Hackers Cracked Google's Blogger CAPTCHA

Following the recent reports that hackers managed to break into the Windows Live Hotmail CAPTCHA and to create email accounts for spamming purposes, another web-service gets compromised with the same goal. Google's Blogger, the free blogging platform which lets users create blogs and post messages from a web-based administration panel, is now being used by spammers to build page redirectors and websites hosting malicious files.

According to security company Websense, the entire process is done with the help of automated applications which do nothing more than to create lots of accounts using predefined settings. Although the CAPTCHA were especially implemented to prevent such cases, the attackers have developed advanced bots which bypass them and create Blogger accounts.

"Spammers have managed to create automated bots that are capable of not only signing up and creating Blogger accounts (using spammer account credentials), but also use these accounts as redirectors and doorway pages for advertising their products and services," Websense wrote in an entry published on its blog.

There are several reasons why spammers turned to Google's Blogger. First of all, the service is available for free for all the users so creating accounts shouldn't be too difficult. Moreover, the created accounts "can be used as redirectors or doorway pages to spammers' domain(s)," Websense explains. "These redirecting or doorway page accounts can be used in multiple mass-mailing campaigns for subsequent attacks."

As reported a few weeks ago, six seconds are enough for a spammer to bypass the Windows Live Hotmail CAPTCHA and to create a new spamming account. Although it has not been confirmed yet, breaking into the Blogger CAPTCHA shouldn't be too difficult and, because the spammers found this way to create spamming accounts, expect an avalanche of malicious websites based on Blogger anytime soon.