Hackers have again managed to crack Microsoft’s CAPTCHA system, allowing them to set up thousands of accounts on the Windows Live Hotmail service and spam from them. This latest attack differs from previous ones in that the hackers no longer rely on plain command-and-control automation. This time they used encrypted communications between the spammers’ bot-controlling servers and the infected PCs, also known as zombies, that they control.
According to security researcher Sumeet Prasad, this is how it’s done:
In this attack the CAPTCHA-breaking host or bot server injects encrypted instructions onto a compromised machine. The encrypted code includes templated sign-up instructions with the spammers’ predefined credentials, such as a Windows Live ID, password, first name and so on, along with CAPTCHA-breaking instructions such as “image send and code receive.”
The bot-infected client then decrypts and follows the instructions from the CAPTCHA-breaking host or bot server and connects to the Live Hotmail site to sign up for an account. The bot continues to the secured Live Hotmail signup page, where it attempts to fill in all predefined credentials. The compromised machine sends the CAPTCHA image request to the CAPTCHA-breaking host. The compromised machine receives the scrambled CAPTCHA code from the CAPTCHA-breaking host, descrambles it and completes the signup process.
The bot repeats this process over and over, potentially creating multiple accounts.
These accounts are then used to send millions of spam messages, many of which may contain malware designed to add even more machines to the spammer’s botnet. Spammers make such an effort to crack CAPTCHA systems because they know that their spam is unlikely to be blocked if it comes from a reputable domain. In fact, CAPTCHA cracking has become a profitable business in countries such as India, where spammers actually pay real people to solve CAPTCHA puzzles. Automated cracking systems are available in the shady cyber underground as well. Researchers are working hard to come up with new, more sophisticated CAPTCHA systems, but they have a delicate balancing act to master: producing a system that will foil hackers without frustrating legitimate users or making it impossible for visually impaired ones to get past it. Several are in development, but so far no one has found just the right balance.