Monday, December 14, 2009

Captcha is old news...

December 2009

Criminals outwit Captcha Web site security systems. According to research by Symantec and MessageLabs, criminals have developed software capable of decoding the hidden text in Captcha pictures, which are meant to distinguish genuine customers from automated software. The groups are using the technology to create thousands of accounts on legitimate webmail and social networking sites, which they can then use to launch spam and phishing attacks against web users, says a senior analyst at Symantec.

“If you have a large number of legitimate accounts on a site, you can benefit from the legitimate domains. It becomes very difficult for anti-spam technology to identify messages from those domains as spam. It is hard to block, because you risk blocking legitimate users,” he says.

The practice puts businesses at risk, as they can be on the receiving end of credible-looking e-mails containing links to malware. “Social networking and micro-blogging sites are coming under a lot of pressure from the bad guys. They are creating legitimate profiles and even phishing for accounts of real people,” he says. “There are inherent risks for organizations that do not have controls in place.”

In some cases, cybercriminals are using image recognition software to decode the disguised words in Captcha pictures. Other groups have developed software capable of decoding the audio version of Captcha, which is intended for people who have difficulty reading Web sites, by analyzing the waveforms to recognize the letters of each code word. Specialist companies have also sprung up that hire people to create accounts on Web applications, paying them $2 or $3 per thousand. They sell the accounts on to criminal groups for between $30 and $40 a thousand, said the analyst.
