Automated crack for Windows Live captcha goes wild

Spammers are using a sophisticated piece of software that can create thousands of Windows Live email addresses by cracking the protections designed to prevent the large-scale creation of fraudulent accounts. According to security firm Websense, the bot is surreptitiously installed on the PCs of end users. It then establishes a …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

@Stefan

http://www.hotcaptcha.com/

Coat

@theotherone

"Q- If Billy has 3 apples, and gave John 2 of them, then who won the world cup in 1996?"

Now that's one I can't answer. I don't know what sport you're talking about. There was no football or rugby world cup played in 1996, for instance. Does Tiddlywinks use a cup?

# mv ${coat} > ~/

Flame

@theotherone

In fact it was Sri Lanka by 7 wickets. But I'm sure a computer can work that out.


@theotherone

If that became common practice as a captcha, I'd do it by finding the question mark in the statement, then taking all the words back to the first punctuation mark it finds (in this case the comma, so "then who won the world cup in 1996" being the string I've got), then sticking that string into a few search engines and looking at what the most recurring words are that aren't included in the string you're passing in. This would work better if you specified the actual sport.

Pirate

Automated webpage security

These spammers typically use software that either:

a) Uses JavaScript or Windows API interactions to navigate the DOM of the "Create New Web Account" page to select-from/fill-in the controls on the form before simulating the relevant control interactions (e.g. button clicks) to cause the postbacks.

b) Generates a proxy page that transmits the correct values to the receiver page. They'll often spoof the page path/name and domain to make it look legitimate enough to bypass any basic security checks.

c) Uses any unsecured web services that are designed to automate server interactions (such as account creation) for legitimate customers/partners. Due to the rise of AJAX people are creating web services more and more often these days and a lot of people forget to secure them adequately (merely using the SOAP protocol does not guarantee an adequate level of security).

In Microsoft's case I doubt they are stupid enough to be caught out by either (b) or (c) which leaves (a) as the most likely scenario.

In this case, in addition to using a Captcha image, the server-side page that renders the "Create New Mail" form could also start randomizing client control names/ids per request by a validated IP session (tracking the randomized names on the server so that when they are posted back it knows how to correctly translate them). This would make it very difficult to write code to target those controls and they'd have to resort to using index values (e.g. the first textbox control = firstname), which you could foul up by generating a random number of fake masked controls on the page to mess up the index ordering.

Also judicious use of secured Flash or Silverlight controls for data capture with no exposure of internal object names or programmatic control methods (basically make human interaction the ONLY means to interact with the Flash object) can make life difficult for spammers too.
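Server-side sketch of the randomised-control-name idea from the post above, with the per-session name map and the random decoy controls that break index-based targeting. This is an added example, not Microsoft's code; the class name, the canonical field list and the submissions are constructed for the demonstration.

```python
import secrets
from typing import Callable, Dict, List

# Canonical control names the server-side handler understands (constructed).
CANONICAL_FIELDS = ["firstname", "lastname", "username", "password"]


class RandomisedFormSession:
    """Per-session mapping from random control names back to canonical names.

    Hypothetical server-side helper (not Microsoft's code): every time the
    form is rendered, each real control gets a fresh random name and a random
    number of masked decoy controls is inserted ahead of it, so neither a
    fixed name nor a positional index ("first textbox = firstname") works.
    The mapping lives server-side, keyed to the visitor's session.
    """

    def __init__(self, decoys_before_field: Callable[[], int] = lambda: secrets.randbelow(3)):
        self.decoys_before_field = decoys_before_field
        self.forward: Dict[str, str] = {}  # random name -> canonical name
        self.decoys: List[str] = []

    @staticmethod
    def _random_name() -> str:
        return "f_" + secrets.token_hex(6)

    def render_order(self) -> List[str]:
        """Return the control names in page order (decoys are CSS-masked)."""
        self.forward, self.decoys, order = {}, [], []
        for canonical in CANONICAL_FIELDS:
            for _ in range(self.decoys_before_field()):
                decoy = self._random_name()
                self.decoys.append(decoy)
                order.append(decoy)
            name = self._random_name()
            self.forward[name] = canonical
            order.append(name)
        return order

    def translate_postback(self, posted: Dict[str, str]) -> Dict[str, str]:
        """Map a posted form back to canonical names.

        Raises ValueError when a decoy carries data (a human cannot see it)
        or when a real control is missing.
        """
        result: Dict[str, str] = {}
        for name, value in posted.items():
            if name in self.decoys and value != "":
                raise ValueError("decoy control filled: " + name)
            if name in self.forward:
                result[self.forward[name]] = value
        missing = set(CANONICAL_FIELDS) - set(result)
        if missing:
            raise ValueError("missing controls: " + ", ".join(sorted(missing)))
        return result


def accepted(session: RandomisedFormSession, posted: Dict[str, str]) -> bool:
    """True when the postback translates cleanly, False when it is rejected."""
    try:
        session.translate_postback(posted)
        return True
    except ValueError:
        return False


# Constructed values for the two submissions below.
VALUES = {"firstname": "Ada", "lastname": "Lovelace", "username": "ada", "password": "hunter2"}


def browser_submit(session: RandomisedFormSession, order: List[str]) -> Dict[str, str]:
    """A real browser posts every control; masked decoys stay empty because the
    user never saw them, and the visible controls are filled by their labels."""
    posted = {name: "" for name in order}
    for name, canonical in session.forward.items():
        posted[name] = VALUES[canonical]
    return posted


def index_based_submit(order: List[str]) -> Dict[str, str]:
    """The index-based fallback the post predicts: textbox i is assumed to be
    CANONICAL_FIELDS[i], so any decoy ahead of a real control gets filled."""
    return {name: (VALUES[CANONICAL_FIELDS[i]] if i < len(CANONICAL_FIELDS) else "")
            for i, name in enumerate(order)}


if __name__ == "__main__":
    session = RandomisedFormSession(decoys_before_field=lambda: 1)
    order = session.render_order()
    print("browser accepted:", accepted(session, browser_submit(session, order)))
    print("index-based accepted:", accepted(session, index_based_submit(order)))
```

Two points worth checking when deploying something like this: the name map must be bound to the session cookie and expire with it (otherwise a replayed map works forever), and with zero decoys the index-based submission goes straight through, which is why the post insists on a random number of masked controls rather than just random names. It raises the cost for scripted fillers; something driving a real browser and locating controls by their visible labels is unaffected, so treat it as one layer alongside the captcha.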

Anonymous Coward

@Hayden Clark

So? Nothing important goes to that mail address - change it. Also, as you only have X number of known people delivering mail to the address, just bounce anything not from those people.

It's pretty simple if you're bothered.

Me, I'm not all that bothered - the spam in my c--p mail box amuses me.

Apparently there is an office in America that has a cheque for £5 for me!

Also a rogue millionaire who wants to share his secret! Apparently people are after him, I just need to click the link to find the answer da da daaaa

There are also some sexy adults looking for a good time in my local area apparently!!

And a rolex watch that I should look at!

Seriously spam mail amuses me no end on a slow day through a text only client.

Anyway I realised what the closest comparison to the modern internet is.

Free local papers and that junk mail you get through the door. The whole thing is trash sponsored by rubbish adverts and unwanted junk. Oh well.


Re: Plus Address

An email in this form, name+string@domain.com, surely will not fool spammers; they just discard the information after the +.

Coat

@Jared Earle

"# mv ${coat} > ~/"

Fail. Can't redirect stdout to a directory.

Paris Hilton

@worldcup 1996

well, there you go, that's proof of concept innit? If humans are having a bloody hard time answering it, I'm sure computers will be buggered by it, and spammers will probably move on...

Hilton...cause she knows her "score" in 1996...

Paris Hilton

Best Solution!

Use get out of the basement and meet people face to face!

Paris thinks the "basement" is an erogenous zone.

IT Angle

Instant Messages

No idea if this is related, but I received a spam instant message from a random address, sending me a link to a website to download an MS-DOS file of some kind.

The ol' "I've found some pictures of you!" scam... I think the URL they sent me to was image-bin.com or something along those lines.

Thumb Up

not even new

Good spam outfits have OCR software to read the captcha and send back a valid response approaching 99.5% of the time. The system described in the article is just a newbie typer system where the captcha is fetched using curl and appears on another web site for a "typer" to read and send back. The same technique is used for auto-ranking bots for several online games that use captchas.


Spammers...

are simply using the algorithms developed for MMO games. In most games, the only way to interact with the system is through image recognition and simulated input events, because the game contains code against traditional hacking. The solution used there is to OCR the whole screen, extract the required data (like the location of a mob) and generate the input events (like attack). Using the same technology for captcha decoding is possible. The human vision system is well understood and there are good neural models that can give almost the same precision. There are cases when the captcha is so distorted that a computer has a better chance to understand it than humans.

The problem is that if you require some intelligence to solve the problem, then some users won't be able to use the service. If you make it a hard but dumb task, a neural algorithm can be used to defeat it. And computers are getting better than some people.

For mass mail detection, a distributed database would work, where every email is recorded, fingerprinted and checked. If a mail matches one of the known spam mails, the spam can be revoked from all participating servers on the internet. The problem with this solution is that it lends itself to political censorship. Actually the Chinese government tries to do exactly this with every email and blog within China that contains any political meaning. A working, but usually non-political, version is used by some Israeli email providers to flag and filter spam emails. If a mail hits more than one of their user accounts, they flag it as spam, and if a user indicates that it's truly spam (by clicking), they remove it from all other accounts. The result is that at most one user sees every spam they get, no matter how many users get it in the inbox. Connecting multiple servers (and providers) decreases the redundancy of the checks and the amount of displayed spam.
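The fingerprint-and-revoke scheme described in the last paragraph above, written out as an added example (not code from the post or from any provider it mentions). The normalisation rules, the registry class and the sample campaign are all constructed here; a real deployment would use a fuzzy hash rather than an exact one, and a reporting threshold rather than a single click.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def fingerprint(body: str) -> str:
    """Hash of a normalised body: case, whitespace, digits and URLs are
    canonicalised so the per-recipient variations of one campaign map to a
    single fingerprint (constructed rules; exact hashing is the weak point)."""
    text = body.lower()
    text = re.sub(r"https?://\S+", "<url>", text)
    text = re.sub(r"\d+", "<n>", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


class SharedSpamRegistry:
    """Hypothetical shared registry in the shape the post describes: record
    which accounts received each fingerprint, flag a message seen by more
    than one account, and once a recipient confirms it as spam remove it
    from every other inbox and drop future copies."""

    def __init__(self) -> None:
        self.recipients: Dict[str, Set[str]] = defaultdict(set)  # fp -> accounts
        self.inboxes: Dict[str, List[str]] = defaultdict(list)   # account -> fps
        self.confirmed: Set[str] = set()                         # fps reported as spam

    def deliver(self, account: str, body: str) -> str:
        """Returns 'delivered', 'flagged' (already seen elsewhere) or 'dropped'."""
        fp = fingerprint(body)
        if fp in self.confirmed:
            return "dropped"
        self.recipients[fp].add(account)
        self.inboxes[account].append(fp)
        return "flagged" if len(self.recipients[fp]) > 1 else "delivered"

    def report_spam(self, account: str, body: str) -> int:
        """A recipient clicks 'spam'; returns how many other inboxes lost it."""
        fp = fingerprint(body)
        self.confirmed.add(fp)
        removed = 0
        for other in self.recipients[fp]:
            if other != account and fp in self.inboxes[other]:
                self.inboxes[other].remove(fp)
                removed += 1
        return removed


# Constructed sample: one campaign with per-recipient amounts and URLs.
CAMPAIGN = [
    ("alice", "You have won 1000 GBP! Claim at http://example.invalid/a1"),
    ("bob",   "You have won 2500 GBP!  Claim at http://example.invalid/b7"),
    ("carol", "you have won 300 gbp! claim at http://example.invalid/c9"),
]


def run_demo() -> Tuple[List[str], int, str, Dict[str, int]]:
    """Deliver the campaign, let alice report it, then try a late copy."""
    reg = SharedSpamRegistry()
    results = [reg.deliver(acct, body) for acct, body in CAMPAIGN]
    removed = reg.report_spam("alice", CAMPAIGN[0][1])
    late = reg.deliver("dave", "You have won 42 GBP! Claim at http://example.invalid/d0")
    counts = {a: len(reg.inboxes[a]) for a in ["alice", "bob", "carol", "dave"]}
    return results, removed, late, counts


if __name__ == "__main__":
    print(run_demo())
```

The demo reproduces the property the post states: only the first recipient who clicks ever sees the message, and everyone else's copy disappears. It also shows the two caveats the post raises. Whoever runs the registry can purge any message from every participating inbox, so the same mechanism is a censorship lever, and a single report acting on everyone is easy to abuse; in practice a report count threshold and a fuzzy (locality-sensitive) hash replace the one-click exact match used here.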


All rubbish

This is why places like Facebook get so popular. I've not e-mailed any of my friends in ages - I just send them a message on FB. That way I know it actually gets through and gets noticed...

Really, the best CAPTCHA is one that you make yourself. Well, to a limit - if you make a crap one you'll get everything you deserve. One of the more effective solutions I made at my work was to create a form field labelled "Do not fill this field in", give it the name "email" and hide it with CSS. A bot doing a DOM scan will pick it up and shove some text in there, and they'll fail validation.

Obviously, that could be (and eventually probably will be) circumvented within 10 minutes if one of these talented spammy programmers took the time- but they don't. We're just one (minor) web site, so they never notice.

Thumb Up

@Spleen

Nice idea. How about storing a large database of images, each of which is tagged with a number of keywords. Thus the user can be presented with a random selection of images and asked to "Select all animals", "Select all buildings" or "Select all cats".

Gates Halo

DO A CREDIT CHECK

Take £1 from their account and then put it back in a day later. That would stop automated registration :)


about flash captchas..

Flash captchas are even easier to crack than standard image captchas because Flash stores the info from them on the hard drive, making it even easier to write a pseudo-OCR that uses the stored info to determine the correct response. Several online games have tried this already and went back to image captchas.

Stop

@Pascal

Your method of sending a flash animation is just as easy to break as any existing solution. Mouse clicks don't get sent over the internet, they are simply messages in a queue on your local machine. When the flash application gets around to polling the message queue, it notes the message and can react to that. At the end of the day, your security model involves you trusting the communications from the flash running on the client when it says the click occurred at the right moment.

The best method I have seen is a combination of some form of captcha and some obscurity techniques. You can create form elements, but use CSS to make sure certain elements are never visible to the user. Most bots will randomly fill in different fields (particularly if they have a common name like Password), but because you know that a user could not have seen that field, anything that filled that field must be a bot. It is not foolproof, someone studying your CSS would discover this trick and could code around it, but it might be sufficiently annoying. You can not outrun a lion, but you can usually outrun the bloke behind you.
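The CSS-hidden honeypot field described in this post and in the "All rubbish" post above, as an added example that is not code from either poster. It renders the form, validates a submission server-side (the point made above: nothing the client sends can be trusted, so the decision happens on the server), and runs two constructed submissions through it: one that fills what a person sees and one that fills every input in the DOM. Field names, the CSS and the sample values are assumptions.

```python
import re
from html import escape
from typing import Dict, List, Tuple

# The honeypot deliberately gets the attractive name "email"; the real
# address control is called something a bot's name list is less likely to hit.
HONEYPOT = "email"
REAL_FIELDS = ["user", "mail_addr", "pass"]


def render_form() -> str:
    """Registration form whose honeypot is moved off-screen by CSS (rather
    than display:none, which some fillers already skip) and carries a label
    so screen-reader users know to leave it empty."""
    style = "<style>.hp{position:absolute;left:-10000px}</style>"
    controls = [f'<input type="text" name="{escape(f)}">' for f in REAL_FIELDS]
    controls.insert(1,
        '<div class="hp"><label>Do not fill this field in '
        f'<input type="text" name="{HONEYPOT}" tabindex="-1" autocomplete="off"></label></div>')
    return style + '<form method="post">' + "".join(controls) + "</form>"


def validate(posted: Dict[str, str]) -> Tuple[bool, str]:
    """Server-side check: anything in the honeypot means no human saw the form."""
    if posted.get(HONEYPOT, "").strip():
        return False, "honeypot filled"
    for field in REAL_FIELDS:
        if not posted.get(field, "").strip():
            return False, "missing " + field
    return True, "ok"


def text_inputs(html: str) -> List[str]:
    """Names of the text inputs in page order (simple regex, fine for this markup)."""
    return re.findall(r'<input type="text" name="([^"]+)"', html)


def dom_scan_submit(html: str) -> Dict[str, str]:
    """Constructed stand-in for the DOM-scanning filler both posts describe:
    it puts something in every text input it finds, visible or not."""
    return {n: ("x@example.invalid" if "mail" in n else "bot") for n in text_inputs(html)}


def human_submit(html: str) -> Dict[str, str]:
    """A person fills what the page shows; the off-screen control stays empty."""
    values = {"user": "alice", "mail_addr": "alice@example.invalid", "pass": "correct horse"}
    return {n: values.get(n, "") for n in text_inputs(html)}


if __name__ == "__main__":
    form = render_form()
    print("human:", validate(human_submit(form)))        # (True, 'ok')
    print("dom scan:", validate(dom_scan_submit(form)))  # (False, 'honeypot filled')
```

Two practical notes: browser autofill can populate a hidden field called "email" and lock a real user out, which is what the tabindex and autocomplete attributes are for (keep the hit rate on the honeypot under review); and a rejected submission is itself a detection signal worth logging with the client address, since a legitimate visitor essentially never trips it.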

Paris Hilton

only for the English speakers

all of the question based captcha schemes suggested here would only let English speakers in

I've heard this is something Paris also does

Alien

Mars Believe Captcha .......... Base Space Stations Docking?

"The Nintendo Wii has a good email system implementation.

When you add an email address to it's address book it emails the address with a confirmation message. You can then approve or deny receiving email from the Wii.

Obviously this implementation is all in the client and to work for computers it would need to be part of the server implementation.".... By Giles Jones Posted Friday 8th February 2008 10:14 GMT ..... A Very Honourable Validation Service, Mr Jones. Sublimely and Supremely/SuperMemely HyperRadioProActive. And something to be QuITe XXXXPected of Pensive Eastern Wisdoms/Personal Universal Protocols.

....... AI Space Confederation Alliance with all Base Players Totally Aware of Information and ITs Appeals/Drivers.

"Their purpose is to present a problem that, using present levels of technology, can (hopefully) only be solved by a human -- but not so hard a problem that any humans would be "left out" or so arduous that the human is dissuaded from proceeding. And, in order for them to remain effective, they must be able to be dynamically generated; if a human must generate them (such as creating a question / answer pair) then the attackers / spammers can just cache the proper answers in a database. (My definition.)" .... By Robert Posted Friday 8th February 2008 12:55 GMT ........ A Definition of Virgin Viable Source 42 Build with ...... Boldly Go .........Jump, Robert.

IT would certainly be One that I would Recognise as Available.

"Use get out of the basement and meet people face to face!

Paris thinks the "basement" is an erogenous zone." .....AC, Paris in the basement would be an erogenous Zone. And Beautifully Dangerous in UltiMate Pleasures. :--------) ;-)

If e-mail does not Provide Guarantee in Service of Delivery then Important Delivery messages will be BroadbandCast to the Web in a Personal Blog/Forensic Record of CyberActivity....... Thus removing the Offered and Confered Advantage to E-Mailed "Clients". That is far too much like shooting oneself for no good reason to be wise and practised. However .......... the world is a strange place with all sorts at their Work, Rest and Play.

Which you Gotta Admit, is One Helluva Turing Test in Magical Mysteries for Creative Controls..... Generative Power of Parallelling Intellectual Property. AIMining of Minds in XXXXChange for the Battle of Wills.

Stop

All missing the bloody point.

Using Captchas to stop spammers is like trying to stop the horse as it legs it out the stable door.

Rather than spending all that creative geekness on devising new and more irritating ways to annoy people signing up for your service, we need to be looking at making spamming an unattractive business to be in.

How? Don't ask me cos I don't know (I wouldn't be so poor if I did) but it's probably not something that can be done with technology alone. Are we really intending to play this cat and mouse game with the spammers forever? Eventually either Tom or Jerry has to grow up and end the game.

Thumb Down

I told you so!

Sorry, but I worked this out months ago; it's not even hard to build apps with OCR these days, even a 6 year old could. I love the comments about how people think spammers are stupid and can't code, hahaha, would you like a Degree with that MCSE? Hey, when some people say that's a stupid method, keep thinking what you like and get yourself another rentacoder. You want it safe and stopped? Do it at ISP level. There is no reason an ISP cannot block you going to illegal sites or stop spam being sent out or coming in. But do give us a choice if we can select this option ON or OFF. Why do people always try to fix the problem at the bottom of the chain? If it's blocked, spammers would stop for good; why would they even bother? Then again they might already be tracking everyone's activity and can fit another software layer on top, lol


Yes, but...

They can register all the email addresses they want, but someone is going to have to do a LOT better than the idiotic drivel I get for spam before they get me to open it, let alone click on anything.

Even my mom, who isn't very computer savvy, doesn't open spam - so it doesn't take computer smarts.

That's the only way we'll ever end the spam epidemic, for people to wise up.

Sadly, that's also why we'll never end the spam epidemic. Even the relatively small percentage of hopeless morons in the world is profitable for spammers.

Paris Hilton

Apologies if this has been mentioned already...

Instead of trying to deduce the captcha string heuristically or by serving the images in return for free porn, if I was a spammer I'd be serving them one after the other to some poor hired hand on a piece rate per correct answer.

Paris 'cos that job could be right up her street - apparently she needs the money these days.

J
Pirate

No, no...

All wrong. You guys have got no clue.

The way to really stop spam is... Voodoo CAPTCHAs!

Here's how it works: do whatever, preferably nothing. Then ask a witch doctor to put a spell on your registration mechanism, or whatever bloody thing it is you're doing. For the spell... something sweet and simple will do, say: registering for spam purposes? OK, the author of the bot instantly gets an incurable testicular cancer -- or other body part of your choosing, of course. Ask your local witch doctor what would be preferable. What about random organs? Organ of the day?

But that's not all, the most important comes now! The CLIENT of the spammer gets an incredibly painful brain tumor -- fatal, of course. OK, the brain itself does not really hurt, you will say, but any respectable witch doctor should be able to take care of that...

If you implement my strategy, I assure you that spam traffic will be reduced to 1.3% of current levels in a few days. You're welcome.


simple idea?

If you're faced with a CAPTCHA you're likely to enter your throwaway email anyway, so why not have the CAPTCHA emailed to you and then you enter it as a double verification. Nothing is seen by bots and I'm sure they don't want the task of spamming themselves before spamming others.
