July 10, 2007 12:46 PM PDT

Spammers defeat Captchas

by Robert Vamosi

According to security vendor BitDefender, spammers have defeated a system designed to differentiate humans from machines when registering new accounts online. Known as Captcha (Completely Automated Public Turing test to tell Computers and Humans Apart), the system won't allow users to advance until distorted characters in a box are correctly entered. BitDefender says a new threat, Trojan.Spammer.HotLan.A, is using more than 15,000 automatically generated bogus Microsoft Hotmail accounts to spread and is registering 500 new accounts per hour, suggesting the Captcha system has been defeated.

BitDefender says the Trojan horse accesses one of the free Web mail accounts from Microsoft or Yahoo, pulls encrypted content from a Web site, decrypts the message (usually spam for a pharmaceutical product), then sends the e-mails to presumably valid addresses obtained from another Web site. Exactly how the Trojan is able to create the bogus Web mail accounts is not documented.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
no kidding
by noname19 July 10, 2007 1:54 PM PDT
Captchas were defeated a LONG time ago.
when?
by sirctseb July 10, 2007 2:17 PM PDT
when were captchas defeated?
How 'bout no more character based Captchas
by worsethannormal July 10, 2007 4:20 PM PDT
I've seen some interesting captcha ideas recently. One involved pictures of different species of animals and asked you to choose "the dog" (or any other animal). Maybe someone could write a pattern recognition to find this, but this would be very difficult. Another that I've seen actually asks you to pick the "Hot Girl." That one would be incredibly difficult to defeat.
Mechanical Turk and stolen card numbers?
by hackian July 10, 2007 2:08 PM PDT
Maybe they used something like Amazon Mechanical Turk web service and paid for it with stolen card numbers?

see www.amazonaws.com
This is "human" data input, not automated reading software.
by gfolkert July 10, 2007 4:28 PM PDT
After talking about this problem with others, I think it's come down to the fact that 500 new accounts each hour is easily a "human" doable. That would be dumping a captcha in front of a single person and getting them to read and submit once every 7.2 seconds (on average).

After being in the address correction industry for a few years, and seeing the amount of work done by people reading computer illegible addresses and then inputting the proper info... captchas would be nothing. The average time per bad address correction is about 4 seconds. This means more info and response than the typical captcha has.

This is just a brute force way of making them happen.
Interesting link about captcha breaking here
by matale5 September 4, 2007 6:27 PM PDT
http://sam.zoy.org/pwntcha/

Since the captcha breaker is not intelligent (according to the link) but just recognises certain types of captcha, I think it would help if they used random types of captcha on sites so there would be the added problem of figuring out which one it is.
by pjk0 November 26, 2008 8:27 PM PST
The way they are doing this is that they have a network of people, i.e. in Eastern Europe or Russia etc., who are forwarded copies of each captcha the account-creation-bot sees. The human-being deciphers the captcha, then sends it back through the network, which enters the information required.