Microsoft's CAPTCHA Takes Another Blow as Hackers Look to Abuse Hotmail

Hackers broke Microsoft Hotmail's CAPTCHA system once again, according to Websense. Spammers break CAPTCHA in order to abuse free Webmail services to send out spam.

Once again, hackers have had their way with a security test designed to distinguish between humans and machines.

This time it was Microsoft Live Hotmail's CAPTCHA that has fallen victim to hackers. CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart, is often used by Webmail services to prevent spammers from using bots to sign up for multiple accounts.

Microsoft has reworked its CAPTCHA in the past to thwart cracking attempts by hackers, but as research from Websense shows, these latest efforts have still come up short.

In a detailed analysis, Websense researcher Sumeet Prasad noted that spammers have increased the sophistication of their anti-CAPTCHA efforts in the latest attack. While in the past anti-CAPTCHA operations used automation that utilized straightforward, command and control instructions from a template, the latest attack uses automation with encrypted communication between spammer bot servers and compromised machines, the researcher blogged.

"Spammers have adopted these tactics with a mindset to secure their operations from being exposed or detected," Prasad wrote.

According to Prasad, in this attack the CAPTCHA-breaking host or bot server injects encrypted instructions onto a compromised machine. The encrypted code includes templated sign-up instructions with the spammers' predefined credentials, such as a Windows Live ID, password, first name and so on, along with CAPTCHA-breaking instructions such as "image send and code receive."

The bot-infected client then decrypts and follows the instructions from the CAPTCHA-breaking host or bot server and connects to the Live Hotmail site to sign up for an account. The bot continues to the secured Live Hotmail signup page, where it attempts to fill in all predefined credentials. The compromised machine sends the CAPTCHA image request to the CAPTCHA-breaking host. The compromised machine receives the scrambled CAPTCHA code from the CAPTCHA-breaking host, descrambles it and completes the signup process.

The bot repeats this process over and over, potentially creating multiple accounts.

By circumventing CAPTCHA tests, spammers can more easily use free, Web-based e-mail services to send out their wares because the reputable domain being used is less likely to be blocked by a spam filter. The result for users is an in-box littered with unwanted messages. In an annual security report for 2008, Symantec's MessageLabs reported the amount of spam coming from Webmail accounts peaked at 25 percent of all spam in September 2008 and averaged about 12 percent for the rest of the year.

Earlier this year, officials at Microsoft told eWEEK they were investing in enhancements to their CAPTCHA system to make it both more readable for users and less susceptible to automated attacks. Some of the improvements include new image distortion logic, overlapping characters and dynamic monitoring to observe attacks in real-time in order to make the necessary adjustments.

"CAPTCHA-based authentication is used by various service providers to prevent automated software from performing actions that degrade their function and their quality of service, due either to abuse or resource expenditure," Prasad wrote. "Although continuous efforts are made by various service providers to combat the abuse of their services, the spammers, phishers, and malware authors carry out various attacks over these services, proving the abusive authors' adaptability, and creating an iterative cycle in the email and Web security arena."