Fallout From the Fall of CAPTCHAs

An anonymous reader recommends Computerworld's look at the rise and fall of CAPTCHAs, and at some of the ways bad guys are leveraging broken CAPTCHAs to ply their evil trade. "CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work. By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open soon thereafter. Hotmail's top got popped in April. And then things got bad. There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks. You don't need to have any cracking skills. All you need is a desire to spread spam, make anonymous online attacks against your enemies, propagate malware or, in general, be an online jerk. And it's not just free e-mail sites that can be made to suffer..."

Re:A dumb question:

[EkriirkE]

a combo if requiring an account, and having to wait at least 30 seconds before writing a reply, plus moderation. However, the firehose is littered with spam ads...

Re:or Windows Specific.

[D'Sphitz]

Fun fact, by replying to all his posts to call him an idiot you drastically increase his exposure. Ever hear of "don't feed the trolls"?

Offshoring CAPTCHA solving

[Animats]

The spammers have a new solution to CAPTCHAs in place - offshore outsourcing. This has become a sizable operation. System status earlier today:

Current Status: Volumes are exceedingly high. -- Automatically dispatching more labor
Queued Captchas: 91
Total outsourced volume: 4564301

This service is integrated with Craigslist auto posting tools, allowing high-speed spamming of Craigslist. It's also used for other services, like obtaining GMail accounts.

Even Craigslist's callback-by-phone system is starting to crack. Temporary phone numbers for Craiglist verification, provided by marginal telephony providers, have dropped to $1.50 in bulk.

The overall effect of Craigslist's new protections is that the cost of spamming has gone up, enough to slow down the low-rent operators but not by enough to stop it.

As I've pointed out previously, Google plays a central role in this. Google's services provide a facade of anonymity for scammers to hide behind. GMail for anonymous mail, YouTube for anonymous infomercials, AdWords for anonymous advertising, Checkout for anonymous money transfer, and Blogger/Blogspot for anonymous redirectors to zombie machines are all valuable services for scammers and spammers. All those services are used heavily by Craigslist spammers.

Others have provided some of the same services, but the competing services had bad reputations. Anybody trying to do business via Hotmail just had to be phony. Many mail agents just block all Hotmail mail. Anyone running a business off of "freewebpage.org" probably wasn't someone you'd want to deal with. So you had some strong indications of lack of legitimacy there.

Google, though, still has a good reputation. The combination of Google's reputation and low customer standards offers a great opportunity for scammers, and they're taking it.

Gold Farming as CAPTCHA equivalent

[billstewart]

Humans may not be as fast as robots, but they can be surprisingly cheap. There's enough of the world where $1/hour* is an attractive wage that speak some English, and if the people there can solve a CAPTCHA in 9 seconds, that's at the $0.0025 price level that Nick was referring to. (Hi, Nick!)

If you're a scammer and there's a website that you want to crack, but it's not big enough to pay somebody to develop an algorithm for (either because the CAPTCHA's too hard or changes too often etc.), you can find some corrupt Nigerian generals' orphaned children who'll do it, or some Chinese guys who are tired of beating up monsters to get gold pieces or magic swords.

I don't know the going price of zombies or mail relay accounts, and it's probably dropping at faster than Moore's Law, but some sites are probably worth attacking.

* "Make good money $5 a day... Made any more I might move away..."