Researchers at AVG Technologies may have uncovered a scheme by attackers to circumvent the CAPTCHA protections on Facebook to create fraudulent accounts.
According to Roger Thompson, chief of research at AVG, the firm discovered a number of Facebook pages whose creation appears to have been automated by attackers. The bogus pages were being used to spam out links leading to sites pushing rogue antivirus.
“The rogues are being created by some central group…and then being re-sold via an affiliate model,” he said. “Once it’s installed…at a minimum, they get your credit card when you register the software.”
If attackers have indeed cracked the CAPTCHA on Facebook, it will hardly be the first such defense to fall. Black hats have made mincemeat of CAPTCHA technologies on Yahoo Mail and other Web mail services in the past. However, officials at Facebook aren’t sure that’s what happened.
“Based on our investigation and the relatively small number of accounts created, we’re almost certain that they were created manually, rather than by a bot,” Facebook spokesman Simon Axten said. “We think this actually validates the captchas we use, as well as the various other automated security systems we’ve implemented, which severely limited the scope of this attack and enabled us to get all evidence of it off the site before people were actually harmed.”
Thompson conceded it was possible the accounts were created manually, but he doubted it.
“They might be setting them up manually, but the numbers of accounts seem to be too high for that, and the accounts look automated,” he said. “There’s no extra data, for example. It’s the same each time, and only the name changes.”
Either way, Axten said Facebook is working to identify any fake accounts that have been created and disable them. In the meantime, Facebook users are advised to use caution when receiving unsolicited links or messages from people they don’t know.