Spammers crack Gmail Captcha

Spammers, fresh from the success of cracking the Windows Live captcha used by Hotmail, have broken the equivalent system at Gmail. Internet security firm Websense reports that miscreants have created bots which are capable of signing up and creating random Gmail accounts for spamming purposes, defeating Captcha-based defences …

COMMENTS

This topic is closed for new posts.
  1. Chris

    Hats off to them...

    I had to fill in a GMail CAPTCHA today - it took me two goes and a lot of squinting to read it myself. And I think I'm human...

  2. Jacob Reid
    Flame

    'Turing test'?

    No, no, no. CAPTCHA is the opposite of a Turing test - A Turing test is a human trying to tell a human and a program apart, a CAPTCHA is a program trying to tell a human and a program apart.

  3. Anonymous Coward
    Happy

    Holiday in Cambodia

    Where the people dress in Black...

    With that tag-line, I've now got several Dead Kennedys tracks going round in my mind, and this will have to be dealt with by playing said tracks at maximum volume which will annoy the wife.

    I can't quite see the connection between the tag and the article, but maybe I'm just too semantically blinkered!

  4. Cameron Colley

    Where can I buy this software?

    As someone who has problems trying to read the letters in captcha images, I could do with some help.

  5. Anonymous Coward
    Anonymous Coward

    Can I get a copy?

    I had to reset my brother in law's Hotmail password for him (yeah, I know, he's a tyre fitter, what can you expect) and I couldn't read the bloody captcha so respect to anyone who's written software that can.

  6. Morely Dotes

    Trivially defeated

    Making the zombies work harder is the solution.

    Current captcha cracks against Google are only successful 1 time in 5 (20% successful). By chaining three captchas together, Google could reduce the success rate to a mere 0.8%, or one in 125 attempts.

    While I don't think captchas are especially good security, this simple step would be an interim measure while something truly effective is developed.

  7. Anonymous Coward
    Pirate

    "Stealing People's Mail"...

    ... is presumably the correct DK track the semantically challenged amongst us should be listening to right now.

  8. Anonymous Coward
    Jobs Horns

    StareClips.com

    Actually, it's the work of people who write captcha-reading software that makes captchas harder and harder to read by humans. So, if you have a hard time reading captchas, you should be AGAINST those who write software to read them.

  9. Wyrmhole
    Black Helicopters

    Bot army now with human servants?

    So apparently Russians are paying people to correctly identify captcha strings for their bots?

  10. Kevin McMurtrie Silver badge
    Thumb Down

    Impossible!

    We all know that Google GMail can't be used for spamming. That's what Google says every time they ignore your complaints about spam coming from their mail servers.

  11. Stu
    Black Helicopters

    Other techniques

    I'd wager their sophisticated OCR tech actually only matches one in a hundred captchas. You know, the poorly generated ones that an amoeba could read. The article mentions only 500,000 accounts generated by the HotLan trojan, if it were more sophisticated at reading I'd imagine this figure would be in the millions.

    In which case, Google and MSN should just limit multiple captcha page retries and block access from specific IP addresses for several hours if it's deemed to be trying too often.

    ...Or does it match good enough to work on the first, second or third try of a captcha in most cases? That would work.

    Unless the spammers could go into legit business with incredibly sophisticated OCR technology, I doubt they're THAT clever - just that GMail and MSN aren't that reactive to such threats.

    But I don't really know...

  12. Barry Rueger

    There's Money to be made...

    For the person who is ready with a new, secure, backwards compatible, and spam proof e-mail replacement when the existing system finally collapses in a year or so. Someone needs to rethink this from the ground up as the current e-mail technologies just aren't adequate, and there are far too many circumstances where whitelisting isn't practical.

  13. tfewster
    Unhappy

    Re: Bot army now with human servants?

    > So apparently Russians are paying people to correctly identify captcha strings for their bots?

    That's how I read the Websense article; and the second host appears to be (doing a bad job of) trying to crack the Captcha programmatically, so Man is still ahead of Machine.

    But why don't the bad guys just pay people to create accounts for them? Surely none of their "workers" think that getting paid just for reading Captchas can be legit? Or does GMail disallow 2 signups from the same "source"?

  14. Anonymous Coward
    Anonymous Coward

    Ineffective CAPTCHAs

    A web site I frequent must not have too much of a problem with CAPTCHA crackers - their CAPTCHA image consists of four or five GIFs strung together, a la 1.GIF 7.GIF 3.GIF 2.GIF 9.GIF.

    Brilliant!

  15. Anonymous Coward
    Anonymous Coward

    More Dead Kennedys

    Given the amount of spam pushing penis enlargement, surely the correct Dead Kennedys track is Pull My Strings - "is my cock big enough, is my brain small enough ..."

  16. Anonymous Coward
    Thumb Down

    mal-formed

    my favourite types of 'captcha' are the ones which dinnae tell you in advance whether or not the code is case sensitive... or tell you it is and then present you with a letter which looks the same in both upper and lower case... or make no distinction between capital I [eye], lower case l [el] and the number 1 [one] .... or between the letter O and zero...

    and dinnae even get me started on sign up forms which ask you to pick a username or password and then *only* after you've submitted the form, throw an error in your face, telling you that 'your username needs to be at least six characters' or 'your password must contain at least one number'..... so you change your username/pass from the ones you wanted to use to ones that conform to the whims of the form designer and then have to write the feckers down, so you willnae forget them - which kinda defeats the whole purpose of having a login/pass in the first place!

  17. Jach

    Back to Invite-Only

    It was kind of neat when Gmail was invite-only. Felt like you were in some special club or something.

  18. This post has been deleted by its author

  19. Will
    Happy

    even better

    How about having to crack the first 3 levels of bricker or pac man before your sign up is accepted. Now we are talking!

  20. Will
    Pirate

    moving captchas

    Imagine an animated GIF captcha swirling in an infused cloud of incandescent murkiness. That would stump everyone. Top marks.

    Will

  21. Anonymous Coward
    Anonymous Coward

    Grr...

    @Jacob Reid - that had always bothered me too...

    Also, what's with the Dead Kennedys ref? Or is it the DKs referring to something else?

  22. Anonymous Coward
    Gates Horns

    @Stu

    "In which case, Google and MSN should just limit multiple captcha page retries and block access from specific IP addresses for several hours if it's deemed to be trying too often."

    Which would have blocked me the other day as it took me multiple failed attempts to work out that the Hotmail CAPTCHAs don't work in Firefox!

    You can put the right characters in as many times as you like, it always fails until you try IE (didn't check with Opera)

  23. Goo
    Thumb Up

    Shame

    That's a shame, but Google Mail is still light years ahead of every other mail service on many fronts so I'm still voting for them.

  24. Anonymous Coward
    Boffin

    And so it continues

    One of the biggest problems is a particularly nasty piece of scumware called XRumer. It cracked the phpBB2 CAPTCHA some time ago and it looks like it'll add "support" for Gmail, Windows Live and Yahoo in due course. If you've ever had to do admin for a forum and delete hundreds of spam registrations with generic details such as random countries for location or bland descriptions for occupation you'll have come across its after effects.

    I don't think coming up with increasingly obscure and technical ways is really the best way to deal with spam and malware. This isn't some bored teenage cracker trying to show off his l33t h4x0r skills but a bunch of crooks with plenty of time and (often stolen) money. The problem of botnets is a bit like someone who doesn't realize they own a toxic waste dump that's polluting a river. Sure someone downstream might come up with a way of removing some of the pollutants and stop it affecting them, but the source is still there.

    Bots generally have a pretty distinctive "signature" for the type of traffic they produce. You can usually guess a pwned machine from the headers of a spam email or a failed semi-automated attempt at registering on a forum. It's likely that the owner of the machine (as opposed to the bot herder) is unaware that they don't have full control of what happens on it and they would probably be shocked to know a criminal gang is using it for nefarious purposes. One problem is that people don't always understand the importance of keeping a machine patched ("I don't use that feature so why should I care?") and even if they do it isn't physically possible to do so because MS have decreed that it's reached the end of its life. The audience on El Reg will understand this, but someone who just uses an old Win98 computer for a bit of email and word processing probably wouldn't.

    I think one way to address this would be a "your machine is infected. Do this to fix it or you will be disconnected" letter sent to the owner of that IP address (make sure it's sent to the right place!) along with a mandatory requirement for MS to continue to update its operating systems until the usage is so small that any impact will be minimal. Changes to the OS kernel mean that a lot of old DOS viruses don't work under Windows, open mail relays are somewhat a thing of the past and rogue diallers were pretty much killed off by broadband. However it's difficult to lock down an old Windows box with gaping holes when MS refuses to patch them.

  25. Ryan
    Go

    Kittenauth FTW

    I'd like to see software reliably tell bunnies & kittens apart.

    AND

    I'd like to see bunnies & kittens!

  26. Grant Alexander
    Happy

    passwords and logins

    @madra

    Kevin Mitnick, the famed ex-hacker now security adviser, recommends that people select very complex passwords and that they write them down, and keep them somewhere safe - like in their wallet with the other valuable paper.

    Too many people choose lame passwords and if we try to force people to adopt more secure passwords, there is a huge resistance. Personally I try to use passphrases of a sort. The downside is I am a slow typist - but that is the price I pay for being security conscious.

  27. Adam White

    Police Truck

    Well tonight's the night that we've got the truck

    Gonna go downtown gonna beat up drunks

    We'll ride oh how we'll ride

  28. Shannon Jacobs
    Boffin

    No, heads off the spammers

    Diabolical ingenuity should *NOT* be rewarded.

    Spam email is an economic problem, and no technical or legal or medical or non-economic solution is going to fix it.

    One solution would be to fine anyone who helps spammers. That would eliminate the free email accounts and free website hosts, but at this point I think it would be worth it. In Japan, I'd hope the ISP Dion would go bankrupt on their spam-support fines.

  29. Mark Simon
    Paris Hilton

    The irony of it all ...

    Are these the same spammers who invented image spam? When spam filters started using OCR, they started to distort the image to bypass this.

    So, if I understand correctly, captcha is a technique used to disguise spam, and make it harder for humans to register. It is machine readable by spambots but not spam filters.

    If I understand correctly.

  30. Anonymous Coward
    Thumb Down

    buh

    Now they will have to come up with something even more annoying to authenticate humans.

  31. Anonymous Coward
    Thumb Up

    @ Morely Dotes

    Good thinking. Instead of identifying numbers and/or letters, the random question might ask what colour the letter i is or which character is uppercase, which character is Chinese, etc. And, as mentioned above, blocking the IP from creating an account after creating an original account would help too.

  32. Bogwitch
    Alert

    Taken by force

    Considering the name of the author, perhaps that would be more appropriate.

  33. Anonymous Coward
    Coat

    So, they have finally found the...

    G spot?

    No, I'm not wearing anything thanks!

  34. Gabor Laszlo
    Thumb Up

    @And so it continues

    I'm a phpBB2 forum admin, and when the bogus accounts started to appear (they would register but couldn't activate - I use confirmation emails, obviously not an option when signing up for an email account :) I just added a nonstandard mandatory field in the registration form. Problem solved, haven't seen hair or hide of bots since then.

  35. Anonymous Coward
    Boffin

    CAPTCHA

    CAPTCHA does not stand for "Completely Automated Public Turing test to tell Computers and Humans Apart"; as a previous poster said, it's the reverse of a Turing test.

    There's something wrong with the El Reg glossary, because this comes up EVERY time there's a story about CAPTCHAs.

    The correct wording is:

    Completely Automated Program to Tell Computers and Humans Apart.

    That's not that difficult, is it?

    They're also known as REVERSE Turing tests, for the above reasons.

    Grrrrrr

  36. TeeCee Gold badge

    SAAS - Google stylie.

    Spam-as-a-service, anyone?

  37. Anonymous Coward
    Joke

    @Ryan

    "I'd like to see software reliably tell bunnies & kittens apart.

    AND

    I'd like to see bunnies & kittens!"

    What for, if you can't tell them apart w/o help?

  38. A J Stiles
    Paris Hilton

    Bunnies and Kittens

    Bunnies and kittens, eh?

    That could be more fun than you think! Look up the alternative meanings for "la chatte" (French) and "el conejo" (Spanish) sometime .....

  39. Anonymous Coward
    Anonymous Coward

    Websense is toooo late

    Just wonder how late security firms can be when they are so commercialized.

    The story of Gmail Captcha crack was published 10 days ago in Russian IT news. You can find it in English (read my lips: no need for a tutor)

    http://webplanet.ru/english/2008/02/15/google_captcha_en.html

    And yes, the spammers use humans (biobots) to break captchas for money.

    There are many sites for this business around the world -

    Look2Earn.com, RabotaOnline.com, grand-sale-5.com, x999.info etc

    And while sleeping GMail is open for spambots, some Russian web-mail services already started to use more serious captchas where you have to choose the recognized signs one by one from a virtual keyboard, and the captcha alphabet could be changed in a moment (not just digits or letters but any pictograms like road signs can be used).

    Here are the details, but now it's in Russian only (just for fun):

    http://webplanet.ru/knowhow/security/designer/2008/02/21/mail_captcha.html

  40. Count Ludwig
    Boffin

    PayPal Micropayment

    How about a new service from PayPal? Want to send an email that I'll read? Make a small payment into my PayPal account and attach a message.

  41. zedee

    Re: AC - And So It Continues

    [I think one way to address this would be a "your machine is infected. Do this to fix it or you will be disconnected" letter sent to the owner of that IP address (make sure it's sent to the right place!)]

    The now defunct Metronet ISP had this in their Ts and Cs - if you were getting bot traffic or had an open smtp relay you got your connection cut. They had some very funky network monitoring stuff and account self-management tools before they got Borged by Plusnet.

  42. Sam

    @Gabor Laszlo

    I run a phpBB2 board, is this method documented somewhere?

  43. Chris Ellis
    Stop

    @ Barry Rueger

    All the problems with email arise due to its ancient design.

    Trying to have a system backward compatible would just render the new system useless.

    The sooner we ditch the current system the better!

  44. Hugo

    Web 2.0 CrowdSpamming in action!

    Re: Bot army now with human servants?

    > So apparently Russians are paying people to correctly identify captcha strings for their bots?

    That's also how I read the Websense article. When I first had a play with Amazon's Mechanical Turk I thought it would be perfect to farm out CAPTCHAs for real people to type in for a cent a pop, and that's what they're doing here.

    Now that's Web 2.0!

    http://creatr.cc/creatr/logo/CrowdSpamr.png?1204024057

    (And whilst you're at it, why not, as these spammers appear to, have your own bot have a go and compare it with the correct human answer to help it learn to do it automatically and save those few cents and speed it up considerably.)

  45. dreadful scathe

    captcha ideas

    Bunnies and Kittens? Bah, you're all missing a trick. What we want is a 'Pointless Blonde Celeb Line Up' where you have to pick out Paris Hilton and type the code that appears on the black placard she's holding in profile :)

  46. Anonymous Coward
    Anonymous Coward

    Let google use their images game ...

    you know the one where they pair you up with some other saddo and show a series of images and you both type in words to describe the image. If you match you get a new image and some points.

    So at least for gmail, show an image(s) and ask for a word to describe, if you match more than n% then accept.

    Downside is that it becomes language and spelling specific and there are too many images that just have tags like "man", "girl" etc. Also very variable and more time consuming.

    A further downside with all of these is that it's hard for people with visual impairments who may rely on text to speech systems, or if you are using a text only browser (lynx).

  47. Karl Lattimer

    1 in 5

    1 in 5 = 20%, 20% is not a low percentage when it's performed regularly, quickly by computers.

    If it can test 5 accounts per minute, that's 1 new account per minute, that's not a minor issue...

    Small percentage would of course have to be relative to the number of accounts the system can break in a given time frame otherwise it's meaningless.

  48. Anonymous Coward
    Anonymous Coward

    phpBB2

    Posted anon because my forum gets enough attention from spammers as it is (I made the first post above about phpBB2), but I find the text confirmation mod for phpBB2 works quite well. The trick is to ask the right type of questions (the sweatshops that handle spam registrations can answer "what is 2 + 2" with little effort) and I've gone from 10 - 20 a day to none. I still have to delete the "registration attempt failed" emails but a couple of mail server rules do that for me. The humanizer mod (which asks "are you a human?") worked for a while but that's now been cracked.

    Something I'd really like to see is use of XRumer made illegal (what legit uses does it have?) and the entertainment industry lawyers do something a bit more useful such as tracking down the spammers.

  49. tim

    Bunnies and kittens

    kinda reminds me of that thing that did the rounds a while ago where you had to decide whether a pic was of an upper or lower cleavage

  50. Robert Pogson
    Stop

    Humans

    can read the Captchas for the bots... Set up bots to open accounts and route the captchas to a human who can learn and improve his speed. Pretty soon you will have humans able to type captchas at 60 per minute. A network of such humans could open hundreds of thousands of accounts daily. So, Google will have to go to plan B, which is... I have no clue.

  51. Stu
    Alert

    LOL!

    >The humanizer mod (which asks "are you a human?") worked for a while but that's now been cracked.

    Answer - "Negative, I am a meat popsicle."

    ...name the movie.

    .

    @Doc Dish - Funny that, every Google Captcha I've tried I've only failed it once or twice at most. I've done quite a few in my time too. True though that Captchas on some sites are so bad it's taken me maybe 3 or 4 attempts, no more.

    .

    @Will -

    >Imagine an animated GIF captcha swirling in an infused cloud of incandescent murkiness.

    Actually that's not a bad idea, people are better at seeing patterns in motion, kind of like picking out soldiers in forests, can be seen better if they move around. Might make some people sick tho!!!

  52. Anonymous Coward
    Thumb Up

    @stu

    "Anybody else want to negotiate?"

  53. Anonymous Coward
    Anonymous Coward

    random questions

    Still use an image or audio file, but have it ask a question

    "Which number is smallest?", "Which number is largest?", "Which shape is a circle?", "Which of these images is a cartoon cat?", "Which of these pictures is a real cow?", "Which of these images is a photograph?"

    For the vision impaired, an audio question and audio options could be used.

    It means the user must actually make sense of the question. Of course, you'd need enough options for answers that chance wouldn't be 1 in 5 to make a difference. Use maybe 8 or 10 possible answers, and only allow one miss.

  54. Bogwitch

    Odds are...

    @Anonymous Coward above,

    8 or 10 possible answers and allow one miss. Because 2/10 is harder than 1/5? Or 2/8?

    @Stu. My son is called Korben.

  55. Anonymous Coward
    Happy

    @Stu

    I was getting the CAPTCHA characters correct, it's just that the Hotmail (owned by Microsoft) CAPTCHA can only be passed via Internet Explorer (made by Microsoft)

    Go figure

  56. Christos Georgiou
    Black Helicopters

    spamservices.google.com

    Now in beta!

  57. Martin Usher

    Age is sometimes the answer

    >The audience on El Reg will understand this, but someone who just uses an old Win98 computer for a bit of email and word processing probably wouldn't.

    Actually I wish that were the case. Someone who has such a machine and uses it sporadically isn't a threat. It's the people who've got their PC directly attached to their cable or DSL modem who leave the thing up 24/7 that are the problem. There are a lot of people like that out there and many are completely clueless about how computers work. We don't normally move in such circles so when we do have to deal with these users -- as I was recently (an elderly friend) -- it's the very devil to get them to understand that when a web page says "you've got malware, click here to remove it" that the last thing you should do is follow those instructions! (Fortunately I've got her system rebuild down to a fine art -- I've been thinking of mirroring her disk so I just have to press the button.......)

    As for the CAPTCHA code, I'm almost tempted to have a crack at it myself. This is the kind of puzzle that's fun. But just as cracking encryption is the price you pay for getting better quality encryption all this is going to do is improve the quality of the CAPTCHA algorithms. It's an arms race, and a fun one at that.

  58. Anonymous Coward
    Happy

    Stop free email accounts!

    A great way to check if an account is genuine is to require payment with a credit card!

  59. Anonymous Coward
    Anonymous Coward

    Re: CAPTCHA

    >> CAPTCHA does not stand for "Completely Automated Public Turing test to tell Computers and Humans Apart"; As a previous poster said, it's the reverse of a turing test. The correct wording is: "Completely Automated Program to Tell Computers and Humans Apart."

    Um: http://www.captcha.net/ (© 2000-2007 Carnegie Mellon University)

    "The term CAPTCHA (for Completely Automated Turing Test To Tell Computers and Humans Apart) was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University."

    The fact that the name is misleading doesn't mean it's not the name.

  60. conan
    Paris Hilton

    Turing Porn Farms

    I was reading on wikipedia the other day about "Turing Porn Farms" (er, I searched on the term "turing", honest), which are apparently a clever way around these CAPTCHAs. You just set up a free porn site, and require folk to fill in a CAPTCHA to access it; because you can rely on a fairly constant stream of people signing up to your porn site, you can just scrape the CAPTCHAs from gmail or livemail or whatever in real time, and use the results to sign up for dummy accounts. Nifty, eh?

  61. Anonymous Coward
    Paris Hilton

    What is the purpose of a Turing test?

    What is the primary purpose of a Turing Test?

    Is it to test if a human can tell a computer and a human apart?

    Or is it to test if a computer is able to convince a human that it itself is human?

    If it is the latter, it really is secondary whether the ‘judge’ is human or – as is the case with Captcha, the judge is another computer.

    So, nothing ‘reverse’ here, eh?

    Paris, because I'm sure Captchas are keeping HER from passing.

  62. archie lukas
    Coat

    Respect, cos I can't read them there blots

    I can't read these ink blots on some forum boards; so respect to them thar 'youfs'

    Actually Google is easy but Yahoo is a bum pain - which is why I never use it.

    It's not that I'm that old - but I did learn MS-DOS 3.1, so I suppose I am an ancient

  63. MarkMac

    Surely the fix is...

    for Google etc to disallow the setup of more than say 3 accounts from any given IP address in any given 24 hour period? What real person wants to set up 500,000 accounts, or even 50 accounts?
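    The per-IP throttling floated by Stu (#11: limit captcha retries and block the address for several hours) and by MarkMac (#63: no more than about 3 accounts per IP per 24 hours), as an added worked example that is not part of the thread or of any Google or Microsoft code. All policy numbers are assumptions taken from those two posts; the sample event log and the IP addresses are constructed, and one of the sample clients reproduces the legitimate-user case from #22 (a browser that fails the CAPTCHA a couple of times before passing), which is exactly the case such a throttle has to tolerate.

```python
from collections import defaultdict, deque

# Policy knobs (assumed, taken from the figures floated in the thread):
# at most 3 new accounts per IP per 24 hours, and a multi-hour block
# after repeated CAPTCHA failures inside a short window.
MAX_SIGNUPS_PER_WINDOW = 3
SIGNUP_WINDOW_SECONDS = 24 * 3600
MAX_CAPTCHA_FAILURES = 5
FAILURE_WINDOW_SECONDS = 10 * 60
BLOCK_SECONDS = 4 * 3600


class SignupThrottle:
    """Per-source-IP throttle for account-creation attempts (hypothetical).

    Keeps a sliding window of successful signups and of CAPTCHA failures
    per IP. Too many failures inside the failure window puts the IP on a
    temporary block; too many signups inside 24 hours refuses further ones.
    """

    def __init__(self):
        self._signups = defaultdict(deque)   # ip -> times of created accounts
        self._failures = defaultdict(deque)  # ip -> times of failed CAPTCHAs
        self._blocked_until = {}             # ip -> time the block expires

    @staticmethod
    def _expire(window, now, horizon):
        # Drop timestamps that have fallen out of the sliding window.
        while window and window[0] <= now - horizon:
            window.popleft()

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]   # block has lapsed
            return False
        return True

    def check(self, ip, now, captcha_ok):
        """Decide one signup attempt. Returns one of:
        'blocked' - IP is serving a block after repeated CAPTCHA failures
        'retry'   - CAPTCHA failed; caller should issue a fresh one
        'limit'   - CAPTCHA passed but the per-IP daily quota is used up
        'created' - account may be created
        """
        if self.is_blocked(ip, now):
            return "blocked"
        failures = self._failures[ip]
        self._expire(failures, now, FAILURE_WINDOW_SECONDS)
        if not captcha_ok:
            failures.append(now)
            if len(failures) >= MAX_CAPTCHA_FAILURES:
                self._blocked_until[ip] = now + BLOCK_SECONDS
                failures.clear()
                return "blocked"
            return "retry"
        signups = self._signups[ip]
        self._expire(signups, now, SIGNUP_WINDOW_SECONDS)
        if len(signups) >= MAX_SIGNUPS_PER_WINDOW:
            return "limit"
        signups.append(now)
        return "created"


def simulate(events):
    """Run a sequence of (seconds, ip, captcha_ok) through one throttle."""
    throttle = SignupThrottle()
    return [throttle.check(ip, t, ok) for t, ip, ok in events]


# Constructed sample: a bot hammering from one address, and an ordinary user
# whose browser fails the CAPTCHA twice before passing (the case from #22).
SAMPLE_EVENTS = [
    (0, "198.51.100.7", False), (5, "198.51.100.7", False),
    (10, "198.51.100.7", False), (15, "198.51.100.7", False),
    (20, "198.51.100.7", False),            # fifth failure -> blocked
    (25, "198.51.100.7", True),             # correct answer, still blocked
    (30, "203.0.113.9", False), (90, "203.0.113.9", False),
    (150, "203.0.113.9", True),             # legitimate user gets through
    (BLOCK_SECONDS + 30, "198.51.100.7", True),
    (BLOCK_SECONDS + 40, "198.51.100.7", True),
    (BLOCK_SECONDS + 50, "198.51.100.7", True),
    (BLOCK_SECONDS + 60, "198.51.100.7", True),  # fourth account -> limit
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(event, "->", decision)
```

    As #22 notes, any per-IP rule also hits genuine users behind a shared address or with a misbehaving browser, so the failure window and block length are the numbers to tune against real traffic rather than guess.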

  64. Anonymous Coward
    Anonymous Coward

    Planned Action

    It seems to be a little surprise. However, it was planned at the moment when software for handwriting input was created. Inference: think of security before implementation of something new
