Understanding How CAPTCHA Is Broken 148

An anonymous reader writes "Websense Security Labs explains the spammers' Anti-CAPTCHA operations and mass-mailing strategies. Apparently spammers are using a combination of different tactics — proper email accounts, visual social engineering, and fast-flux — representing a strategy, explains their resident CAPTCHA expert. It is evident that spammers are working towards defeating anti-spam filters with their tactics."
  • Re:Page design (Score:4, Informative)

    by tepples ( 727027 ) <tepples.gmail@com> on Saturday May 17, 2008 @11:23AM (#23445838) Homepage Journal

    Whose bright idea was it to use light grey text on a white background?
    At least the page is easier to read than several common CAPTCHAs that shut out blind people. You could try changing the black level on your monitor, installing a custom style sheet, or just copying the text to a text editor.
  • Wrong title (Score:5, Informative)

    by RiotingPacifist ( 1228016 ) on Saturday May 17, 2008 @11:24AM (#23445844)
    The article describes how the spammers are using their new found accounts, nothing to do with CAPTCHAs other than they had to (either automatically or manually) break them to get the accounts.

    I'm surprised they're not using them to break the spam filter of yahoo/hotmail/gmail though, I mean if they all started sending each other spam and marking it as ham, wouldn't that pretty much break any feedback based system that they're using to protect their users?
  • by morari ( 1080535 ) on Saturday May 17, 2008 @11:26AM (#23445860) Journal
    A little less than one year ago I had put up a forum for my website; PHPBB (insert whatever the current version was). Anyway, all was fine for a few weeks until I noticed obvious spam accounts registering maybe once a day. Nothing ever came of them, no abusive posts or anything of that nature, but they were sitting there in my user list. I tried several common approaches, such as using a different CAPTCHA and also forcing a verification word to be typed in. Nothing worked. Eventually I noticed that the one commonality between all of the spam accounts was that they all chose Albanian as their language. Odd. I initially thought that perhaps the spammers were based in Albania, but quickly came to the conclusion that the bots were simply selecting the first available option in the language dropdown. I wrote up a script (which was painfully sloppy, I'm sure) that would not allow anyone to successfully register with the Albanian language. After filling everything out and hitting submit, it would take you to a page and say something to the extent of "Sorry, you have selected an unauthorized language. Please try again". I watched carefully as for weeks I didn't spot a single new spam account. Eventually I made a fake language to sit at the top of the list and block, just in case any actual Albanians wanted to use the board. It continued to work just fine. After several months I did get hit by one or two spam accounts that had set their language to English. After that, I wrote a similar script for the "personal website" field of the signup process, forcing legitimate users to add it to their profile after successfully registering. I haven't had any problems since.
  • by paratiritis ( 1282164 ) on Saturday May 17, 2008 @11:38AM (#23445924)
    The article does not really talk about how the spammers defeat CAPTCHA, which would be more interesting to me. It focuses instead on how once they defeat the CAPTCHA test (manually or automatically) they take advantage of the added credibility their new accounts have (because of that very test) for their purposes.

    This is the scam part, not the technology part of their operations, which would actually tell us about the possible weaknesses of the CAPTCHA tests and give hints on how to fix them.

  • Re:Wrong title (Score:5, Informative)

    by nbert ( 785663 ) on Saturday May 17, 2008 @11:50AM (#23445992) Homepage Journal
    "Understanding How CAPTCHA Is Broken" is catchier than "Anti-Captcha and spamming strategy well explained!", guess that's why this article was chosen. The article's summary itself shows that it's not mainly about CAPTCHAs, otherwise fast-flux wouldn't show up there.
  • by Anonymous Coward on Saturday May 17, 2008 @12:47PM (#23446328)
    Most people pay $.10 per message, incoming or outgoing.
  • by PontifexPrimus ( 576159 ) on Saturday May 17, 2008 @12:57PM (#23446390)

    Most Americans pay $.10 per message, incoming or outgoing.
    There, fixed that for you. It's quite unheard of here in Germany.
  • by LeRandy ( 937290 ) on Saturday May 17, 2008 @01:14PM (#23446494)
    Sounds like bullshit to me.

    a. No SMS has a subject line, it is a "Short Message Service" (max 160 chars)

    b. How the hell does the network know whether you have opened the message or not -- either it has been sent to your phone, or it has not. Any other way, and people would be publishing "free-SMS" hacks for phones.

  • by mstahl ( 701501 ) <marrrrrk@gmail.TEAcom minus caffeine> on Saturday May 17, 2008 @03:02PM (#23447148) Homepage Journal

    But that captcha on e-gold would be trivial to break. Over the course of the animation all parts of all numbers are visible with no variation or noise around them. If they rotated, though, and were slightly larger than the image, it might just work. That would be such a pain in the ass for humans to read I don't think it would be used at all.

    The most likely captcha technologies to win, I think, are the ones that require some amount of contextual knowledge about our world. Nobody's really created an anti-captcha bot that can distinguish a kitten from a tiger, for instance. Tests like these, even though they're also obnoxious to humans, are much more effective.

  • by Phroggy ( 441 ) <slashdot3@ p h roggy.com> on Saturday May 17, 2008 @09:32PM (#23449584) Homepage
    Sure: it goes back to how telephone service developed in this country.

    Originally, everyone had to pay to make a phone call, but it was free to receive a call. Local calls were less expensive than long-distance calls, but both charged by the minute. Decades ago, phone companies started offering a monthly flat rate for unlimited local calls, and it was so popular that it's all they offer now. Long distance calls are still a per-minute charge for the caller (free to the recipient), except for some newer companies like Vonage that include unlimited long distance calls.

    Enter cellular phones. Early adopters (mostly businessmen) wanted the convenience of being able to take a telephone with them in their car, without the rest of the world necessarily needing to know anything about what technology they were using, or having to pay any extra fees. The owner of the cell phone pays per minute for both incoming and outgoing calls, because the only alternative would be to treat all cell phones as long-distance numbers (requiring a 1 dialed in front of the number, and adding a per-minute charge to the caller's bill). People wouldn't have wanted to do that. Remember, the vast majority of calls to cell phones were from land lines, not from other cell phones (because the vast majority of people didn't have cell phones yet).

    So, the owner of the cell phone pays for the privilege of having a mobile phone, paying for both sending and receiving calls. Over time, calling between cell phones becomes increasingly popular, but if one person with a cell phone calls another person with a cell phone, BOTH people pay per minute for the call.

    And if you're going to pay for sending and receiving phone calls, you're gonna pay for sending and receiving text messages.

    Of course, the per-minute fees are exorbitant, so to soften the blow, companies start offering "free" minutes included with the monthly plan, along with a certain number of "free" text messages. The more money you pay per month, the more "free" minutes and text messages are included.

    Enter the marketing department. In an attempt to differentiate themselves from the competition, somebody starts offering unlimited calls during non-peak hours (nights and weekends), and all their competitors jump on board. Then, as mobile-to-mobile calling becomes increasingly popular, companies start offering "free" mobile-to-mobile calls within their own network, to entice people to recommend that everyone they know sign up with the same company. But since most people don't even know how to use text messages (my first cell phone didn't support them), there's no marketing reason to offer free text messaging. It's much more profitable to charge $0.10 per message (after the first few hundred per month that are included with the plan).

    We now have a new generation who has grown up with cell phones and is perfectly comfortable typing entire conversations on a keypad, abbreviating anywhere they can save keystrokes just as we did when chatting on computer bulletin boards and IRC in the late 80s and early 90s. Some people here remember the days before 300 baud modems; abbreviating was essential.

    As demand for text messaging increases among this new generation and improving technology reduces actual per-call and per-message costs, marketing departments will decide that they stand more to gain from offering unlimited calls and text messages (because they can advertise it to attract customers) in their standard monthly rate than they do from charging $0.10/message. They're already moving in this direction, offering unlimited calls and texts to/from a certain number of "favorite" people. Eventually we'll all have one flat monthly rate for unlimited usage, and the whole question of paying to receive calls and text messages will be irrelevant.

    I was about to say it will be forgotten, but it has never occurred to most Americans that things could work differently in the rest of the world, so there's no question to forget.
  • by Cardcaptor_RLH85 ( 891550 ) on Saturday May 17, 2008 @11:24PM (#23450158)
    Personally I remember that back on the 'original' AT&T Wireless (my first cellular provider) they offered free incoming text messages to all of their users. That deal unfortunately went by the wayside when Cingular bought the wireless department from the old AT&T, unless you never wanted to get any more free phone upgrades. The Cingular SIM cards wouldn't work in old SIM-locked AT&T branded phones, so either you bought unlocked phones at retail or you had to change to a Cingular plan. It was a sad time for those of us in the US who didn't want to pay when someone sent us a text message against our will....
