Softpedia
February 16th, 2009, 10:50 GMT · By

Spammers Break Microsoft's Revamped CAPTCHA

[Image: Microsoft's new CAPTCHA broken to automatically register Hotmail accounts]
Researchers at web security vendor Websense have documented a new Hotmail account-creation attack that successfully solves the CAPTCHA Microsoft redesigned at the end of 2008 in response to earlier abuse.

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. The vast majority of websites employ one in some form to keep automated bots from posting spam or registering fake accounts. The Websense researchers attribute the spammers' persistence in breaking Microsoft's CAPTCHA again and again to the value of the Redmond software giant's generally trusted reputation, which mail and messages sent from genuine Hotmail accounts inherit.

The attack also shows previously unseen tradecraft: the traffic between the CAPTCHA-solving server and the bots is encrypted, to hinder detection and reverse engineering by security researchers and by competing spammers. The authors evidently want to profit from the technique for as long as possible before others pick it apart and copy it.

According to the analysis, the spam bot deployed on a compromised system drives Internet Explorer to perform the registrations, but runs it hidden in the background so that nothing gives away its presence. It receives its instructions for automating the account registration process from the control server in encrypted form.

[Image: Microsoft's revamped CAPTCHA samples]
The bot executes the received instructions: it accepts the SSL certificate of the HTTPS registration page, fills in the form with the predefined values carried in the encrypted instructions, and then uploads the CAPTCHA image to the CAPTCHA-solving server. That server returns the solution, again encrypted, and the bot completes the sign-up.

A single automated sign-up attempt takes 20 to 25 seconds, and one attempt in five to eight succeeds, which works out to one new account roughly every two to three minutes per infected machine. The Websense analysts note that the fake accounts are then used to launch spam campaigns not only through Hotmail but also through other popular Microsoft services such as Live Messenger and Live Spaces.
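The figures above (a retry every 20 to 25 seconds, one CAPTCHA solved in five to eight) are also what a service operator can detect with. The script below is an added example, not Websense's or Microsoft's code, showing how a registration log can be triaged for that pattern: many attempts from one client, a low CAPTCHA success fraction, and inter-attempt spacing far more regular than a human retrying by hand. The log format (ISO timestamp, client IP, CAPTCHA result), the sample lines and the thresholds are all constructed assumptions.

```python
"""Flag bot-like sign-up activity from a CAPTCHA/registration log.

Added example (not code from Websense or Microsoft). Heuristic: a client
with many attempts, a low success fraction and machine-regular spacing
between attempts matches the bot behaviour described in the article.
Log format, sample data and thresholds are assumed, not taken from the page.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <client_ip> <captcha_result>".
# 203.0.113.7 retries every ~22 s and solves one CAPTCHA in eight (bot-like);
# the other two clients are ordinary users.
SAMPLE_LOG = """\
2009-02-15T10:00:00 203.0.113.7 FAIL
2009-02-15T10:00:22 203.0.113.7 FAIL
2009-02-15T10:00:45 203.0.113.7 FAIL
2009-02-15T10:01:07 203.0.113.7 FAIL
2009-02-15T10:01:30 203.0.113.7 FAIL
2009-02-15T10:01:52 203.0.113.7 OK
2009-02-15T10:02:15 203.0.113.7 FAIL
2009-02-15T10:02:38 203.0.113.7 FAIL
2009-02-15T10:00:05 198.51.100.9 FAIL
2009-02-15T10:01:40 198.51.100.9 OK
2009-02-15T10:03:10 192.0.2.44 OK
"""


def parse_log(text):
    """Group attempts by client IP: {ip: [(timestamp, solved_ok), ...]} sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, result = line.split()
        events[ip].append((datetime.fromisoformat(ts), result == "OK"))
    for attempts in events.values():
        attempts.sort()
    return dict(events)


def client_stats(events):
    """Per-client attempt count, success rate, mean gap and gap regularity.

    gap_cv is the coefficient of variation (std dev / mean) of the seconds
    between consecutive attempts; near zero means a fixed retry cadence.
    """
    stats = {}
    for ip, attempts in events.items():
        times = [t for t, _ in attempts]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        successes = sum(1 for _, ok in attempts if ok)
        mean_gap = mean(gaps) if gaps else None
        gap_cv = pstdev(gaps) / mean_gap if len(gaps) >= 2 and mean_gap else None
        stats[ip] = {
            "attempts": len(attempts),
            "successes": successes,
            "success_rate": successes / len(attempts),
            "mean_gap": mean_gap,
            "gap_cv": gap_cv,
        }
    return stats


def is_bot_like(s, min_attempts=6, max_success_rate=0.3, max_gap_cv=0.25):
    """Bot signature: enough attempts, mostly failing, retried on a regular clock."""
    if s["attempts"] < min_attempts:
        return False
    if s["success_rate"] > max_success_rate:
        return False
    return s["gap_cv"] is not None and s["gap_cv"] <= max_gap_cv


def find_bot_like(log_text, **thresholds):
    """Return the sorted list of client IPs whose behaviour matches the bot signature."""
    stats = client_stats(parse_log(log_text))
    return sorted(ip for ip, s in stats.items() if is_bot_like(s, **thresholds))


if __name__ == "__main__":
    for ip, s in client_stats(parse_log(SAMPLE_LOG)).items():
        print(ip, s, "BOT-LIKE" if is_bot_like(s) else "")
    print("flagged:", find_bot_like(SAMPLE_LOG))
```

Treat the output as a triage signal rather than a block rule: a corporate NAT or shared proxy also produces many attempts from a single address, so the cadence and success-rate tests matter more than the raw count, and a flagged client should be challenged (a second CAPTCHA, a phone or e-mail verification step) rather than silently refused.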

“Although continuous efforts are made by various service providers to combat the abuse of their services, the spammers, phishers, and malware authors carry out various attacks over these services, proving the abusive authors' adaptability, and creating an iterative cycle in the email and Web security arena,” Sumeet Prasad, security researcher at Websense, concludes.

Copyright © 2001-2012 Softpedia.