Slashdot Mirror
Fallout From the Fall of CAPTCHAs
An anonymous reader recommends Computerworld's look at the rise and fall of CAPTCHAs, and at some of the ways bad guys are leveraging broken CAPTCHAs to ply their evil trade. "CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work. By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open soon thereafter. Hotmail's top got popped in April. And then things got bad. There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks. You don't need to have any cracking skills. All you need is a desire to spread spam, make anonymous online attacks against your enemies, propagate malware or, in general, be an online jerk. And it's not just free e-mail sites that can be made to suffer..."
It automates the attack by repeating the known method of defeating the CAPTCHA (say, by grayscaling the image, adjusting the brightness thresholds then reading from the font; I don't know the actual method, that's just a guess). It's not that you point it at a website and it'll discover the method to defeat the CAPTCHA on its own, it's just repeating a method an actual person developed. That's how I read it, anyway.
While that's a class of problem that's tricky (though not impossible) to address, giving you the choice of a few different animals it might be is insufficient. Even if there are 10 choices, random guessing will be right 10% of the time, and that's enough for spammers. Subjective answers (showing a picture of a dog and having someone type "dog") are tricky because not everyone will type "dog", and you don't want to reject humans.
The current design fits the requirements well because the answer is distinctly objective (you're entering exactly the letters you see), but the number of possible answers is enormous, so learning the answers or hoping to guess well is unreasonable.
a combo if requiring an account, and having to wait at least 30 seconds before writing a reply, plus moderation. However, the firehose is littered with spam ads...
from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
Much of this is finding a way to brute-force the methods used on particular sites, overwhelming randomness, etc. It's not really a computer reading any difficult text.
You may be able to pay humans to solve them for you, but you can't pay humans to solve them for you at the same quantity. Human beings are slow and require extensive resources.
It makes a big difference when you're talking about creating a crime syndicate with thousands of employees vs. one lonely script kiddie. The former solution doesn't scale very well, and has a much higher barrier to entry. Even if you don't stop spam you are certainly cutting back on the quantity.
If they can break the captcha, that's a bit less helpful, because whoever did it can sell the solution. However, it's still better than if setting up an automated agent for spamming your site is nothing more than a scant few hours of work to anyone who can program. And the quicker you can change your captcha the less profitable/useful it becomes to crack it.
It's not about being utterly victorious. That would involve tracking down spammers and hiring hitmen to take them out. What it is about is harms mitigation, and captchas will still do that even after being broken.
Or there just needs to be a very large database of possibilities. Microsoft's Asirra is one of these with a finite number of items, but due to the nature and number of the items, a computer will have a difficult time breaking it.
Online Starcraft RPG? At
Dietary fiber is like asynchronous IO-- Non-blocking!
Fun fact, by replying to all his posts to call him an idiot you drastically increase his exposure. Ever hear of "don't feed the trolls"?
Prove that a 3-manifold space has the additional property that each loop in the space can be continuously tightened to a point then it is just a three-dimensional sphere.
ummm... I like Stacie!
The spammers have a new solution to CAPTCHAs in place - offshore outsourcing. This has become a sizable operation. System status earlier today:
Current Status: Volumes are exceedingly high. -- Automatically dispatching more labor
Queued Captchas: 91
Total outsourced volume: 4564301
This service is integrated with Craigslist auto posting tools, allowing high-speed spamming of Craigslist. It's also used for other services, like obtaining GMail accounts.
Even Craigslist's callback-by-phone system is starting to crack. Temporary phone numbers for Craiglist verification, provided by marginal telephony providers, have dropped to $1.50 in bulk.
The overall effect of Craigslist's new protections is that the cost of spamming has gone up, enough to slow down the low-rent operators but not by enough to stop it.
As I've pointed out previously, Google plays a central role in this. Google's services provide a facade of anonymity for scammers to hide behind. GMail for anonymous mail, YouTube for anonymous infomercials, AdWords for anonymous advertising, Checkout for anonymous money transfer, and Blogger/Blogspot for anonymous redirectors to zombie machines are all valuable services for scammers and spammers. All those services are used heavily by Craigslist spammers.
Others have provided some of the same services, but the competing services had bad reputations. Anybody trying to do business via Hotmail just had to be phony. Many mail agents just block all Hotmail mail. Anyone running a business off of "freewebpage.org" probably wasn't someone you'd want to deal with. So you had some strong indications of lack of legitimacy there.
Google, though, still has a good reputation. The combination of Google's reputation and low customer standards offers a great opportunity for scammers, and they're taking it.
I'm pretty sure that identification of an object or animal would be much harder than letters.
Don't be so sure!
cat
dog
Most of these attacks come from zombies, and I don't think anyone wants to block potential customers.
Though if they did, maybe people would start paying attention to computer security.
Liberte, Egalite, Fraternite (TM)
For all of naive assessment that it's a piece of cake, the challenge is daunting.
Humans may not be as fast as robots, but they can be surprisingly cheap. There's enough of the world where $1/hour* is an attractive wage that speak some English, and if the people there can solve a CAPTCHA in 9 seconds, that's at the $0.0025 price level that Nick was referring to. (Hi, Nick!)
If you're a scammer and there's a website that you want to crack, but it's not big enough to pay somebody to develop an algorithm for (either because the CAPTCHA's too hard or changes too often etc.), you can find some corrupt Nigerian generals' orphaned children who'll do it, or some Chinese guys who are tired of beating up monsters to get gold pieces or magic swords.
I don't know the going price of zombies or mail relay accounts, and it's probably dropping at faster than Moore's Law, but some sites are probably worth attacking.
* "Make good money $5 a day... Made any more I might move away..."
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
NOW V1AG-RA 100'S 4U click here (*) !