Bots create Microsoft Live Hotmail Accounts by breaking CAPTCHAs

Microsoft’s periodically revamped CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) has been broken, yet again in spite of it’s continued efforts towards protecting it. This is the latest in a series of ‘break-ins’ which started in early 2008 and has affected major service providers including Google & Yahoo. 


This latest incident shows that spammers are catching up on CAPTCHA systems as fast as developers create new image algorithms. A few months is what it takes today; and we all know how this figure will start to shrink, that too exponentially.


In this latest incident, the bot installs itself as a service on an infected host and runs Internet Explorer in the background for the entire duration of the break-in. The bot server initiates the break-in process by sending a set of instructions over an encrypted channel to the infected host. This includes pre-defined credentials for sign up and CAPTCHA breaking. The instructions include details of First Name, Second Name and other fields to be filled up as part of the sign-in process and the code for sending the CAPTCHA image to the bot server and filling in the CAPTCHA word on Hotmail once it is decoded by the bot server and sent back to the infected host.


A unique feature of the new hack is the use of encryption in the communication between the compromised host and the spammer bot server with a view to keeping a lid on it’s nefarious activities.


An analysis of the hack by Websense Security reveals a success rate of between 12% and 20%. This coupled with the fact that it takes only about 20 – 25 seconds to decode a CAPTCHA means that a single infected host could create an account in less than 3 minutes. A typical attack could involve a combination of multiple infected hosts and multiple bot servers and spammers will be able to create innumerable accounts.


Email service providers like Hotmail, Gmail, Yahoo etc. are deemed trusted by anti-spam services around the world and mail will not be rejected for having originated from these places as they are deemed to be sent from real users. So, anti-spam services indirectly place a certain degree of responsibility on such mail services.


What is also disarming is the huge number of websites which still continue to use simple CAPTCHA systems that employ random, non-distorted characters against simple backgrounds. Breaking of such systems is simple when viewed in the light of the Hotmail CAPTCHA bust. Moreover, tools to break CAPTCHA authetication systems are available in the public domain, having been released by crackers.


It is evident that innovative ideas in the CAPTCHA domain need to be evaluated and put into practice.


reCAPTCHA is one such idea that the Carnegie Mellon team which originally coined the term CAPTCHA, including Luis von Ahn are now involved in. reCAPTCHA is an authentication system that consists of a database of images which could not be converted into words by the OCR systems involved in the Google Books project and the Internet Archive  project.


The Carnegie Mellon team is also working on image based CAPTCHAs which require a user to identify an object and trace it’s outline in an image.


Penn State researchers are working on Imagination CAPTCHA based on the ALIPR (Automatic Linguistic Indexing of Pictures), an automated image-tagging and searching technology. There are also some who suggest the use of simple mathematical puzzles.
CAPTCHA bypass is an industry all by itself with sites like offering to break CAPTCHAs for a fee. Web site administrators should take care to ensure that they do not have a false sense of security by making use of simple CAPTCHAs which do not serve their purpose.


Web-site administrators may consider integrating reCAPTCHA in their websites. reCAPTCHA is available as a web service and also as plugins for many applications and programming languages. Web site administrators would do well to remember that there is no such thing as complete security and so always be on the lookout.

Comments are closed.