Fallout From the Fall of CAPTCHAs

An anonymous reader recommends Computerworld's look at the rise and fall of CAPTCHAs, and at some of the ways bad guys are leveraging broken CAPTCHAs to ply their evil trade. "CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work. By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open soon thereafter. Hotmail's top got popped in April. And then things got bad. There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks. You don't need to have any cracking skills. All you need is a desire to spread spam, make anonymous online attacks against your enemies, propagate malware or, in general, be an online jerk. And it's not just free e-mail sites that can be made to suffer..."

Cracaked CAPTHAs!!! oh no!

[xpuppykickerx]

I hate the fact that a computer can view these things better than I can. Lately, a lot of the CAPTCHAs have become unreadable by human viewers.

Anyone usinging specialised tests?

[niceone]

Heh, at the end of the article they have a link to a site that requires you to solve a calculus problem to register (it gets easier if you reload the page a few times, down to simple arithmetic). I have a site that is only of interest to people who use verilog (a hardware design language) I've toyed with requiring a some digital logic problem to be solved, but the volume of spam signups it's big enough for me to be bothered yet...

Of course this solution isn't going to work for gmail - which seems to be the preferred email provider for the spam signups I do get these days.

Re:And they share better.

[statusbar]

The best way I've seen that captcha's got broken are by "free porn sites". The web site is what is cracking another captcha. When it gets a captcha to solve, it passes it to one if it's "porn viewers" - "please type the word that this captcha says in order to prove you are old enough to view the porn". Then the porn is displayed and the bot running on the website has a potential solution made by a human to do it's botting with.

This method will suffice to crack ANY CAPTCHA!

--jeffk++

Re:And they share better.

[encoderer]

Absolutely correct.

I run a mid-sized web development shop. A few years ago we were doing mostly retail sites. Vanilla and boring but we worked it down to a science and had some really great "modules" that made these sites super profitable for us. Of course, everything has its seedy side and with retail it was SEO.

Everybody wanted it. About 80% of our customers were of the "Do whatever, just ideminfy me" stripe. (And these are established companies paying high 5-figures for these sites). We drew our own demarcation about what we would and wouldn't do. (Excessive Internal-link structure is OK, zombie sites are not).

Now most our work is social networking.

We, too, followed the "rise" of CAPTCHA and we've been happy with our results. We always used a custom CAP for each site, and we tried to keep them relatively readable, being of the belief that making it too hard will only keep out Humans: If somebody wants to crack it, they will.

We still use them regularly. I noticed that about a year ago we actually had people begin to request them specifically. (Isn't that what Buffett said about the home mortgage mess? When the regular joe's started flipping houses, he knew it was over?)

Anyhoo, I think the real fault in CAP's is that they worked too well. They became too big of a target. Now, we try to mix and match a number of different techniques to identify humans.

Solutions range from dirt-simple: An input box named, say, "City" that has a label that reads "13 plus 8 equals:" or "What is the 3rd word on this page?"

To the more complex "what is the color of the front-door in this picture?"

We have a simple library we use for these things that pulls the questions (and, if applicable, the pics) from a Database of about 25,000 different turing tests.

The thing is, none of them are too complex. Any mediocre programmer could write an application to crack it. But your bot will probably never see that same exact question again, so it becomes irrelevant.

And, to tie it in to the parent, we chose this technique precicely because of what we learned from CAPs. Before there were software hacks, there was the "porn hack" and the "sweatshop labor hack."

In this case, when a bot the site, it's fairly difficult for it to even detect which item is the turing test. We auto-generate the location and even the name of the form field so it's always a bit different.

SEOs - Lying to Robots so Robots Lie to Humans

[billstewart]

Search Engines help humans find web pages that the humans might find interesting, and they do this by having robots spider the web looking for patterns. Search Engine Optimizers try to get humans to read their customers' web pages in three ways:

• Making it easy for the robots to find the content. Google's how-to page tells you pretty much everything you need to know, and it's not hard, but I guess there are companies who want to hire somebody to clean up their web page structure for them instead of doing the work themselves, or to tell their graphic designers to stop using complex Flash-based mouseover gesture interactions instead of simpler links and good indexing. Usually people who do that call themselves "consultants" or "web designers" instead of "SEOs", but not always.
• Helping their customers write more interesting web pages instead of boring ones. Usually people who do that call themselves "editors" or "content consultants" or whatever instead of "SEOs", but not always.
• Lying to the search engines' robots so that the customers' uninteresting-to-humans web pages match patterns that the robots identify as "interesting", so the robots will lie to humans about the interestingness of those pages. Sometimes this includes building link farms or generating vast reams of uninteresting content with popular keywords and ad banners or kiting millions of domain names. Usually people who do this call themselves "SEOs" or "Search Engine Optimization Consultants" instead of "lying scum polluting the Internet". But sometimes they pretend to be something else, like "Advertising specialists" or whatever.