Microsoft's CAPTCHA System Breached, Yet Again

by Abhinna Shreshtha    Feb 18, 2009

Spammers have once again ramped up the siege on Microsoft’s Live Hotmail services, by busting Microsoft’s latest, redesigned CAPTCHA system.

Near the end of 2008, Microsoft reworked its CAPTCHA authentication, attempting to prevent further automatic registrations by computer programs and automated bots, and preserve CAPTCHA’s usability and reliability. As the latest attack shows, those efforts have failed.

The spammers’ attack strategy includes registering email accounts using anti-CAPTCHA operations; sending mass emails over the Internet; infecting thousands of user machines; and stealing information. Security service provider Websense said spammers have developed a business model that focuses on advertising products and services. Spammers have also been using these accounts for random attacks against other Live services integrated with Live Hotmail, such as Live Messenger (instant messaging), Live Spaces (online storage), etc.

This is not the first time that Microsoft’s CAPTCHA system has been attacked. Every time Microsoft implements CAPTCHA changes to combat abuse of their services, the spammers adapt to those changes.

What is CAPTCHA?

CAPTCHA stands for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’. Simply put, a CAPTCHA is a program that differentiates humans from computers. It does this by asking a challenge-response question. The reasoning behind this is that computers will not be able to read the test, so any user entering the correct answer is presumed to be human.

(Figure: an example of a CAPTCHA on the popular social networking site, Facebook)

CAPTCHA-based authentication is used by various service providers (web-mail clients, blogs, wikis, online forums, etc.) to prevent automated software from performing actions that degrade their function and their quality of service, due either to abuse or resource expenditure.

Differences in the latest attack

* Unlike previous anti-CAPTCHA attacks, the latest attack uses encrypted communication between the spammers’ bot servers and the infected clients or compromised machines. Spammers adopted this tactic to keep their operations from being exposed or detected.

* One out of every 5 to 8 attempts to break a CAPTCHA successfully signs up for a Live Hotmail account (a success rate between 12% and 20%).

* In the current attack, the response time of the CAPTCHA-breaking host, measured from grabbing a CAPTCHA image from a victim’s machine, through analyzing it, to sending the corresponding CAPTCHA code back to the victim’s machine, ranges from approximately 20 to 25 seconds.
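The two figures above (roughly one solve in every 5 to 8 attempts, and a solver round trip of about 20 to 25 seconds) are exactly the kind of signal a mail provider can watch for on its own signup endpoint. The following is an added example, not code from the article, Websense or Microsoft: it scores signup sources from a constructed attempt log and flags those whose CAPTCHA success rate and solve latency fit the pattern the article describes. The log fields, IP addresses and thresholds are all assumptions chosen for illustration.

```python
"""Defender-side heuristic for spotting automated CAPTCHA solving at signup.

Added example; not part of the CXOtoday article or any vendor's code. It uses
the article's two observations (about 12-20% solve success per attempt and a
solve latency clustered around 20-25 s) to score signup sources from a
constructed attempt log. Field names, addresses and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log: (source_ip, seconds_to_answer_captcha, captcha_passed)
ATTEMPTS = [
    # A human: few attempts, variable latency, mostly passes.
    ("198.51.100.7", 9.4, True),
    ("198.51.100.7", 31.2, False),
    ("198.51.100.7", 14.0, True),
    # A bot-driven host: many attempts, ~20-25 s each, about 1 in 6 succeed.
    *[("203.0.113.5", 20.0 + (i % 6) * 0.9, i % 6 == 0) for i in range(24)],
    # A busy but legitimate source: many attempts, high success, spread-out latency.
    *[("192.0.2.9", 5.0 + i * 2.5, True) for i in range(12)],
]

MIN_ATTEMPTS = 10              # assumption: too little data to judge below this
MAX_SUCCESS_RATE = 0.25        # article: 1 in 5 to 8 attempts succeeds
LATENCY_WINDOW = (15.0, 30.0)  # article: solver round trip of about 20-25 s
MAX_LATENCY_SPREAD = 5.0       # assumption: a solver service answers with a tight spread


def summarize(attempts):
    """Aggregate attempt counts, success rate and latency shape per source IP."""
    per_source = defaultdict(list)
    for ip, seconds, passed in attempts:
        per_source[ip].append((seconds, passed))
    summary = {}
    for ip, rows in per_source.items():
        latencies = sorted(seconds for seconds, _ in rows)
        passes = sum(1 for _, passed in rows if passed)
        summary[ip] = {
            "attempts": len(rows),
            "success_rate": passes / len(rows),
            "median_latency": median(latencies),
            "latency_spread": latencies[-1] - latencies[0],
        }
    return summary


def suspicious_sources(attempts):
    """Return source IPs whose signup behaviour matches the solver pattern.

    A source is flagged only when it has enough attempts, its success rate is
    in the low band the article reports, and its solve latency sits inside the
    20-25 s window with machine-like consistency. Each condition alone is
    common for humans; the combination is what is unusual.
    """
    low, high = LATENCY_WINDOW
    flagged = []
    for ip, stats in summarize(attempts).items():
        if stats["attempts"] < MIN_ATTEMPTS:
            continue
        if (stats["success_rate"] <= MAX_SUCCESS_RATE
                and low <= stats["median_latency"] <= high
                and stats["latency_spread"] <= MAX_LATENCY_SPREAD):
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip, stats in summarize(ATTEMPTS).items():
        print(ip, stats)
    print("flagged:", suspicious_sources(ATTEMPTS))
```

Because the article notes that the CAPTCHA images are relayed through infected victim machines, a flagged address may belong to an innocent user; the sensible response is a step-up check (a second challenge, e-mail or phone confirmation, or a registration delay) rather than a blanket block, and the thresholds should be tuned against a provider's own baseline of human solve times.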

What the experts say

According to Websense, although service providers make continuous efforts to combat the abuse of their services, spammers, phishers, and malware authors keep carrying out attacks against those services. This demonstrates the abusers’ adaptability and creates an iterative cycle in the email and Web security arena.

Nor is Microsoft Live Hotmail the only email provider to be affected. Speaking exclusively to CXOtoday, Carl Leonard, threat research manager of Websense Security Labs, said multiple free web-based email providers are being targeted this way. These include the biggies — Gmail, Yahoo! Mail, and Microsoft (Live and Hotmail).

CAPTCHA has a plausible enterprise application in stopping spam email, but the ease with which web clients’ CAPTCHA systems are being breached is worrying. CAPTCHA can be, and has been, used to prevent the automation of account creation, but each evolution of CAPTCHA is attacked until it is broken.

"Captcha could evolve but there is a balance to be found between maintaining usability and preventing abuse. There exist many different suggestions on the subject of how Captcha could evolve including using graphical images or reCaptcha," said Leonard.

"As we’ve seen from previous patterns, spammers just attack whatever system is in place. They are financially motivated to get hold of details, and will increase the sophistication of attacks, in a persistent cycle," he added.
