Spammers, fresh from the success of cracking the Windows Live captcha used by Hotmail, have broken the equivalent system at Gmail. Internet security firm Websense reports that miscreants have created bots which are capable of signing up and creating random Gmail accounts for spamming purposes, defeating Captcha-based defences in …
Hats off to them...
I had to fill in a GMail CAPTCHA today - it took me two goes and a lot of squinting to read it myself. And I think I'm human...
No, no, no. CAPTCHA is the opposite of a Turing test - A Turing test is a human trying to tell a human and a program apart, a CAPTCHA is a program trying to tell a human and a program apart.
Holiday in Cambodia
Where the people dress in Black...
With that tag-line, I've now got several Dead Kennedys tracks going round in my mind, and this will have to be dealt with by playing said tracks at maximum volume which will annoy the wife.
I can't quite see the connection between the tag and the article, but maybe I'm just too semantically blinkered!
Where can I buy this software?
As someone who has problems trying to read the letters in captcha images, I could do with some help.
Can I get a copy?
I had to reset my brother in law's Hotmail password for him (yeah, I know, he's a tyre fitter, what can you expect) and I couldn't read the bloody captcha so respect to anyone who's written software that can.
Making the zombies work harder is the solution.
Current captcha cracks against Google are only successful 1 time in 5 (20% successful). By chaining three captchas together, Google could reduce the success rate to a mere 0.8%, or one in 125 attempts.
While I don't think captchas are especially good security, this simple step would be an interim measure while something truly effective is developed.
"Stealing People's Mail"...
... is presumably the correct DK track the semantically challenged amongst us should be listening to right now.
Actually, it's the work of people who write captcha-reading software that makes captchas harder and harder to read by humans. So, if you have a hard time reading captchas, you should be AGAINST those who write software to read them.
Bot army now with human servants?
So apparently Russians are paying people to correctly identify captcha strings for their bots?
We all know that Google GMail can't be used for spamming. That's what Google says every time they ignore your complaints about spam coming from their mail servers.
I'd wager their sophisticated OCR tech actually only matches one in a hundred captchas. You know, the poorly generated ones that an amoeba could read. The article mentions only 500,000 accounts generated by the HotLan trojan, if it were more sophisticated at reading I'd imagine this figure would be in the millions.
In which case, Google and MSN should just limit multiple captcha page retries and block access from specific IP addresses for several hours if it's deemed to be trying too often.
...Or does it match good enough to work on the first, second or third try of a captcha in most cases? That would work.
Unless the spammers could go into legit business with incredibly sophisticated OCR technology, I doubt they're THAT clever - just that GMail and MSN aren't that reactive to such threats.
But I don't really know...
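The retry limit and temporary IP block suggested in this post, worked through as an added example (this is illustration code, not anything from Google, Microsoft or the Websense report). The policy numbers (more than 5 failures in 10 minutes earns a 4 hour block), the IP addresses (documentation ranges) and the event sequence are all constructed for the demo; the clock is passed in explicitly so the replay is deterministic.

```python
"""Sliding-window CAPTCHA retry limiter (added illustration, not Google's or
Microsoft's code). Implements the commenter's suggestion: count failed CAPTCHA
attempts per source IP inside a time window and block that IP for several
hours once it goes over the limit. Time is passed in explicitly so the logic
runs deterministically offline."""
from collections import defaultdict, deque


class RetryLimiter:
    def __init__(self, max_failures=5, window_seconds=600, block_seconds=4 * 3600):
        # Assumed policy values: more than 5 failures in 10 minutes earns a 4 hour block.
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.block_seconds = block_seconds
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time the block expires

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]       # block has expired
            return False
        return True

    def record_failure(self, ip, now):
        """Log a failed CAPTCHA; return True if this failure triggers a block."""
        window = self._failures[ip]
        window.append(now)
        while window and now - window[0] > self.window_seconds:
            window.popleft()                  # drop failures older than the window
        if len(window) > self.max_failures:
            self._blocked_until[ip] = now + self.block_seconds
            window.clear()
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)          # a solved CAPTCHA resets the count


def simulate(events, limiter=None):
    """Replay (time, ip, solved) CAPTCHA outcomes and return one decision per
    event: 'accepted', 'retry', 'blocked_now' or 'blocked'."""
    limiter = limiter or RetryLimiter()
    decisions = []
    for now, ip, solved in events:
        if limiter.is_blocked(ip, now):
            decisions.append("blocked")
        elif solved:
            limiter.record_success(ip)
            decisions.append("accepted")
        elif limiter.record_failure(ip, now):
            decisions.append("blocked_now")
        else:
            decisions.append("retry")
    return decisions


# Constructed sample: a human at 198.51.100.9 gets it on the third go; a bot at
# 203.0.113.7 fails six times in six seconds, tries again immediately, and tries
# once more after the block expires. Both addresses are documentation ranges.
SAMPLE_EVENTS = [
    (0, "198.51.100.9", False), (1, "198.51.100.9", False), (2, "198.51.100.9", True),
    (0, "203.0.113.7", False), (1, "203.0.113.7", False), (2, "203.0.113.7", False),
    (3, "203.0.113.7", False), (4, "203.0.113.7", False), (5, "203.0.113.7", False),
    (6, "203.0.113.7", True), (5 + 4 * 3600 + 1, "203.0.113.7", True),
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(event, "->", decision)
```

The window is per address, so the human's two misreads never interact with the bot's run of failures. The limit has to be set with the legitimate failure rate in mind: a user whose browser silently breaks the CAPTCHA form (as a later post in this thread describes) will rack up failures as fast as any bot, so the threshold should sit well above what a squinting human produces, and a success should clear the counter, as it does here.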
There's Money to be made...
For the person who is ready with a new, secure, backwards compatible, and spam proof e-mail replacement when the existing system finally collapses in a year or so. Someone needs to rethink this from the ground up as the current e-mail technologies just aren't adequate, and there are far too many circumstances where whitelisting isn't practical.
Re: Bot army now with human servants?
> So apparently Russians are paying people to correctly identify captcha strings for their bots?
That's how I read the Websense article; and the second host appears to be (doing a bad job of) trying to crack the Captcha programmatically, so Man is still ahead of Machine.
But why don't the bad guys just pay people to create accounts for them? Surely none of their "workers" think that getting paid just for reading Captchas can be legit? Or does GMail disallow 2 signups from the same "source"?
A web site I frequent must not have too much of a problem with CAPTCHA crackers - their CAPTCHA image consists of four or five GIFs strung together, a la 1.GIF 7.GIF 3.GIF 2.GIF 9.GIF.
More Dead Kennedys
Given the amount of spam pushing penis enlargement, surely the correct Dead Kennedys track is Pull My Strings - "is my cock big enough, is my brain small enough ..."
my favourite types of 'captcha' are the ones which dinnae tell you in advance whether or not the code is case sensitive... or tell you it is and then present you with a letter which looks the same in both upper and lower case... or make no distinction between capital I [eye], lower case l [el] and the number 1 [one] .... or between the letter O and zero...
and dinnae even get me started on sign up forms which ask you to pick a username or password and then *only* after you've submitted the form, throw an error in your face, telling you that 'your username needs to be at least six characters' or 'your password must contain at least one number'..... so you change your username/pass from the ones you wanted to use to ones that conform to the whims of the form designer and then have to write the feckers down, so you willnae forget them - which kinda defeats the whole purpose of having a login/pass in the first place!
Back to Invite-Only
It was kind of neat when Gmail was invite-only. Felt like you were in some special club or something.
How about having to crack the first 3 levels of bricker or pac man before your sign up is accepted. Now we are talking!
Imagine an animated GIF captcha swirling in an infused cloud of incandescent murkiness. That would stump everyone. Top marks.
@Jacob Reid - that had always bothered me too...
Also, what's with the Dead Kennedys ref? Or is it the DKs referring to something else?
"In which case, Google and MSN should just limit multiple captcha page retries and block access from specific IP addresses for several hours if its deemed to be trying too often."
Which would have blocked me the other day as it took me multiple failed attempts to work out that the Hotmail CAPTCHAs don't work in Firefox!
You can put the right characters in as many times as you like, it always fails until you try IE (didn't check with Opera)
That's a shame, but Google Mail is still light years ahead of every other mail service on many fronts so I'm still voting for them
And so it continues
One of the biggest problems is a particularly nasty piece of scumware called XRumer. It cracked the phpBB2 CAPTCHA some time ago and it looks like it'll add "support" for Gmail, Windows Live and Yahoo in due course. If you've ever had to do admin for a forum and delete hundreds of spam registrations with generic details such as random countries for location or bland descriptions for occupation you'll have come across its after effects.
I don't think coming up with increasingly obscure and technical ways is really the best way to deal with spam and malware. This isn't some bored teenage cracker trying to show off his l33t h4x0r skills but a bunch of crooks with plenty of time and (often stolen) money. The problem of botnets is a bit like someone who doesn't realize they own a toxic waste dump that's polluting a river. Sure someone downstream might come up with a way of removing some of the pollutants and stop it affecting them, but the source is still there.
Bots generally have a pretty distinctive "signature" for the type of traffic they produce. You can usually guess a pwned machine from the headers of a spam email or a failed semi-automated attempt at registering on a forum. It's likely that the owner of the machine (as opposed to the bot herder) is unaware that they don't have full control of what happens on it and they would probably be shocked to know a criminal gang is using it for nefarious purposes. One problem is that people don't always understand the importance of keeping a machine patched ("I don't use that feature so why should I care?") and even if they do it isn't physically possible to do so because MS have decreed that it's reached the end of its life. The audience on El Reg will understand this, but someone who just uses an old Win98 computer for a bit of email and word processing probably wouldn't.
I think one way to address this would be a "your machine is infected. Do this to fix it or you will be disconnected" letter sent to the owner of that IP address (make sure it's sent to the right place!) along with a mandatory requirement for MS to continue to update its operating systems until the usage is so small that any impact will be minimal. Changes to the OS kernel mean that a lot of old DOS viruses don't work under Windows, open mail relays are somewhat a thing of the past and rogue diallers were pretty much killed off by broadband. However it's difficult to lock down an old Windows box with gaping holes when MS refuses to patch them.
I'd like to see software reliably tell bunnies & kittens apart.
I'd like to see bunnies & kittens!
passwords and logins
Kevin Mitnick, the famed ex-hacker now security adviser, recommends that people select very complex passwords and that they write them down, and keep them somewhere safe - like in their wallet with the other valuable paper.
Too many people choose lame passwords and if we try to force people to adopt more secure passwords, there is a huge resistance. Personally I try to use passphrases of a sort. The downside is I am a slow typist - but that is the price I pay for being security conscious.
Well tonight's the night that we've got the truck
Gonna go downtown gonna beat up drunks
We'll ride oh how we'll ride
No, heads off the spammers
Diabolical ingenuity should *NOT* be rewarded.
Spam email is an economic problem, and no technical or legal or medical or non-economic solution is going to fix it.
One solution would be to fine anyone who helps spammers. That would eliminate the free email accounts and free website hosts, but at this point I think it would be worth it. In Japan, I'd hope the ISP Dion would go bankrupt on their spam-support fines.
The irony of it all ...
Are these the same spammers who invented image spam? When spam filters started using OCR, they started to distort the image to bypass this.
So, if I understand correctly, captcha is a technique used to disguise spam, and make it harder for humans to register. It is machine readable by spambots but not spam filters.
If I understand correctly.
Now they will have to come up with something even more annoying to authenticate humans.
@ Morely Dotes
Good thinking. Instead of identifying numbers and/or letters, the random question might ask what colour the letter i is or which character is uppercase, which character is Chinese, etc. And, as mentioned above, blocking the IP from creating an account after creating an original account would help too.
Taken by force
Considering the name of the author, perhaps that would be more appropriate.
So, they have finally found the...
No, I'm not wearing anything thanks!
@And so it continues
I'm a phpBB2 forum admin, and when the bogus accounts started to appear (they would register but couldn't activate - I use confirmation emails, obviously not an option when signing up for an email account:) So I just added a nonstandard mandatory field in the registration form. Problem solved, haven't seen hair or hide of bots since then.
CAPTCHA does not stand for "Completely Automated Public Turing test to tell Computers and Humans Apart"; as a previous poster said, it's the reverse of a Turing test.
There's something wrong with the El Reg glossary, because this comes up EVERY time there's a story about CAPTCHAs.
The correct wording is:
Completely Automated Program to Tell Computers and Humans Apart.
That's not that difficult, is it?
They're also known as REVERSE Turing tests, for the above reasons.
SAAS - Google stylie.
"I'd like to see software reliably tell bunnies & kittens apart.
I'd like to see bunnies & kittens!"
What for, if you can't tell them apart w/o help?
Bunnies and Kittens
Bunnies and kittens, eh?
That could be more fun than you think! Look up the alternative meanings for "la chatte" (French) and "el conejo" (Spanish) sometime .....
Websense is toooo late
Just wonder how late could be security firms when they are so commercialized.
The story of Gmail Captcha crack was published 10 days ago in Russian IT news. You can find it in English (read my lips: no need for a tutor)
And yes, the spammers use humans (biobots) to break captchas for money.
There are many sites for this business around the world -
Look2Earn.com, RabotaOnline.com, grand-sale-5.com, x999.info etc
And while sleeping GMail is open for spambots, some Russian web-mail services already started to use more serious captchas where you have to choose the recognized signs one by one from a virtual keyboard, and the captcha alphabet could be changed in a moment (not just digits or letters but any pictograms like road signs can be used).
Here are the details, but now it's in Russian only (just for fun):
How about a new service from PayPal? Want to send an email that I'll read? Make a small payment into my PayPal account and attach a message.
Re: AC - And So It Continues
[I think one way to address this would be a "your machine is infected. Do this to fix it or you will be disconnected" letter sent to the owner of that IP address (make sure it's sent to the right place!)]
The now defunct Metronet ISP had this in their Ts and Cs - if you were getting bot traffic or had an open smtp relay you got your connection cut. They had some very funky network monitoring stuff and account self-management tools before they got Borged by Plusnet.
I run a phpBB2 board, is this method documented somewhere?
@ Barry Rueger
All the problems with email arise due to its ancient design.
Trying to have a system backward compatible would just render the new system useless.
The sooner we ditch the current system the better!
Web 2.0 CrowdSpamming in action!
Re: Bot army now with human servants?
> So apparently Russians are paying people to correctly identify captcha strings for their bots?
That's also how I read the Websense article. When I first had a play with Amazon's Mechanical Turk I thought it would be perfect to farm out CAPTCHAs for real people to type in for a cent a pop, and that's what they're doing here.
Now that's Web 2.0!
(And whilst you're at it, why not, as these spammers appear to, have your own bot have a go and compare it with the correct human to help learn do it automatically and save those few cents and speed it up considerably.)
Bunnies and Kittens? Bah, you're all missing a trick. What we want is a 'Pointless Blonde Celeb Line Up' where you have to pick out Paris Hilton and type the code that appears on the black placard she's holding in profile :)
Let google use their images game ...
you know the one where they pair you up with some other saddo and show a series of images and you both type in words to describe the image. If you match you get a new image and some points.
So at least for gmail, show an image(s) and ask for a word to describe, if you match more than n% then accept.
Downside is that it becomes language and spelling specific and there are too many images that just have tags like "man", "girl" etc. Also very variable and more time consuming.
A further downside with all of these is that it's hard for people with visual impairments who may rely on text to speech systems, or if you are using a text only browser (lynx).
1 in 5
1 in 5 = 20%, 20% is not a low percentage when it's performed regularly, quickly by computers.
If it can test 5 accounts per minute, that's 1 new account per minute, that's not a minor issue...
Small percentage would of course have to be relative to the number of accounts the system can break in a given time frame otherwise it's meaningless.
Posted anon because my forum gets enough attention from spammers as it is (I made the first post above about phpBB2), but I find the text confirmation mod for phpBB2 works quite well. The trick is to ask the right type of questions (the sweatshops that handle spam registrations can answer "what is 2 + 2" with little effort) and I've gone from 10 - 20 a day to none. I still have to delete the "registration attempt failed" emails but a couple of mail server rules do that for me. The humanizer mod (which asks "are you a human?") worked for a while but that's now been cracked.
Something I'd really like to see is use of XRumer made illegal (what legit uses does it have?) and the entertainment industry lawyers do something a bit more useful such as tracking down the spammers.
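A question-style registration check of the kind this post and the earlier "nonstandard mandatory field" and "which character is uppercase" posts describe, written out as an added example. It is illustration code, not the phpBB2 text confirmation mod, the humanizer mod or anything from Google: the question types, the hidden honeypot field, the HMAC token format, the 300 second lifetime and the demo secret are all assumptions made here. The expected answer is bound into an expiring HMAC token so the server does not have to remember outstanding challenges.

```python
"""Question-style registration check (added illustration, not the phpBB2
"text confirmation" mod or any Google code). Generates a random question of
the kind the commenters suggest ("which character is uppercase?"), binds the
expected answer into an expiring HMAC token so the server stays stateless,
and also checks a hidden honeypot field that real browsers leave empty."""
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass

SERVER_SECRET = b"constructed-demo-secret-rotate-me"  # assumption: loaded from config in practice
TOKEN_TTL = 300  # seconds a challenge stays valid (assumed value)
# Consonants only: avoids the I/l/1 and O/0 confusions complained about earlier in the thread.
CONSONANTS = "bcdfghjkmnpqrstvwxz"


@dataclass
class Challenge:
    question: str   # shown to the user
    token: str      # sent to the client as a hidden form field
    answer: str     # server-side only; returned so callers can test, never sent to the client


def _mac(nonce: str, expiry: int, answer: str) -> str:
    msg = f"{nonce}|{expiry}|{answer}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_challenge(now: int, seed=None) -> Challenge:
    """Build a random question; `seed` only makes the question reproducible."""
    rng = random.Random(seed)
    if rng.choice(["uppercase", "digits"]) == "uppercase":
        chars = [rng.choice(CONSONANTS) for _ in range(5)]
        pos = rng.randrange(len(chars))
        chars[pos] = chars[pos].upper()
        word = "".join(chars)
        question = f"Which character in '{word}' is uppercase?"
        answer = word[pos].lower()
    else:
        chars = [rng.choice(CONSONANTS + "23456789") for _ in range(6)]
        word = "".join(chars)
        question = f"How many digits are in '{word}'?"
        answer = str(sum(c.isdigit() for c in chars))
    nonce = secrets.token_hex(8)
    expiry = now + TOKEN_TTL
    token = f"{nonce}.{expiry}.{_mac(nonce, expiry, answer)}"
    return Challenge(question, token, answer)


def verify(token: str, submitted: str, honeypot: str, now: int) -> bool:
    """True only if the honeypot is empty, the token is unexpired and the
    submitted answer matches the one bound into the token."""
    if honeypot.strip():
        return False  # hidden field filled in: a form-filling bot, not a browser user
    try:
        nonce, expiry_s, mac = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False  # malformed or tampered token
    if now > expiry:
        return False
    expected = _mac(nonce, expiry, submitted.strip().lower())
    return hmac.compare_digest(expected, mac)  # constant-time compare


if __name__ == "__main__":
    ch = make_challenge(now=1000, seed=7)
    print(ch.question)
    print("correct answer accepted:", verify(ch.token, ch.answer, "", now=1001))
    print("wrong answer accepted:", verify(ch.token, "nope", "", now=1001))
    print("honeypot filled, accepted:", verify(ch.token, ch.answer, "http://spam", now=1001))
```

Two things the code leaves to the caller. A token can be replayed within its lifetime, so a deployment that cares about that should record used nonces until they expire (which reintroduces a little state). And, as the post says, the question type is what matters: anything a sweatshop answers by reflex (plain arithmetic, "are you human?") buys little, so the question bank needs to be varied and changed over time, which is why the generator rather than a fixed list is shown here.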
Bunnies and kittens
kinda reminds me of that thing that did the rounds a while ago where you had to decide whether a pic was of an upper or lower cleavage
can read the Captchas for the bots... Set up bots to open accounts and route the captchas to a human who can learn and improve his speed. Pretty soon you will have humans able to type captchas at 60 per minute. A network of such humans could open hundreds of thousands of accounts daily. So, Google will have to go to plan B, which is... I have no clue.