer is infected. The malware can then pre-fetch a failed signup, so when the user does the captcha, the malware registers its spamaddress instead, and throws up a 'failed captcha' page. The user figures they misread an 8 for a B, and registers a second time, this time going through, none the wiser that two accounts were made.

I'm not sure how to combat that level of trickery.

0
0
Anonymous Coward

Discuss

"Lately, I have seen a great many flamewarriors correcting each others' spelling/grammar/punctuation, etc.

Question: Has this resulted in a more urbane and erudite flame culture?

Discuss."

In the UseNET days typos were generally ignored because it was usually the result of clumsy fingers. These days however more and more people are demonstrating blatant lack of skill in both spelling and grammar. These are not second-language english speakers we're talking about - its often people who have no exuse.

0
0
This topic is closed for new posts.