February 18, 2009, 4:36 PM — Spammers have cracked Microsoft Corp.'s latest defense against abuse of its Live Hotmail e-mail service using a sophisticated network of hacked computers that receive encrypted instructions from a central server, a security company has reported.
The botnet, or collection of compromised PCs, can decipher Live Hotmail's CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) registration safeguard in about 20 seconds, said Websense Inc. security researcher Sumeet Prasad.
CAPTCHA is the term for the distorted characters that many Web sites, such as e-mail services and blogs, use to prevent spammers and cyber criminals from creating massive numbers of new accounts. Those accounts are used to send junk mail or messages that try to dupe people into visiting malicious sites, and are valuable because spam filters rarely block the "hotmail.com" domain address.
Last fall, Microsoft revamped the CAPTCHA protection for Live Hotmail after earlier versions had been busted by hackers. Its newest defense has now fallen to a similar attack, said Prasad. "Every time Microsoft implements CAPTCHA changes to combat abuse of their services, the spammers adapt to those changes," Prasad said in an entry to the Websense security labs blog .
Although the newest automated CAPTCHA-cracking tactics are similar in some ways to those used previously by criminals, Prasad noted that the hackers are now using encryption to mask the instructions sent to the bots.
"The latest attack consists of encrypted communication between spammer bot servers and infected clients or compromised machines," said Prasad. "Spammers have adopted these tactics with a mindset to secure their operations from being exposed or detected." However, Prasad was able to pull apart the CAPTCHA bot's code and uncover how the instructions are passed between the individual bots and the central command-and-control server.
The actual CAPTPCHA deciphering takes place on the server, which then passes the decoded characters to the bot to register an account.
The hackers successfully bust Hotmail's CAPTCHA once every five to eight attempts, a success rate of between 12.5% and 20%. On average, it takes the botnet server 20 to 25 seconds to analyze the characters and report back to the bot with a CAPTCHA guess.
Previously, bots were able to break Microsoft's CAPTHCA in as little as six seconds , and have at times enjoyed success rates as high as 35% .
