CAPTCHAs – breaking into the shadow economy
Posted on behalf of Jason Zhang, Senior Software Engineer, Symantec Hosted Services
For many years, CAPTCHAs have proven very useful for many reputable, Web-based email and application service providers, including social networking sites and online auction sites, for the purpose of deterring automated registration. Nevertheless, cyber criminals have not ceased trying to defeat CAPTCHA-based protection.
Since 2008, cyber criminals have found ways to break CAPTCHAs either automatically or by manual labour. Breaking them has unlocked the business potential of the so-called shadow economy for many criminals, who stand to make a lot of money from the free email accounts they have been able to harvest from popular account providers by cracking the CAPTCHA system. The appetite for CAPTCHA breaking stems from the desire to procure popular email or social networking accounts, which can be used to distribute spam or malware effectively.
MessageLabs Intelligence has noticed that the amount of spam sent out from webmail accounts has been changing. The figure below shows the spam trends over the last six months (the smooth curve is a polynomial fit); the spam percentage on the y-axis is calculated against the 120 billion spam emails Symantec blocks per day. At the beginning of November 2009, webmail-generated spam accounted for about 0.5% of the total blocked spam; one month later it had increased to 1%, followed by a steady drop over the rest of the measurement period, with the exception of some spikes. The decline is due to the fact that major webmail service providers have strengthened their CAPTCHA protection systems since 2008, which makes their CAPTCHAs harder to break. But the race between CAPTCHA designers and breakers will never cease, and we might again see increasing spam from webmail accounts created through cracking CAPTCHA systems.
Breaking the rules
To break CAPTCHAs automatically, various methods have been used that attack either the design or the implementation of a CAPTCHA system. Of these, optical character recognition (OCR) technology, re-use of session IDs and cracking the MD5 hash of CAPTCHA solutions are the most common. OCR technology has been widely used for book digitization; it typically consists of pre-processing, image segmentation and character recognition. Strong segmentation resistance in a CAPTCHA image can therefore result in a poor recognition rate for the breaker. In 2008, CAPTCHA breakers used OCR technology to successfully recognize characters displayed on CAPTCHA images. This requires CAPTCHA designers to introduce stronger segmentation resistance without making the images too hard for human users, which makes CAPTCHA system design increasingly challenging.
Some CAPTCHA protection systems are poorly implemented in the sense that the session ID of a known CAPTCHA image is not destroyed after a successful submission. This allows CAPTCHA breakers to reuse the session ID to automate the registration process until the session ID expires. Another example of insecure implementation is to pass an MD5 hash of the CAPTCHA solution to the client side in order to validate the CAPTCHA entered. The MD5 hash is a fixed-length digest of the CAPTCHA solution which users have to enter to prove they are a real human being. However, a typical CAPTCHA solution is quite short, so the space of possible solutions is small and its MD5 hash is not particularly tough for a computer to break; cyber criminals can use brute force to guess the answer through pure number crunching. The benefit of automating CAPTCHA breaking is that criminals can create a large number of email or social networking accounts in a very short period of time.
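The two implementation flaws above are easiest to see side by side. The following Python example is added here and is not code from Symantec, MessageLabs or the post's author; it models a minimal server-side CAPTCHA store in two versions. The insecure version keeps a challenge alive after a correct answer, so the same session ID can be replayed. The hardened version keeps the answer only on the server (no hash is ever sent to the client), destroys the challenge on the first verification attempt whether it succeeds or not, enforces a time limit and compares in constant time. The `Challenge`, `InsecureCaptchaStore`, `CaptchaStore` and `demo` names, the 300-second TTL and the sample answer `"x7kq2"` are all constructed for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed example: a minimal in-memory CAPTCHA challenge store. The caller
# supplies the clock ("now", in seconds) so the expiry path can be exercised
# deterministically. Image generation is out of scope; we only model the
# challenge lifecycle, which is where the session-reuse flaw lives.


@dataclass
class Challenge:
    answer: str       # the expected solution, kept server-side only
    issued_at: float  # timestamp (seconds) when the challenge was created


class InsecureCaptchaStore:
    """Flawed design: the challenge survives a correct answer, so one solved
    session ID can be submitted again and again until it expires."""

    def __init__(self):
        self._challenges = {}

    def issue(self, answer, now):
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = Challenge(answer, now)
        return cid

    def verify(self, cid, submitted, now):
        ch = self._challenges.get(cid)
        if ch is None:
            return False
        # Flaw: nothing removes the challenge after this comparison.
        return ch.answer == submitted


class CaptchaStore:
    """Hardened design: single-use, time-limited, constant-time comparison,
    and the answer (or any hash of it) never leaves the server."""

    TTL = 300.0  # seconds a challenge stays valid (constructed value)

    def __init__(self):
        self._challenges = {}

    def issue(self, answer, now):
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = Challenge(answer, now)
        return cid

    def verify(self, cid, submitted, now):
        # pop() destroys the challenge on the first attempt, right or wrong,
        # so a solved ID cannot be replayed and one ID cannot be guessed at
        # repeatedly; a wrong answer forces the client to fetch a new image.
        ch = self._challenges.pop(cid, None)
        if ch is None:
            return False
        if now - ch.issued_at > self.TTL:
            return False
        return hmac.compare_digest(ch.answer.encode(), submitted.encode())


def demo():
    """Exercise both stores with a constructed answer; returns a dict of
    outcomes so the behaviour can be checked rather than just printed."""
    answer = "x7kq2"  # constructed sample solution
    now = 1_000_000.0

    insecure = InsecureCaptchaStore()
    cid = insecure.issue(answer, now)
    insecure_first = insecure.verify(cid, answer, now)
    insecure_replay = insecure.verify(cid, answer, now + 1)  # replay succeeds

    hardened = CaptchaStore()
    cid = hardened.issue(answer, now)
    hardened_first = hardened.verify(cid, answer, now)
    hardened_replay = hardened.verify(cid, answer, now + 1)  # replay fails

    cid = hardened.issue(answer, now)
    hardened_wrong = hardened.verify(cid, "wrong", now)
    hardened_retry = hardened.verify(cid, answer, now)  # consumed by the miss

    cid = hardened.issue(answer, now)
    hardened_expired = hardened.verify(cid, answer, now + CaptchaStore.TTL + 1)

    return {
        "insecure_first": insecure_first,
        "insecure_replay": insecure_replay,
        "hardened_first": hardened_first,
        "hardened_replay": hardened_replay,
        "hardened_wrong": hardened_wrong,
        "hardened_retry": hardened_retry,
        "hardened_expired": hardened_expired,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that the client should only ever receive an opaque challenge ID; the answer, and anything derived from it, stays in server-side storage keyed by that ID, and the record is removed on first use. In a real deployment the in-memory dict would be a shared cache with the same expiry semantics.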
Alternatively, CAPTCHAs can be broken by hand. Criminals put their business out to tender on the web, and labourers then bid for the work by undercutting competitors. MessageLabs Intelligence has monitored situations where web users are offering to break CAPTCHAs to create 1,000 email accounts for as little as $2 – 3. Often this labour is outsourced to other countries where work is less expensive. We commonly see bids for CAPTCHA breaking in India and in Eastern European countries such as Russia and Poland. Other web users can often be encouraged to break CAPTCHAs through enticing images, such as a woman who appears to take off an item of clothing for each CAPTCHA broken.
CAPTCHAs are also being broken by harnessing the power of botnets. A bot will download a CAPTCHA image then pass that image to another bot; the botnet will then ‘freeze’ compromised PCs within its control and display an instruction ordering users to break a CAPTCHA in order to unlock their computers.
The size of the shadow economy
Criminals are breaking CAPTCHAs to benefit from the murky shadow economy. Once fraudsters have a glut of valid email accounts, these can be used to send out spam emails or for other nefarious purposes such as ID fraud, which could result in great financial gain. Online criminals could also sell their validated email accounts to other spammers to make a profit. With these addresses, criminals can also create social networking accounts on popular sites. In addition, legitimate email addresses are less likely to be stopped by AV scanners, which often do not stop incoming mail from webmail accounts. MessageLabs Intelligence has monitored clever botnet owners using an army of email addresses to send out spam for a short period of time, before changing tack and emailing a different type of spam from those accounts, or using the email addresses for a different purpose. This chopping and changing helps criminals to bypass detection and to serve different clients using the variety of email addresses they have created.