Trojan creates bogus webmail accounts to punt drugs

Miscreants have created a strain of malware capable of setting up bogus Hotmail and Yahoo! accounts in order to send spam. The HotLan-A Trojan uses automatically-generated webmail accounts, suggesting that spammers have found a way to bypass the Captcha system (which typically means accounts can't be created until a user …

COMMENTS

This topic is closed for new posts.
  1. Gabor Laszlo

    Ordinary captcha useless

    It has been for months. I run a forum and about six months ago I started getting a constant stream of bots signing up _and activating the accounts (confirmation email)_ despite the captcha. I looked around for a solution and found a simple one: include a simple random question in the registration form, something like "Are you a human?" or "How many toes do you have?" - something obvious to a person but enough to stump a bot. Ever since I did that I'm bot-free.

  2. Register Reader

    Huh?

    I'm a monkey, and I only have 7 toes - you insensetive clod!!

  3. Harry Stottle

    I understand the complexity of attacking the SPAM

    but I don't understand why we can't simply go after the intended beneficiary. If the SPAM is trying to sell a product, why not simply go after the person to whose site the SPAM directs us (or whoever eventually gets the money from the prospective sales). For obvious reasons, the beneficiary cannot hide. The SPAM source may be difficult to trace and block, but the money isn't.

    Am I missing something?

  4. Owen Carter

    Maybe the craptcha is done by the bot host.

    What I'd do is:

    1) Bot a Bod's PC

    2) Wait until aforesaid bod logs in.

    3) Take the Craptcha image from Hotmail/whoever and reframe it in a Windows dialog with a heading like

    'Microsoft Windows Genuine Disadvantage needs to verify a real user is accessing this Computer', 'Please enter the word contained in the image to verify you have not been a victim of software piracy..'

    4) Use that to create the account.

    5) Profit...

    Social engineering, sigh.. I know several people who would probably happily fill in 10 such craptchas a day if they believed it was genuine.

  5. kain preacher

    but I don't understand why we can't simply go after the intended beneficiary

    because they are not always the guilty party

    What happens sometimes is a web site contracts with a legit advertiser; that advertiser has affiliates that then do shady things.

  6. Anonymous Coward

    Re: I understand the complexity of attacking the SPAM

    The problem is that for someone to put a competitor out of business all they would have to do is spam like crazy directing custom to their competitor.

    Similarly a spammer could claim the spam they are benefiting from was from a malicious competitor.

    As ever the burden of proof would be the problem.

  7. Anonymous Coward

    "I'm a monkey, and I only have 7 toes - you insensetive clod!!"

    That explains the spelling mistake.

  8. This post has been deleted by its author

  9. Steven Hewittt

    Solution

    Um, just use a random image. E.G. a gif of a kettle, a frog, a lemon etc. Used on the A&L banking system as part of the logon process. Give the end user 3 options as to what it could be. If it's wrong a new image is created with new possible answers.

    Voila.

  10. Anonymous Coward

    Re: Solution

    "Um, just use a random image. E.G. a gif of a kettle, a frog, a lemon etc. Used on the A&L banking system as part of the logon process. Give the end user 3 options as to what it could be. If it's wrong a new image is created with new possible answers."

    so, 33% of bots get through on first attempt, 33% of the remainder get through on second attempt, etc...

    good on principle (the .gif), but you'd have to have an open text input and ignore capitalization, not offer a multiple choice.
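
The arithmetic in the reply above, worked through as an added example (not part of the original thread or of any site's code), next to a free-text check that ignores capitalization and caps failed attempts. The label pool, the failure cap and the class and function names are assumptions made for illustration.

```python
import secrets
from fractions import Fraction

# Constructed label pool; a real deployment would need a far larger one.
LABELS = ["kettle", "frog", "lemon", "bicycle", "umbrella", "ladder"]
MAX_FAILURES = 3  # assumed per-client cap before sign-up is refused


class ImageChallenge:
    """Server-side state for one client's image challenge (hypothetical design)."""

    def __init__(self, rng=secrets.SystemRandom()):
        self.rng = rng
        self.failures = 0
        self.answer = self.rng.choice(LABELS)

    def options(self, n=3):
        """Multiple-choice variant: the answer plus n-1 decoys, shuffled."""
        decoys = self.rng.sample([l for l in LABELS if l != self.answer], n - 1)
        opts = decoys + [self.answer]
        self.rng.shuffle(opts)
        return opts

    def submit(self, text):
        """Free-text check, ignoring capitalization and surrounding spaces."""
        if self.failures >= MAX_FAILURES:
            return "locked"
        if text.strip().casefold() == self.answer.casefold():
            return "ok"
        self.failures += 1
        self.answer = self.rng.choice(LABELS)  # wrong answer: issue a new image
        return "retry"


def blind_pass_rate(candidates, attempts):
    """Chance that a uniform random guesser passes within `attempts` tries."""
    return 1 - (1 - Fraction(1, candidates)) ** attempts
```

With three options shown, `blind_pass_rate(3, 3)` is 19/27, so most blind guessers are through within three tries; the free-text form only helps if the set of possible answers is large and failures are capped.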

  11. James Cleveland

    Re: Re: That explains the spelling mistake.

    I don't think so, it has merely become more pernickety.

  12. Alan Donaly

    how do you defeat captcha

    It seems as if captcha has a hole if silly random questions solve the problem and plain random ones do not. What I am getting at is that captcha the idea still works but there is a perfectly normal exploit going on to defeat it and that needs patching. I can think of a few proto holes that might exist right off the bat but I don't develop for the program.

  13. Paul Stimpson

    Just wait for the Turk...

    The more exotic approaches only work because they're not common enough to warrant a spammer defeating them. If somebody comes up with a system that actually works and it gets widely used the spammers will get round it. If it's computationally not feasible to solve the problem the spammers could resort to a system similar to the Amazon "Mechanical Turk" and pay a group of poor people in another country to do it: Trojan sends captcha to server which displays it for some poor shmuck who gets $0.01 for every 10 he solves and the result is returned. If he's good he could well earn 1c every minute which is $6 a day (on a 10 hour day.) There are still many countries where $6 is a very good wage.

    I suppose such techniques could be made less effective by limiting the time the user has to solve the captcha but then we'd be discriminating even more against the disabled for whom they're difficult enough as it is. Streaming, animated, video captchas anyone?

  14. Blain Hamon

    Why pay a turk?

    I've heard of some porn sites advertising free images protected by a captcha. Thing is that the captcha is actually an image from some other site. So the dope enters it in, playing the unsuspecting turk.

    And if they really wanted to make it tough to thwart, their malware would turn the infected user into a turk. That is, suppose someone wants to sign up to yahoo, but their computer is infected. The malware can then pre-fetch a failed signup, so when the user does the captcha, the malware registers its spamaddress instead, and throws up a 'failed captcha' page. The user figures they misread an 8 for a B, and registers a second time, this time going through, none the wiser that two accounts were made.

    I'm not sure how to combat that level of trickery.

  15. Anonymous Coward

    Discuss

    "Lately, I have seen a great many flamewarriors correcting each others' spelling/grammar/punctuation, etc.

    Question: Has this resulted in a more urbane and erudite flame culture?

    Discuss."

    In the UseNET days typos were generally ignored because it was usually the result of clumsy fingers. These days however more and more people are demonstrating blatant lack of skill in both spelling and grammar. These are not second-language English speakers we're talking about - it's often people who have no excuse.
