Hackers broke Microsoft Hotmail's CAPTCHA system once again, according to Websense. Spammers break CAPTCHA in order to abuse free Webmail services to send out spam.
Once again, hackers have had their way with a security test designed to
distinguish between humans and machines.
This time it was Microsoft Live Hotmail's CAPTCHA that has fallen
victim to hackers. CAPTCHA, which stands for Completely Automated Public Turing
test to tell Computers and Humans Apart, is often used by Webmail
services to prevent
spammers from using bots to sign up for multiple accounts.
Microsoft has reworked its CAPTCHA in the past to thwart cracking
attempts by hackers, but as research from Websense shows, these
latest efforts have still come up short.
, Websense researcher Sumeet Prasad noted that spammers
have increased the sophistication of their anti-CAPTCHA efforts in the latest
attack. While in the past anti-CAPTCHA operations used automation that
utilized straightforward, command and control instructions from a template, the
latest attack uses automation with encrypted communication between spammer bot
servers and compromised machines, the researcher blogged.
"Spammers have adopted these tactics with a mindset to secure their operations
from being exposed or detected," Prasad wrote.
According to Prasad, in this attack the CAPTCHA-breaking host or bot server
injects encrypted instructions onto a compromised machine. The encrypted code
includes templated sign-up instructions with the spammers' predefined
credentials, such as a Windows Live ID, password, first name and so on, along
with CAPTCHA-breaking instructions such as "image send and code receive."
The bot-infected client then decrypts and follows the instructions from the
CAPTCHA-breaking host or bot server and connects to the Live Hotmail site to
sign up for an account. The bot continues to the secured Live Hotmail signup
page, where it attempts to fill in all predefined credentials. The compromised
machine sends the CAPTCHA image request to the CAPTCHA-breaking host. The
compromised machine receives the scrambled CAPTCHA code from the
CAPTCHA-breaking host, descrambles it and completes the signup process.
The bot repeats this process over and over, potentially creating multiple
By circumventing CAPTCHA tests, spammers can more easily use free, Web-based
e-mail services to send out their wares because the reputable domain being used
is less likely to be blocked by a spam filter. The result for users is an in-box
littered with unwanted messages. In an annual security report for 2008,
Symantec's MessageLabs reported the amount of spam coming from Webmail accounts
peaked at 25 percent of all spam in September 2008 and averaged about 12
percent for the rest of the year.
Earlier this year, officials at Microsoft told eWEEK they were investing in
enhancements to their CAPTCHA system to make it both more readable for users
and less susceptible to automated attacks. Some of the improvements include new
image distortion logic, overlapping characters and dynamic monitoring to
observe attacks in real-time in order to make the necessary adjustments.
"CAPTCHA-based authentication is used by various service providers to
prevent automated software from performing actions that degrade their function
and their quality of service, due either to abuse or resource expenditure,"
Prasad wrote. "Although continuous efforts are made by various service
providers to combat the abuse of their services, the spammers, phishers, and
malware authors carry out various attacks over these services, proving the
abusive authors' adaptability, and creating an iterative cycle in the email and
Web security arena."