Network News

X My Profile
View More Activity

Web Fraud 2.0: Thwarting Anti-Spam Defenses

Spammers have made great strides this past year in defeating CAPTCHAs, the distorted text used as a security test to ensure a person and not a machine is behind a computer screen. But automated programs that spammers use to thwart CAPTCHAs still aren't nearly as successful as the practice of hiring thousands of people to do nothing but remotely solve the puzzles for clients.

captchamain.jpg

This is the business model behind anti-captcha.com, a subscription service that offers spammers a cheap way to solve CAPTCHAs, or "Completely Automated Public Turing test to tell Computers and Humans Apart." Google, Yahoo and other e-mail and Web service providers employ CAPTCHAs to stop spammers and other bad guys from using automated processes to create hundreds or thousands of fake accounts.

Those new accounts, of course, are not logged yet by anti-spam filters, so they give spammers a new platform to deliver their garbage. Also, Google's or Yahoo's domains are unlikely to be blacklisted by anti-spam groups.

The welcome page explains how the business works [my translation from Russian]:

We work with tens of thousands of people from all over the world who are ready to work for a small payment to convert text pictures sent by you. You give the CAPTCHAs to our server, which hands it to the workers. In a few seconds, our server will receive the converted CAPTCHA as text and relay it back to you. As a rule, this time does not exceed 20 seconds and [that's] quite fast enough for a successful registration everywhere there is CAPTCHA in use.

The site says it stands by its work, and will refund the cost of any failed or incomplete CAPTCHAs, although considering each solved CAPTCHA is worth a fraction of a penny that seems like a small consolation. From their "features" page:

  • The quality of recognition is between 90 percent and 95 percent.
  • We support 2-word CAPTCHAs
  • We support mixed upper and lowercase CAPTCHAs.

  • The volume which we can accept at any moment from new clients is between 500,000 to 1 million CAPTCHAs in day.
  • We automatically issue refunds for any CAPTCHAs which were solved in more than 60 seconds.

  • We automatically return money for solved CAPTCHAs that include incorrect text.

captchaprice.jpg

The main anti-captcha.com service is something of a fixed-price menu: They charge $1 for every 1,000 CAPTCHAs you send. But the site also features an à la carte menu, selling new and used Gmail and Yahoo Web mail accounts in bulk. Currently offered are packages for 1,000, 10,000 and even 100,000 accounts at a time. Anti-captcha.com is selling 1,000 new Gmail accounts for $8, 10,000 Gmail accounts for $64, and 50,000 pristine Gmail inboxes for $280. Some 100,000 used Yahoo! mail accounts can be had for $150 to $200.

By Brian Krebs  |  August 25, 2008; 7:00 AM ET
Categories:  Fraud , From the Bunker , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Web Fraud 2.0: Distributing Your Malware
Next: White House Imposes New Security Mandate for Federal Agencies

Comments

Thanks again, Brian!

Ugh - another Monday morning wake-up call...

...which proves my original theory:

"There is no gravity - it sucks!"

.

Posted by: J. Warren | August 25, 2008 9:22 AM | Report abuse

I like the idea (is it facebook?) where you click on cats (or dogs?).

But it still doesn't solve the problem of anti-captcha just using its 1,000s of people clicking on the cats & registering emails (to be sold later).

You could go down the path of: only one email per mobile phone account... but what if you don't have a mobile?

Captchas are designed to stop computer "bots" not cheap humans... So how do you stop a cheap human? Feed them? pay them?

Posted by: Computer Aid | August 25, 2008 10:03 AM | Report abuse

Interestingly enough, captchas on certain sites are now being used to solve problems in digitising older texts, as shown in a recent article in Science Now (http://tinyurl.com/5uwbwx). Let us hope that those who would destroy the usefulness of captchas in determining who's a human and who's a machine can be thwarted, so that these devices can continue to be used both to stop spammers and to digitise older texts....

Henri

Posted by: M Henri Day | August 25, 2008 10:52 AM | Report abuse

I work for a web application firewall vendor (Breach Security) and I am also involved with many web application security organizations (see my email signature below) so I get to see these types of attacks daily.

What you are describing here with CAPTCHA's and how the bad guys are responding is a big issue. The underlying vulnerability or deficiency within most of today's web applications is Insufficient Anti-Automation (http://www.webappsec.org/projects/threat/classes/insufficient_antiautomation.shtml). Most webapps don't have the ability to identify when an automated program is interacting with their site vs. a real human. CAPTCHAs are one way to do it however there are two other behavioral items to look at -

1) Client Access Speed
Web apps should be able to monitor the speed at which a client is moving and to take responsive actions if they exceed a threshold in a specified time period. You can do this based solely on an IP address however if you can factor in items that shouldn't change (such as a User-Agent string, etc...) you can pretty accurately identify individual clients.

2) Request Header Anomalies
This is when you can profile what normal browser request headers look like and how they should change while navigating a multi-step registration process. What we are seeing in the wild is that once a real SPAMMER nagivates the registration process, they then try to bypass the beginning steps and jump right to the end. The request headers are then missing cookie data, etc... that a normal client would have had if they had followed the expected steps.

Posted by: Ryan Barnett | August 25, 2008 11:48 AM | Report abuse

Brian: Super good article! My ISP uses CAPTCHAs and I have been wondering HOW/WHY I have been getting many garbage-spams from overseas delivered into my "inbox" instead of the "anti-spam viewing box"....now I know why. If you have not already done so, please follow-up with the US and UK, etc, internet spam control agencies so that they are aware of the content of your article. It's important to get the Russian internet-thugs behind this activity shut down and taken off of the internet, ASAP.

Posted by: Gerry Naugle | August 25, 2008 1:28 PM | Report abuse

Brian -

Excellent series of articles. Thanks very much.

Posted by: RK | August 25, 2008 2:39 PM | Report abuse

Visual image captchas are bad. They block out and discriminate against visually impaired users, punishing them as spammers.

Visual verification that requires you to enter characters in an image you see, or answer a question about what's in an image you see, blocks out anyone with a visual impairment.

Clicking to get a larger image displayed does nothing at all for people with severe vision impairments who cannot even read large print.

Audio captchas are becoming available on a growing number of sites, but even they aren't good enough. The deaf-blind use braille displays and cannot see a picture or hear a corresponding sound.

Captchas force the blind to surrendor what independence they once had on site registration and forms, reducing them to begging a sighted person or site admin for help in account creation, form submittal, group creation, anywhere there is a manditory visual verification code.

As if that wasn't bad enough, Many of these captcha-using sites add further insult to the visually impaired when they demand you to prove you are human by entering in a visual code. If you are blind and you cannot see an image, does that disqualify you as a member of the human race? According to captcha, yes!

This is not a tiny little inconvenience that occurs every once in a blue moon, but an ongoing, day to day problem. Trying to register, make comments, create groups, or fill out any form to completion is a crapshoot if you are visually impaired. If you are on your own, trying to make a submission on a site and you are pressed for time, you are completely out of hope when you run up against a captcha and there is no one you can get to help you.. Site administrators may or may not have time or the desire to help you.

When you find yourself running up against this cyber face-slapping half or more than half the time you try to make submissions to various sites, it is demoralizing. You are told again and again that you are not welcome, you are not human, forced to pester a site administrator or someone else for help with something you could do on your own before, and as far as the site administration goes, you do not exist and are not worth consideration.

It's infuriating and a threat to the dignity of people who are at the mercy of visual verification captchas.

In addition to blind users having the door shut in their faces at sites that use visual captchas, It is evident that spam problems still occur as much as ever on sites that use captchas, proving captcha to be a cure that's worse than the disease.

If a site administrator feels so strongly that they must employ a captcha, there is a newer, truly accessible variety that should be more effective. It prompts you with a question in text format and requires you to fill in the answer. the questions should not require a person to be able to see an image to answer.

Bad examples: Which number in the picture is red?" "Which animal in the picture above has four legs?" How is someone who can't read print and has to rely on a screenreader supposed to know that?

Good examples: "How many legs does a cat have?" "What's 2+2?" Math questions can be asked in a number of different ways to hault a bot and still be accessible to a user. "What's 6 divided by 2?" What's 5 added to 3?" Even "What color is an orange?" is still a good example, because everyone except the bots, sighted or not, knows the answer.

Anti-captcha sites that make you pay for having a captcha solved are stupid. isn't it already bad enough some people are inconvenienced by a vision disability, and now some anti-captcha site is trying to make a bundle off them as well? A true anti-captcha site won't resell emails and won't charge for the service of breaking captchas, but should require user registration and disable the service if any user is found using their service for the purpose of spamming. It is necessary to have a captcha breaking service for the visually impaired, not for spammers.

Posted by: Capri | August 25, 2008 3:23 PM | Report abuse

If you want made-in-USA CAPTCHA cracking tools, try searching Google for "craigslist auto posting tool". Google offers seven paid ads for spamming tools and CAPTCHA crackers. ("The worlds Best Selling Craigslist software. Works with new CAPTCHA!") Three of them (including one that advertises "Only Automated Solution for the new captcha. Nobody else is automated.") are available through Google Checkout. That's right, Google is collecting the money for CAPTCHA crackers.

Google has been advertising these tools for months, despite press coverage. Google's "don't be evil" refrain is wearing thin.

Posted by: John Nagle / SiteTruth.com | August 26, 2008 2:42 PM | Report abuse

A few years ago I used a Russian OCR product called "Fine Reader 3.0" to capture handwritten text and number from state tax forms to accelerate data entry. It was an order of magnitude BETTER than any other OCR I tried. It can only have improved since then and I'd wager that is what the Russian hackers are using. Very fast. Very accurate.

Posted by: GreyGeek | August 26, 2008 3:26 PM | Report abuse

Brian your articles are fantastic
but are a fantastic howto for a
newbie cyber criminal

Posted by: Denis Joseph Barrow | August 26, 2008 3:35 PM | Report abuse

Capri, you've totally missed the point. anti-captcha does not exist for the purpose of heping the blind or deaf deal with CAPTCHA. It exists for the sole purpose of helping spammers to defeat it for the purpose of obtaining Gmail/Yahoo/Hotmail accounts for spamming. Why would a business like that want an anti-spam policy?

Whether or not CAPTCHA could be done better for people who are deaf and/or blind is an issue worth talking about, but the point of this article isn't about that. It's about the anti-captcha spam-enabling service.

Posted by: JB | August 26, 2008 3:42 PM | Report abuse

Blue Security was the ONLY system that worked. It worked, and it was the only system that the spammers actually feared, because it didn't go after the spammer, it wiped out their clients and customers.

We need to see someone like Google take up the BlueSecurity Model and end the profit train. After all? No customers, no business.

-N0nYm0u$3 (Because I know better)

Posted by: N0nYm0u$3 | August 26, 2008 7:45 PM | Report abuse

Blue Security was the ONLY system that worked. It worked, and it was the only system that the spammers actually feared, because it didn't go after the spammer, it wiped out their clients and customers.

We need to see someone like Google take up the BlueSecurity Model and end the profit train. After all? No customers, no business.

-N0nYm0u$3 (Because I know better)

Posted by: N0nYm0u$3 | August 26, 2008 7:45 PM | Report abuse

captcha killer
solves captcha for free

Posted by: captcha killer | August 26, 2008 9:57 PM | Report abuse

My infected computer changes its ip address seemingly at random. I had a return from a website showing me my login ip address as
Logged IP Address: 209.249.222.2

I looked it up on Google and three Russian forums came up which Google translated as follows:

stupid flood have on certain IP, or UDP, or ICMP
209.249.222.2
216,218,240,206
85.106.1.81
195,248,160,184
88.83.203.198
who have faced?
how to behave (and the provider and client) in order to cap stuknuli not?
зы
the problem is not very local
http://forum.nag.ru/index.php?showtopic=32229

We yesterday and today faced with new malware.

Several hundred machines have become our clients do pingflud address 209.249.222.2
It is very unpleasant, I should say.

There have someone similar problem?

I ask why - if so many, this viral epidemic, and if it is only us, it is some local hackers staged.

Timur

For good everywhere where you have to cut 135-139, 445 ports. Number of epidemics drastically reduced.

11/12/2006 Virus attack
In connection with the activation of viruses temporarily blocked traffic until the following IP addresses
209.249.222.2
87.106.1.81
195,248,160,184
88.83.203.198
121.36.126.34
88,212,197,198
209.200.131.38
209.200.177.38

The following day, AlterGold, the site in question, collapsed under a DDoS attack.

Bewildered.

Malcolm

Posted by: Malcolm Patten | August 27, 2008 2:07 AM | Report abuse

One way to make CAPTCHA little more effective is to use SSL and to generate virtual random session unique keyboard right under it - could still be defeated by browser add-on, but is not as straightforward.

Posted by: George | August 27, 2008 1:23 PM | Report abuse

Well that explains all the spam postings on craigslist for most of the IT related jobs. They appear legit, but when you reply to them (to a gmail address) you immediately get an automated reply to go to a website to fill out an application. Bogus! They're just collecting your personal information and in some cases attempting to direct you to a malicious website.

Btw: if you're not sure about the validity of the ad, send an introductory e-mail but don't include your resume and limit your personal info in the body (only name and e-mail address). That way you're not giving them anymore of your personal info until you know it's legit.

From my experience if the ad has a gmail address, it's most likely bogus! Google (among others) need to address this!

It's almost to the point of making sites like craigslist and/or e-mail systems useless!

Posted by: TJ | August 28, 2008 12:40 PM | Report abuse

Capri,
I understand your frustration and how such visual security strategies limit your access. However, if the issue goes unchecked, everybody may have their access limited. CAPTCHA may be in an imperfect system that inconveniences some people, but it's better than the alternatives.

As an aside, I have a child with profound mental retardation. I am all for accessibility. However, I'm not interested in depriving the use of facilities to others just to accommodate my kid. Sure, the facilities operators should make a reasonable accommodation when possible. But I don't think that they should fling the gates wide open just to avoid inconveniencing a few. CAPTCHA will probably be an insurmountable problem for him without assistance. However, until a better security control is developed, I am all for keeping and improving CAPTCHA.

In short, if you have a disability, you should expect some inconveniences in life. We all suffer inconveniences because of our physical station in life, some moreso than others.

Posted by: JoStalin | August 29, 2008 1:11 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company