Bredolab Pushing New Spam Engine

Written by Sue Walsh on January 26, 2010

Experts say the Bredolab botnet is now linked to a spam engine called Webwail that has led to a huge spike in its activity. The spam it’s pumping out is nothing new: fake notifications from UPS claiming a package could not be delivered and directing the recipient to open the attached file to print out an invoice needed to pick it up. The attachment contains a hidden exe file that downloads the Cutwail Trojan and Webwail.

Webwail is a sophisticated engine that has library updates, a scripting engine and the ability to crack CAPTCHAs in 30 seconds or less. The engine also reports errors back to its command server so changes can be made quickly. Currently it’s being directed to create Hotmail accounts.

CAPTCHA cracking is a hot business thanks to engines like Webwail. Botnet herders and spammers advertise for people willing to crack them for .60 to .80 per 1000 CAPTCHAs solved. Spammers want the free webmail accounts they can get by solving them so they can spam from an address not likely to be blocked by a spam filter.

Bredolab spent the holidays delivering the Zbot banking Trojan. Considered simplistic in the botnet world, Bredolab is little more than a “loader” that connects to a remote server, collects files, and executes them. Some experts think such loaders could be our next big threat.

Google reCAPTCHA cracked

Written by John P Mello Jr on January 5, 2010

Despite denials from Google, a security researcher continues to assert that the Search King’s reCAPTCHA system for protecting Web sites from spammers can be successfully exploited by Internet junk mail panderers.

Researcher Jonathan Wilkins published a paper recently that included an analysis of reCAPTCHA’s security. In automated attacks he conducted against the system, he reported he had an alarming success rate of 17.5 percent.

CAPTCHA–which stands for Completely Automated Public Turing test to tell Computers and Humans Apart–is a method for foiling automated attacks by spammers on Web sites. Before a Net surfer can perform a task at a site, such as setting up an email account or adding comments to a blog posting, he or she is presented with the image of a word or phrase that has been distressed in some way. The warped image is intended to thwart scanners and optical recognition software programs used to automate the compromising of web sites by spammers. The idea is that humans can read the characters in the image and type them into a form while machines can’t.

Some simple math reveals just how alarming Wilkins’ findings are. The operator of even a modest botnet of 10,000 machines would be perfectly happy with a success rate of 0.01 percent. That would mean 10 new gmail accounts could be created every second or 864,000 new accounts a day from which spam could be launched.

Google counters that Wilkins’ test targeted an old form of reCAPTCHA from 2008 that’s been changed. “[T]his study does not reflect the effectiveness of reCAPTCHA’s current technology against machine solvers,” a Google spokesperson told The Register. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers.”

Researchers Find Flaws in Google’s reCAPTCHA

Written by Sue Walsh on December 18, 2009

A new report by security researchers claims that Google’s reCAPTCHA system is flawed – so flawed that it would allow a botnet with just 10,000 zombies to manage 10 recognition successes an hour, resulting in over 850,000 fake accounts being registered each day. The researchers say the flaw is the same one that has plagued all CAPTCHA services, the human factor, but with a twist.

The Koobface botnet is distributing a new variant of its Trojan that forces the user of the computer it infects to solve a CAPTCHA. The user is presented with a Windows pop-up directing them to solve the CAPTCHA provided or their system will be shut down. The solved CAPTCHA is then sent to the botnet’s C&C channel and used to create a fake Blogspot blog which is populated with content from Google News. Koobface uses SEO techniques to ensure these blogs are packed with hot topics and sure to appear at the top of search engines. The links in these fake blogs redirect to a fake Facebook page where the user is directed to download a “flash player update” which is really the Koobface Trojan. The same technique is used to create fake Gmail and Facebook accounts which are also used to distribute the malware. Once Koobface infects a system it steals credit card numbers and other personal information.

The underground economy of human driven CAPTCHA solving is booming as well, further weakening the effectiveness of CAPTCHA systems. Services offering bulk orders of solved CAPTCHAs for Web 2.0 and social media services are exploding and prices are lower than ever. One service offers 1 million solved CAPTCHAs for $800. However, with Koobface taking CAPTCHA solving into its own hands, other malware distributors may follow suit, leading to the CAPTCHA solving industry’s demise.

Google denies that their reCAPTCHA is flawed, claiming the data used in the report is outdated.

           “Therefore, this study does not reflect the effectiveness of reCAPTCHA’s current technology against machine solvers,” said a Google spokesman. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers.”

New Image Based Captcha Being Tested

Written by Sue Walsh on May 26, 2009

Researchers at Google have begun testing a new image based captcha they say can help sites fight back against spammers and fraudsters. The new captchas present the user with an upside down image. All they have to do is flip it so it’s right side up. Simple, right? Not for machines! The system rejects any image that a computer may have learned to recognize, such as human faces.

          The new puzzles could be built around a site’s theme — for instance, cartoons at a Disney site, or objects for sale at eBay, said Rich Gossweiler, a senior research scientist at Google who led the team that developed the system. It can be put in place rapidly, he said, and has an almost limitless supply of images. “Our technique expands the vocabulary of captchas” beyond obfuscated characters, he said. “And it might make the process less of a chore. It’s fun to solve a puzzle.”

Since the traditional text based captchas have long since been cracked by scammers, this new image based type might be just what the doctor ordered. Text based captchas are easily solved by machines and in some cases, the scammers simply pay real people a few cents for every captcha they solve. This leads to thousands of fake email accounts being set up and used for spamming or phishing.

A new kind of audio captcha, used for people who are unable to handle the text or image varieties due to disabilities, is also being tested. This one uses phrases from old radio shows instead of random words. Researchers say this makes it much harder for machines to understand and solve.

Will these new captchas save the day and make the technology valuable again? Only time will tell.

Reducing Spam for Publicly Disclosed Email Accounts

Written by Paul Cunningham on May 7, 2009

Sometimes it seems as though a lot of effort is put into hiding email addresses, keeping them private, and screening them heavily for any trace of spam or unwanted email.  Of course at the end of the day email is an important business communication channel and needs to be open and usable to provide any value to an organisation.

While Bob in Accounting has few dealings with people outside of the business and doesn’t mind a strong spam filter protecting his email account, there is a good chance that Helen in Sales doesn’t feel the same way.  The sales team wants to receive new opportunities via email without the risk that a spam filter will block a message and lose them a valuable lead.

Oftentimes this means that an email address is publicly advertised on websites and marketing literature so that sales enquiries can be received.  Something nice and generic like sales[at]contoso.com is used, and the Sales team asks the email administrator to make sure no genuine enquiries are blocked.

Are CAPTCHAs Doomed?

Written by Brett Callow on April 15, 2009

In a recent post at TheEmailAdmin, I grumbled briefly about how annoying CAPTCHAs can sometimes be. Scratch that. It’s not a case of “sometimes” – I find them to be annoying all the time! The problem I have is that I usually cannot read the things. Maybe I’m stupid, but it’s often the case that I simply cannot tell whether a particular squiggly-wiggly line is supposed to be a “2” or a “Z” or an “8” or a “B”. Unfortunately, the bad guys seem to have no such problems and routinely break CAPTCHAs – see, for example, the post Microsoft’s CAPTCHA Cracked Again.

This leads to the question: are CAPTCHAs doomed? I suspect that the answer is, yup, there is very little doubt that CAPTCHAs will become a thing of the past. Here’s why:

1. I seriously doubt that it will be possible to devise a CAPTCHA that cannot be broken. Yup, people are working on CAPTCHAs which they claim will be much more difficult to break, but I don’t think that they’ll succeed. Where there’s a will there’s a way and, given enough incentive, the bad guys will almost certainly be able to find a back door.


3D CAPTCHA Technology Unveiled

Written by Sue Walsh on March 27, 2009

Captcha was once cutting edge technology in the fight against spam, but not anymore. These days the systems are being cracked regularly, with Google, Microsoft, and Hotmail among the victims. Now, a 3D-based Captcha system claims to be both unbreakable and easier for humans to solve than the old text based systems.

The system was developed by social website Yuniti.com. It works by asking users to identify 3D objects rather than words or numbers. There are three objects to be identified and the list is endless, making it even harder for scammers to guess correctly.

This seems like an excellent idea. The current Captchas have lost most of their effectiveness. The ones that do still seem to work often frustrate legit users, and the last thing you want is potential customers leaving your site in disgust because the Captcha image they need to solve is too difficult to decipher. This costs you business and can lead to negative word of mouth among other potential customers.

You can try the new 3D Captcha at Yuniti.com. There’s no word yet on when it will be available for widespread use.

Microsoft’s CAPTCHA Cracked Again

Written by Sue Walsh on February 25, 2009

Hackers have again managed to crack Microsoft’s CAPTCHA system, allowing them to set up thousands of accounts on the Windows Live Hotmail service and spam from them. This latest attack differs from previous ones in that the hackers no longer use command and control automation. This time they used encrypted communications between the spammers’ bot-controlling servers and the infected PCs, also known as zombies, that they control.

According to security researcher Sumeet Prasad this is how it’s done:

          In this attack the CAPTCHA-breaking host or bot server injects encrypted instructions onto a compromised machine. The encrypted code includes templated sign-up instructions with the spammers’ predefined credentials, such as a Windows Live ID, password, first name and so on, along with CAPTCHA-breaking instructions such as “image send and code receive.”

The bot-infected client then decrypts and follows the instructions from the CAPTCHA-breaking host or bot server and connects to the Live Hotmail site to sign up for an account. The bot continues to the secured Live Hotmail signup page, where it attempts to fill in all predefined credentials. The compromised machine sends the CAPTCHA image request to the CAPTCHA-breaking host. The compromised machine receives the scrambled CAPTCHA code from the CAPTCHA-breaking host, descrambles it and completes the signup process.

The bot repeats this process over and over, potentially creating multiple accounts.
