Slashdot
Understanding How CAPTCHA Is Broken
Posted by
CmdrTaco
on Sat May 17, 2008 11:10 AM
from the stuff-to-think-about dept.
An anonymous reader writes "Websense Security Labs explains the spammer Anti-CAPTCHA operations and mass-mailing strategies. Apparently spammers are using a combination of different tactics — proper email accounts, visual social engineering, and fast-flux — representing a strategy, explains their resident CAPTCHA expert. It is evident that spammers are working towards defeating anti-spam filters with their tactics."
Related Stories
Technology: reCAPTCHA Hard At Work, Rescuing Fading Texts
sciencehabit writes "Computer scientists have developed a program, called reCAPTCHA, which is being used in lieu of CAPTCHA by several sites, to help digitize old books and newspapers. The reCAPTCHA takes entries from old and faded texts that optical scanners and digital-text readers have trouble with. So every time you solve that string of crooked letters, you may actually be helping historians digitally reconstruct a page from the 1908 New York Times." The Science Now story links to the longer and more informative article at Ars Technica. (We last mentioned this program last year — and now it's good to get some sense of how well it's working.)

Really? (Score:5, Funny)
Sounds like news to me!
Re:Really? (Score:5, Insightful)
A more practical approach - 3 grades of service (Score:5, Interesting)
* verified user, someone using a credit card or providing some other ID that, if faked, can be prosecuted criminally
* established regular user, a person with a reasonably long and regular history, say, at least 10 logins a month, at least 10 outbound messages a month, and at least 10 inbound messages a month, for 3 of the past 6 months, and a minimal history of complaints.
* other - anyone else
On outbound messages, include a tag that the recipient's mail provider can use as part of its trust-assessment.
The "minimal history of complaints" is a potential problem due to false allegations and joe-jobbing.
Lack of ID could be a problem for users from countries whose IDs are not deemed trustworthy. If I give Yahoo my Nigerian passport number....
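The three grades of service proposed above, written out as an added example (not the poster's code): the activity thresholds are the post's own, while the complaint cap and the `X-Sender-Grade` header name are assumptions made here to make the scheme concrete.

```python
from dataclasses import dataclass

@dataclass
class Month:
    logins: int
    sent: int
    received: int

@dataclass
class Account:
    verified_id: bool        # credit card or other ID that can be prosecuted if faked
    history: list            # Month records, most recent first (constructed input)
    complaints: int = 0      # abuse complaints on record

# Thresholds from the post; MAX_COMPLAINTS is an assumed reading of "minimal history of complaints".
MIN_PER_MONTH = 10
MONTHS_REQUIRED = 3
WINDOW_MONTHS = 6
MAX_COMPLAINTS = 1

def active_month(m):
    """A month counts only if logins, outbound and inbound all reach the threshold."""
    return m.logins >= MIN_PER_MONTH and m.sent >= MIN_PER_MONTH and m.received >= MIN_PER_MONTH

def grade(acct):
    """Return 'verified', 'established' or 'other' per the three grades in the post."""
    if acct.verified_id:
        return "verified"
    # Only the most recent WINDOW_MONTHS months count; older activity does not carry over.
    active = sum(active_month(m) for m in acct.history[:WINDOW_MONTHS])
    if active >= MONTHS_REQUIRED and acct.complaints <= MAX_COMPLAINTS:
        return "established"
    return "other"

def outbound_tag(acct):
    """Hypothetical header (name assumed) carrying the grade for the recipient's provider to weigh."""
    return f"X-Sender-Grade: {grade(acct)}"
```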
Re:A more practical approach - 3 grades of service (Score:5, Insightful)
I guess I've gotten used to it (Score:4, Interesting)
Re:I guess I've gotten used to it (Score:5, Informative)
Re:I guess I've gotten used to it (Score:4, Insightful)
Re:I guess I've gotten used to it (Score:5, Informative)
Originally, everyone had to pay to make a phone call, but it was free to receive a call. Local calls were less expensive than long-distance calls, but both charged by the minute. Decades ago, phone companies started offering a monthly flat rate for unlimited local calls, and it was so popular that it's all they offer now. Long distance calls are still a per-minute charge for the caller (free to the recipient), except for some newer companies like Vonage that include unlimited long distance calls.
Enter cellular phones. Early adopters (mostly businessmen) wanted the convenience of being able to take a telephone with them in their car, without the rest of the world necessarily needing to know anything about what technology they were using, or having to pay any extra fees. The owner of the cell phone pays per minute for both incoming and outgoing calls, because the only alternative would be to treat all cell phones as long-distance numbers (requiring a 1 dialed in front of the number, and adding a per-minute charge to the caller's bill). People wouldn't have wanted to do that. Remember, the vast majority of calls to cell phones were from land lines, not from other cell phones (because the vast majority of people didn't have cell phones yet).
So, the owner of the cell phone pays for the privilege of having a mobile phone, paying for both sending and receiving calls. Over time, calling between cell phones becomes increasingly popular, but if one person with a cell phone calls another person with a cell phone, BOTH people pay per minute for the call.
And if you're going to pay for sending and receiving phone calls, you're gonna pay for sending and receiving text messages.
Of course, the per-minute fees are exorbitant, so to soften the blow, companies start offering "free" minutes included with the monthly plan, along with a certain number of "free" text messages. The more money you pay per month, the more "free" minutes and text messages are included.
Enter the marketing department. In an attempt to differentiate themselves from the competition, somebody starts offering unlimited calls during non-peak hours (nights and weekends), and all their competitors jump on board. Then, as mobile-to-mobile calling becomes increasingly popular, companies start offering "free" mobile-to-mobile calls within their own network, to entice people to recommend that everyone they know sign up with the same company. But since most people don't even know how to use text messages (my first cell phone didn't support them), there's no marketing reason to offer free text messaging. It's much more profitable to charge $0.10 per message (after the first few hundred per month that are included with the plan).
We now have a new generation who has grown up with cell phones and is perfectly comfortable typing entire conversations on a keypad, abbreviating anywhere they can save keystrokes just as we did when chatting on computer bulletin boards and IRC in the late 80s and early 90s. Some people here remember the days before 300 baud modems; abbreviating was essential.
As demand for text messaging increases among this new generation and improving technology reduces actual per-call and per-message costs, marketing departments will decide that they stand more to gain from offering unlimited calls and text messages (because they can advertise it to attract customers) in their standard monthly rate than they do from charging $0.10/message. They're already moving in this direction, offering unlimited calls and texts to/from a certain number of "favorite" people. Eventually we'll all have one flat monthly rate for unlimited usage, and the whole question of paying to receive calls and text messages will be irrelevant.
I was about to say it will be forgotten, but it has never occurred to most Americans that things could work differently in the rest of the world, so there's no question to forget.
Wrong title (Score:5, Informative)
I'm surprised they're not using them to break the spam filter of yahoo/hotmail/gmail though. I mean, if they all started sending each other spam and marking it as ham, wouldn't that pretty much break any feedback-based system that they're using to protect their users?
Re:Wrong title (Score:5, Informative)
Sometimes It Comes as an Easy Fix (Score:5, Informative)
This is more about subverting CAPTCHA (Score:4, Informative)
This is the scam part, not the technology part of their operations, which would actually tell us about the possible weaknesses of the CAPTCHA tests and give hints on how to fix them.
Animated CAPTCHAs? (Score:5, Interesting)
Re:Animated CAPTCHAs? (Score:5, Interesting)
Re:Animated CAPTCHAs? (Score:5, Informative)
But that captcha on e-gold would be trivial to break. Over the course of the animation all parts of all numbers are visible with no variation or noise around them. If they rotated, though, and were slightly larger than the image, it might just work. That would be such a pain in the ass for humans to read I don't think it would be used at all.
The most likely captcha technologies to win, I think, are the ones that require some amount of contextual knowledge about our world. Nobody's really created an anti-captcha bot that can distinguish a kitten from a tiger, for instance. Tests like these, even though they're also obnoxious to humans, are much more effective.
This article is an advertisement (Score:5, Insightful)
This article links to what is basically an infomercial. What it links to is filled with pictures and seeming explanations, but it's written in scare-mongering language and not written with an eye towards the reader understanding it. It is an advertisement telling you that Websense is a fantastic company because they understand all this terribly scary stuff and already have the technology to defeat it for you.
Re:This article is an advertisement (Score:4, Interesting)
Re:This article is an advertisement (Score:4, Insightful)
It would be really nice if people would tag articles like this with 'slashvertisement'. :-)
This is getting silly. (Score:4, Funny)
That should keep the bots out, right?
Why are we so helpless? (Score:4, Insightful)
Web page redirection may have to go (Score:5, Interesting)
We're seeing the need for some limits on web page redirection. Most of these attacks involve putting something on a trusted place which redirects to an untrusted place. Google, with incredible sloppiness, allows Blogspot accounts to do this, and as a result, they are heavily exploited by spammers. (Try, for example, "nikaluti21040.blogspot.com", which will redirect, via some iframes and other tricks, to "selissia.com", which is hosted on "secureserver.net").
Exploitation of legitimate sites to get through spam filters is a problem, but it can be dealt with if you're willing to take a hard line. Our first step in that direction was our list of major domains being exploited by active phishing scams. [sitetruth.com] Our position is that one phishing attack from within a domain blacklists the whole domain. But within three hours after the problem is fixed, they're off the list. Major sites make the list now and then; Google, Dell, MSN, and Yahoo have all been on the list at one time or another. But they now know to take steps to get themselves off within hours. The Anti-Phishing Working Group and PhishTank have been helpful with this effort. We're down to 47 such domains today. It was about 175 when we started last fall. Most of the remaining entries are free web hosting services or DSL providers.
We and others have observed that there's an inverse relationship between the number of redirects and the legitimacy of a web page. We've been looking at this at SiteTruth [sitetruth.com]. For things like AdWords ads, where some sites use redirection as part of a tracking system, it's typically the bottom-feeders who are using redirection. An advertiser promoting their own product or service doesn't need it; it's brokers, intermediaries, and made-for-Adwords sites that use redirection. Anything with more than one redirect is almost bad. We expect to use redirection as part of our legitimacy metric in the future.
It's thus time for browsers to limit their acceptance of redirection. One HTTP-level redirect, OK. Beyond that, put up a popup warning of suspicious redirection behavior. Redirects via META tags and Javascript should produce a popup. Sure, some site operators will look bad, but they will adapt.
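The browser rule proposed above (one HTTP redirect is fine, a second one warns, META and JavaScript redirects always warn) as an added example, not the poster's or SiteTruth's code. The web is replaced by a constructed, offline table of responses; the hostnames in it are made up, and a real fetcher would be passed in as `fetch`.

```python
import re
from dataclasses import dataclass, field

# Constructed offline stand-in for the web: URL -> (status, headers, body).
FAKE_WEB = {
    "http://blog.example/post1": (302, {"Location": "http://hop.example/r"}, ""),
    "http://hop.example/r": (302, {"Location": "http://hop2.example/x"}, ""),
    "http://hop2.example/x": (200, {}, '<meta http-equiv="refresh" content="0;url=http://landing.example/">'),
    "http://landing.example/": (200, {}, "<script>window.location='http://final.example/'</script>"),
    "http://final.example/": (200, {}, "<html>offer</html>"),
    "http://vendor.example/": (301, {"Location": "https://vendor.example/"}, ""),   # one canonical hop
    "https://vendor.example/": (200, {}, "<html>product</html>"),
}

# In-page redirects the post says should always warn.
IN_PAGE = (
    ("META refresh redirect", re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)),
    ("JavaScript location redirect", re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)),
)

@dataclass
class Verdict:
    chain: list = field(default_factory=list)      # every URL visited, in order
    http_redirects: int = 0                         # 3xx-with-Location hops seen
    warnings: list = field(default_factory=list)    # what the browser rule would warn about

def assess(url, fetch=FAKE_WEB.get, max_hops=10):
    """Follow url as the post's browser rule would; max_hops bounds redirect loops."""
    v = Verdict()
    while url and len(v.chain) < max_hops:
        v.chain.append(url)
        resp = fetch(url)
        if resp is None:
            v.warnings.append(f"unresolvable: {url}")
            break
        status, headers, body = resp
        if 300 <= status < 400 and "Location" in headers:
            v.http_redirects += 1
            if v.http_redirects == 2:               # the first HTTP redirect is fine, the second is not
                v.warnings.append("more than one HTTP redirect")
            url = headers["Location"]
            continue
        for label, pattern in IN_PAGE:              # no HTTP redirect: look for one inside the page
            m = pattern.search(body)
            if m:
                v.warnings.append(label)
                url = m.group(1)
                break
        else:
            break                                   # no redirect of any kind: this is the final page
    return v
```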
Spammers' trick - Reusable captcha (Score:4, Interesting)
Present Captcha image to 2 users (agreement = correct).
So the monkeys pull the right lever and get the reward of viewing the next adult video, and the spammer gets a near-realtime solution to even the best of captchas.
Re:Page design (Score:4, Informative)
Re:Page design (Score:5, Funny)
Pure genius. Even cleverer than those blacked out PDFs...
Re:My spam rules-- (Score:5, Funny)