How cyber crooks break CAPTCHAs

The percentage of spam containing shortened hyperlinks has increased significantly over the last year. As far as spammers are concerned, any tactic that makes it harder to block their spam emails is going to be exploited. These shortened hyperlinks point at reputable and legitimate domains, making it harder for traditional anti-spam filters to identify the messages as spam.

Paul Wood


Analysis in the latest MessageLabs Intelligence Report revealed that URL-shortened spam hit a one day peak of 18 per cent, or 23.4 billion spam emails, on April 30, 2010. This doubled last year’s peak level of 9.3 per cent of spam, or more than 10 billion spam emails, on July 28, 2009.

While botnets are often the source of short URL spam, 28 per cent of this type of spam originated from sources not linked to a known botnet, such as unidentified spam-sending botnets or non-botnet sources such as webmail accounts created using CAPTCHA-breaking tools.

For many years, CAPTCHAs have proven very useful for many reputable, Web-based email and application service providers, including social networking sites and online auction sites, for the purpose of deterring automated registration. Nevertheless, cyber criminals have not ceased trying to defeat CAPTCHA-based protection.  

Since 2008, cyber criminals have found ways to break CAPTCHAs either automatically or by manual labour. Breaking them has unlocked the business potential of the so-called shadow economy for many criminals who stand to make a lot of money from the free email accounts they’ve been able to harvest from popular account providers. Lust for CAPTCHA breaking stems from the desire to procure popular email or social networking accounts, which can be used to effectively distribute spam or malware. 

Breaking the rules
To break CAPTCHAs automatically, various methods have been used that attack either the design or the implementation of the CAPTCHA system. The most common are optical character recognition (OCR) technology, re-use of session IDs and cracking the MD5 hash of CAPTCHA solutions.

OCR technology has been widely used for book digitization, and typically includes pre-processing, image segmentation and character recognition. An image that strongly resists segmentation yields a poor recognition rate.

In 2008, CAPTCHA breakers used OCR technology to successfully recognize characters displayed on CAPTCHA images.  This requires CAPTCHA designers to introduce stronger segmentation resistance without making it too hard for human users, which makes CAPTCHA system design increasingly challenging.

Some CAPTCHA protection systems are poorly implemented in the sense that the session ID of a known CAPTCHA image is not destroyed after a successful submission. This allows CAPTCHA breakers to reuse the session ID to automate the registration process until the session ID expires. 

Another example of insecure implementation is to pass an MD5 hash of the CAPTCHA solution to the client side to validate the CAPTCHA entered. The MD5 hash serves as a fingerprint of the CAPTCHA solution that users have to enter to prove they are a real human being.

However, a typical CAPTCHA is quite short, meaning the MD5 hash of the solution is not particularly tough for a computer to break; cyber criminals can use brute force to guess the answer through pure number crunching. The benefit of automating CAPTCHA breaking is that criminals can create a bulk of email or social networking accounts in a very short period of time.
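The two implementation flaws described above (a session ID that survives a successful submission, and an MD5 hash of the solution handed to the client) are easy to see side by side in a small verifier. The code below is an added illustration, not code from the article or from MessageLabs; the class names, the 300-second lifetime and the sample solutions are all assumptions made for the example. The hardened version keeps the solution on the server only, consumes the challenge on its first use, and gives it an expiry, so neither replaying the session ID nor guessing offline against a client-visible hash is possible.

```python
import hashlib
import hmac
import secrets
import time


# --- Weak design 1 (constructed): the challenge is never invalidated -------
class ReusableSessionVerifier:
    """Stores solution per session ID but never removes it after success,
    so one solved CAPTCHA can be replayed for as many registrations as
    the session lifetime allows."""

    def __init__(self):
        self._challenges = {}  # session_id -> expected solution

    def issue(self, solution):
        sid = secrets.token_hex(8)
        self._challenges[sid] = solution
        return sid

    def verify(self, sid, answer):
        # Flaw: entry is read, not consumed, so the same sid verifies again.
        return self._challenges.get(sid) == answer


# --- Weak design 2 (constructed): hash of the solution goes to the client ---
def client_side_md5_token(solution):
    """What a poorly designed form embeds in the page: anyone holding this
    value can test candidate answers offline without talking to the server."""
    return hashlib.md5(solution.encode()).hexdigest()


def keyspace(alphabet_size, length):
    """Number of candidate solutions an offline guesser must cover;
    shows why a short CAPTCHA's hash is not a secret worth keeping."""
    return alphabet_size ** length


# --- Hardened design (constructed): server-side, single-use, expiring -------
class SingleUseVerifier:
    """Solution never leaves the server; a challenge is consumed on its first
    verification attempt (right or wrong) and is refused after `ttl_seconds`."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._challenges = {}  # session_id -> (solution, expires_at)
        self._ttl = ttl_seconds
        self._clock = clock  # injectable for testing expiry deterministically

    def issue(self, solution):
        sid = secrets.token_hex(16)  # unguessable, not derived from the answer
        self._challenges[sid] = (solution, self._clock() + self._ttl)
        return sid

    def verify(self, sid, answer):
        entry = self._challenges.pop(sid, None)  # consumed on any attempt
        if entry is None:
            return False  # unknown or already used
        solution, expires_at = entry
        if self._clock() > expires_at:
            return False  # stale challenge, even if the answer is right
        # Constant-time comparison so timing does not leak the solution.
        return hmac.compare_digest(solution.encode(), answer.encode())


if __name__ == "__main__":
    weak = ReusableSessionVerifier()
    sid = weak.issue("k7q2")
    print("weak, first use:", weak.verify(sid, "k7q2"))   # True
    print("weak, replayed:", weak.verify(sid, "k7q2"))    # True (the flaw)

    print("5 lowercase chars:", keyspace(26, 5), "candidates")

    good = SingleUseVerifier()
    sid = good.issue("k7q2")
    print("hardened, first use:", good.verify(sid, "k7q2"))  # True
    print("hardened, replayed:", good.verify(sid, "k7q2"))   # False
```

Consuming the challenge on a wrong answer as well as a right one is deliberate: it means each issued image allows exactly one guess, so the server cannot be used as an online oracle for the same puzzle, and the client is never given anything, hash or otherwise, from which the answer can be recovered without a round trip.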

Alternatively, CAPTCHAs can be broken by hand. Criminals are putting their business out to tender on the web. Labourers then bid for the work by undercutting competitors. MessageLabs Intelligence has monitored situations where web users are offering to break CAPTCHAs to create 1,000 email accounts for as little as $2 to $3.

Often this labour is outsourced to other countries where work is less expensive. We commonly see bids for CAPTCHA breaking in India and Eastern European countries such as Russia and Poland. Other web users can often be encouraged to break CAPTCHAs through enticing images, such as a woman who appears to take off an item of clothing per CAPTCHA broken.

CAPTCHAs are also being broken by harnessing the power of botnets. A bot will download a CAPTCHA image then pass that image to another bot; the botnet will then ‘freeze’ compromised PCs within its control and display an instruction ordering users to break a CAPTCHA in order to unlock their computers.

The size of the shadow economy
Criminals are breaking CAPTCHAs to benefit from the murky shadow economy. Once fraudsters have a glut of valid email accounts, these can be used to send out spam emails or for other nefarious purposes such as ID fraud, which could result in great financial gain.

Online criminals could also sell their validated email accounts to other spammers to make a profit. With these addresses, criminals can also create social networking accounts on popular sites. In addition, legitimate email addresses are less likely to be stopped by AV scanners, which often do not stop incoming mails from webmail accounts.

MessageLabs Intelligence has monitored clever botnet owners using an army of email addresses to send out spam for a short period of time, before changing tack and emailing a different type of spam from those accounts, or using the email addresses for a different purpose. This chopping and changing helps criminals to bypass detection, and serve different clients using a variety of email addresses which they have created. 

Paul Wood is a senior analyst at MessageLabs Intelligence, Symantec Hosted Services
