About Me

Francois Paget

Francois Paget
Senior Threat Researcher

Read More

Blogs

Feeds & Podcasts

Meet the Bloggers

Archive

Tags

#McAfeeFOCUS, #MFETrivia, #SecChat, #SecurityLegos, $1 million guarantee, 3DS, 3G, 12 Scams of Christmas, 99 things, 419 scam, 2011 Threats Predictions, 2012, 2012 London Olympics, 2012 Security Predictions, 2012 Virtual Sales Kickoff, Abbreviation, access to live fraud resolution agents, Account Takeover Scams, Accredited Channel Engineer, ACE, ACE certification partner, Acquisition, addiction, Adobe, adult online content, advance-fee fraud, Advanced Persistent Threat, advanced persistent threats, adware, AET, affiliate marketing schemes, Alex Merton-McCann, Alex Thurber, AMTSO, analysis, Android, Android/FakeToken, Android/FakeUpdates, Android/NickiSpy, android antivirus, Android Bot analysis, Android Dropper, Android Exploit, Android Malware, Android Malware Analysis, Android Market, Android Mobile Malware, Android Rooting Exploit, Android security, android security app, Android SMS broadcast, animation, Annual Partner Survey, Anonymous, Anonymous Group, anti-malware, anti-phishing, anti-spam, anti-spyware, anti-theft, anti-virus, anti-virus program pops up, Antievasion, antivirus, Antivirus software, APIs, App Alert, Apple, application blacklisting, application developers, applications, application security, app protection, apps, app safety, app security, APT, Arun Sabapathy, ASIC, ATM scams, ATM skimming, attack, attacks, Australia, authentication, automobile, automotive, AutoRun malware, AV-TEST.org, award, awards, Backdoor, Back To School, Bad Apps, balanced scorecard, bank accounts, bank fraud, banking, banking fraud, Belarus, Bernie Madoff, best practices, beyond the PC, Big Data, big security data, bill collectors call for nonpayment, Bin Laden Scams, Biological Computer, Bitcoin, BlackBerry, Black Hat, Blackhat, black hat hackers, blue screen, Bluetooth, book, bot, botnet, botnets, bots, Brazil, breach, Brent Sanders, bueno, buffer overflow, Business IT, C-SAVE program, Cameron Diaz, canada online scams, CanSecWest, car hacking, case study, celebrities, certification, chain mails, Change Control, channel partner, Channel Partners, Channel Partner Town Hall, Channel Program, Channels Town Hall, Charity Phishing Scams, child identity theft, children online safety, children safety online, child safety, Chile, China, chris barton, christmas, Christmas scams, christmas shopping, Christmas shopping concerns, Christmas shopping crimes, chromebook, CIO Insomnia Project, CISO Executive Summit, Citrix, Civil War, class action lawsuit, clickjacking, cloud, cloud apps, Cloud city, Cloud computing, Cloud Expo, cloud security, Cofer Black, collaboration, college students, Commercial/SMB, Commercial and Enterprise Deal Registration, Compliance, computer, computer issues, computers, computer security, computer support, conference, Conficker, consolidation, Consumer, consumerization, consumerization of IT, consumer threat alert, consumer threats, Consumer Threats Alert, Content Protection, Continuing Education, cookies, Corporate Responsibility, counter identity theft, creating safe passwords, creating strong passwords, credit card fraud, credit card fraud and protection, credit card skimming, credit card thefts, credit fraud alerts, credit monitoring, credit monitoring and resolution, credit scores, crimeware, critical infrastructure, cross-site scripting, CSP, currency, customer service, CVE-2012-0158, Cyber, cyber addiction, cyber attack, cyberattacks, cyber bullying, cyberbullying, Cybercrime, cybercrime, cybercriminal, cybercriminals, cyber criminals, cybercrooks, cyberespionage, cyber ethics, Cyber Insurance, Cyber Intelligence Sharing and Protection Act of 2011, cybermom, Cyber Monday shopping, cyber mum, cybermum, Cybermum India, Cyber risks, cybersafe, cybersafety, cyber safety for women, Cyber savvy mom, cyber scams, cyberscams and identity theft, cybersecurity, cyber security, cyber security awareness, cybersecurity concerns, Cyber Security Mom, cybersecurity mom, cybersquatter, cybersquatting, cyberterrorists, cyber threat, cyberthreats, cyberwar, dangerous searches, Darkshell, data, Database, database activity monitoring, database security, data breach, data breaches, Datacenter, data center, data center security, Data Classification, data loss, Data Loss Prevention, Data Protection, Data Protection Act, dating scams, Dave DeWalt, Dave Marcus, David Small, DDoS, Deal Registration, decade of cybercrime, deceptive online promotions, dedicated security appliances, Deep Command, Deep Defender, DeepDefender, Deepika Padukone, DeepSAFE, DefCon, DefCon Kids, denial of service, denied credit, Department of Commerce, device, Device Control, devices, dewalt, digital assets, digital assets worth, Digital Certificates, digital devices, digital gadgets, digital music and movie report, distributed denial of service, DLP, Dmitri Alperovitch, DoS, DougaLeaker, download, downloader, downloaders, drivers license, drivers license identity theft, dumpster diving, Duqu, e-card scams, e-gold, e-mail id, earnings, easter, Easter scam, eBay, ecards, ecard spam, eCommerce, Ecuador, education, Eelectric Vehicle, EFF, election, email, Email & Web Security, Email & Web Security, email accounts, Email Protection, email scam, email scams, email security, email spoofing, embedded, embedded devices, Embedded Security, EMEA, Emerging Markets, Emerging Market Security, EMM, employment fraud, Employment Identity Theft Scams, encryption, Endpoint Protection, Endpoint Security, Endpoint security suite upgrade, energy, Enhanced Deal Registration, enterprise, enterprise mobility, enterprise resource planning, enterprise scurity, enterprise security, epayment, epo, ePO Deep Command, ePO DeepCommand, ePolicy Orchestrator, Epsilon, epsilon security breach, ERP, ESM, espionage, etiquette, EV, Exif, exploit, Exploit for Android, exploiting real brand names, exploits, facebook, Facebook Security, Facebook spam, Facial recongnition, fake-av, fake alert, fake ant, fake anti-virus software, fake anti virus, Fake AntiVirus, Fake Anti Virus Scams, fake emails, Fake Identity, fake software, fake system tool programs, fake updates, fake websites, false, families online, family, family identity safety, family online safety, family protection, Family Safety, Farmville, FBI, FDCC, fictitious identity theft, FIFA, file sharing, financial scams, Financial Security, Firesheep, firewall, FISMA, Fixed Function Devices, Flash, flashback, Focus, Focus11, FOCUS 2011, forrester, forwards, Foundstone, France, France Law, fraud, fraud resolution, fraud resolution agent assistance, fraudulent credit card or bank charges, free, Free gift card scam, Free giveaway scam, freely downloadable morphing tool, free money scam, free money scams, free WiFi spots, french, French Law, Friday Security Highlights, FTC, games, gaming, gaming consoles, Garter, Gartner, Gartner Security and Risk Management Summit, Gavin Struthers, Gaza, George Kurtz, geotag, gift cards and iPad promotions online, gift online shopping, gift scams, Global Cybersecurity, Global Payments, Global Risk 2012 report, Global SecurityAlliance Partner Summit, global threat intelligence, gmail, gold software support, good parenting, google, google code, Google Play, government, GPS, gratis, GSM, GTI, hacker, Hackers, hackers steal credit card numbers and sensitive personal data, hacking, Hacking Exposed, Hacktivism, Hacktivity, harassment, HB1140, Healthcare, heidi klum, Here you have worm, Heuristics, Hi5, HIPAA, Hispanic, hoax, hoax - slayer, holiday gifts, holiday malware, Holidays, holiday scams, holiday screensavers, holiday shopping, holiday shopping fraud, holiday websites, home network issues, host intrusion prevention, Host IPS, household devices, how to protect devices, how to secure wireless connection, how to set up wi fi, how to talk to kids, how to talk to teens, HV, Hybrid Vehicle, ICS, IDC, identify potential cyber-threats, identify spam, identity as a service, identity exposure, identity fraud, identity fraud scams, Identity Management, identity protection, identity protection $1 million guarantee, identity protection alerts, identity protection fraud, identity protection surveillance, identity surveillance, identity theft, identity theft celebrities, identity theft expert, identity theft fraud, identity theft protection, identity theft protection identity protection fraud, identity theft protection product, identity theft resolution, identity theft ring, identity theft risk, identity theft scams, identity theft tax scams, Identity thieves and cybercriminals, identity threat protection, IDF 2011, ID theft, iframe, IIM Bengaluru suicide case, illegal immigrants, impersonation, in.cgi, Incident Response, Incumbency Advantage Program, India, India cybermum, Indian kids, Indonesia, industrial control systems, infected mobile apps, information collected by advertisers or social media marketing, Information leak, Information Protection, Information Security, Information Warfare, Infrastructure, Initiative to Fight Cybercrime, innovation, insiders, Insider Threats, integration, Integrity, Integrity Control, intel, Intel Cloud SSO, intellectual property, internet addiction, internet connected devices, Internet Explorer, Internet filtering, internet identity trading surveillance, Internet monitoring, Internet Phishing Scams, internet privacy, Internet Safety, internet security, internet security tips, internet time limits, Interop, in the cloud, IntruShield, intrusion prevention, In vehicle Infotainment, investment scams, iOS, IP, iPad, iPad scams, iphone, IPS, IPv6, IRCBOT for android, IRS, IRS scams, I Series, IT, IT as a Service, itouch, IT Security, IT Security market, Japan, japan earthquake malware, japan earthquake safe donation, japan earthquake scams, japan tsunami scams, java, JavaScript, job applications, Joe Sexton, John Bernard Campbell, julian Assange, kama sutra koobface, Katrina Kaif, keep family PC safe, Kernel 0day vulnerability, keycatchers, keyloggers, kids, kids online behavior, kids online safety, kids safety, king county, koobface, kurtz, labs, laptops, Larry Ponemon, LART, Late Payment Scam, law, law enforcement, LCEN, legal, legal identifier, legal risk, Legos, linkedin, Linux, Linux/Exploit:Looter Analysis, Linux and Windows, live-tweeting, live access to fraud resolution agents, lizamoon, Lloyds, Location services, Lockheed Martin, logging out of accounts, login details, LOIC, Looter Analysis, Lori Drew, loss of gadgets, lost, lost or stolen driver’s license credit cards debit card store cards, lost or stolen Social Security card or Social Security number, lost or stolen wallet, lost wallet protection, lottery, luckysploit, LulzSec, M&A, mac, mac/OSX, Mac antivirus, mac malware, Mac malware and threats, Mac OSX, Mac OS X, Mac security, mac threat, mailbox raiding, Mail fraud, mail order bride spam, Malicious Android Application, malicious apps, malicious files, malicious program, Malicious QR Code, malicious sites, malicious software, malware, Malware Experience, malware forums, Malware research, malware threats, malweb, managed security services, Management, managing personal affairs online, map, mapping the mal web, maps, Marc Olesen, Mariposa, mass mailing worm, mass sql injection, mastercard, Maturity Model, mcaf.ee, McAfee, Mcafee's Who Broke the Internet, McAfee-Synovate study, mcafee all access, McAfee AntiSpyware, McAfee Antivirus Plus, McAfee Application Control, McAfee Channel, McAfee Channel Partner, McAfee Cloud Security Platform, McAfee Consumer Threat Alert, McAfee Data Loss Prevention, Mcafee DLP, McAfee Email Gateway 7.0, McAfee EMM, McAfee Employees, McAfee Enterprise Mobility Management, McAfee ePO, McAfee ePolicy Orchestrator, McAfee Facebook page, McAfee Family Protection, McAfee Family Protection for Android, McAfee Firewall Enterprise, McAfee FOCUS, McAfee FOCUS 2011, McAfee Identity Protection, mcafee identity theft protection, McAfee Initiative to Fight Cybercrime, McAfee Internet Security, McAfee Internet Security for Mac, mcafee internet security for mac; mcafee family protection for mac, McAfee Labs, McAfee Labs Q3 Threat Report, McAfee Labs Report, mcafee mobile, McAfee Mobile Security, McAfee MobileSecurity, McAfee MOVE, McAfee MOVE AV, McAfee Network Security Platform, McAfee Network Threat Response, McAfee NSP, McAfee Partner, McAfee Partner Learning Center, McAfee Partner of the Year Award, McAfee Partner Program, McAfee Partner Summit, McAfee Policy Auditor, McAfee Q4 2011 Threat report, McAfee research, McAfee Rewards, McAfee Risk Advisor, McAfee Safe Eyes, McAfee Safe Eyes Mobile, McAfee Scan and Repair, McAfee SECURE, McAfeeSECURE, mcafee secure shopping, McAfee Security Journal, McAfee Security Management, McAfee security products, McAfee security software, McAfee security software offer, McAfee Security Webinars, McAfee SiteAdvisor, McAfee Site advisor, mcafee spamcapella, McAfee TechMaster services, McAfee Threat Predictions, mcafee threat report, mcafee total protection, McAfee Vulnerability Manager, McAfee Vulnerability Manager for Databases, mcafee wavesecure, McAfee® Internet Security Suite, McCain, medical identify theft, Medical identity theft, medical records, michael jackson, Microsoft, Microsoft Security Bulletin, Mid-Market, Middle East, Mike Decesare, Mike Fey, MMORPG, Mobile, mobile antivirus, mobile app, mobile applications, mobile apps, mobile banking, mobile carriers, Mobile Commerce, mobile data communications, Mobile Data Protection, mobile data protocols, mobile device, mobile devices, mobile devices and security threats, mobile devices issues, mobile identity security, mobile malware, mobile phones, mobile phone spyware, mobile protection, mobile safety tips, mobile scam, mobile security, mobile security app, mobile security software, mobile smartphone security, mobile spam, mobiles security, mobile threats, mobile wireless internet security concerns, Moira, Moira Cronin, mom, money laundering, monitor a child’s identity, monitor credit and personal information, monitoring, Morphing, most dangerous celebrities, Mother's day, mothering, mothering advice, mothering boys, mothering Internet safety, Mother’s day spam, movies, MS12-020, M Series, msn spaces, multiple devices, multiple social security numbers, mum, Mummy blogger, myspace, MySQL, mystery shoppers, NACACS, national cybersecurity awareness month, National Cyber Security Awareness Week, national identification card, NCSA, ndr, near field communication, Netbook, netiquette, Network Evasions, Network Perimeter Security, Network Security, Network Security; Email & Web Security; Security-as-a-Service, network security server security, New teen survey, new year resolution, New York Times, next-gen IPS, Next Generation, next generation data center, Next Generation IPS, NFC, NickiSpy, Nigerian 419 Scam, nigerian scam, Night Dragon, NIST, Nitol, NitroSecurity, Nitro Security, NitroView, north america, North Korea, NotCompatible, Oak Ridge National Laboratory, obama, Occupy Wall Street, OCTO, OLE, olympics, Olympic scams, OMB, online, Online Backup, online banking, online banking safely, online book shopping, online bookstore, online child safety, online coupon scams, online credit fraud, online danger, online dangers, online dating, online e-tailers, online ethics, online fraud, online game, online games, online game spam, online gaming, online gangs, online harassment, online marketing sites, online personal data protection, online predators, online safety, online safety for kids, online safety of kids, online safety tips, online scams, online search, online security, online security education, online shopping, online shopping risks, online shopping scams, online shopping threats, online spam, online surfing, online survey scam, online threat, onlinethreats, online threats, online video, Open Source, operational risk, Operation Aurora, Operation Shady RAT, Optimized, Orange, organized crime, organized criminals, OS/X, oscars, outages, outlook, OWASP, P2P, PARC, parental advice, Parental control, parental controls, Partner Acceleration Resource Center, Partner Care, partners, Partner Summit, passport, password, password complexity check, passwords, password security, password stealer, Pastebin, patch, Patch Tuesday, Patmos, Paul Otellini, pay-per-install malware, Payload, payment, paypal, PC, PC Addiction, PCI, PCI Compliance, PCI DSS, PCs, pc security, PDF, pedro bueno, peer to peer, Peer to Peer file sharing, Pemberton, perception, personal identity fraud, personal identity theft, personal identity theft fraud, personal information, personal information loss, personal information over mobile phones, personal information protection, Personal information security, personal privacy, personal protection, peter king, Phantom websites, phishing, phishing kits, phishing scams, phishing shareware, pickpockets, pic sharing, piers morgan, PII, Pin scams, pinterest scam, piracy, Playstation, policies, Ponemon Institute, Ponzi scam, pop ups, pornography, Postcode Lottery, posting inappropriate content, posting videos online, PostScript, potential employers, Potentially unwanted program, power grid, power loss, Pre-detection, Pre-Installed Malware, predictions, Premium SMS Trojan, president obama, Printers, privacy, Privacy Awareness Week, privacy setting, privacy settings, proactive identity protection, proactive identity surveillance, Products, promotion, Protect all devices, protect devices, protect digital assets, protection, protect teens, provide live access to fraud resolution agents, Public-Private partnerships, public policy, Public Sector, puget sound, Pune Police, pup, PWN2OWN, pws, qr code, QR codes, quarterly threat report, Ramnit, RAT, rdp, Rebecca Black, Records phone conversations, reference architecture, regulation, regulations, Renee James, reporting, reputational risk, Rep Weiner, research, resolutions, responsible mail, restore credit and personal identity, retail, RFID, ring tones, risk, Risk Advisor, risk and, Risk and Compliance, Risk Management, risk of personal information loss, risks of online shopping, risky, Riverbed, Robert Siciliano, roberts siciliano, rogue anti-virus software, rogue applications, Rogue Certificates, ROI, romance scams, Rookits, Rooting Exploit, rootkit, RootkitRemover, Rootkits, RSA, RSA 2010, RSA 2012, RTF, Russia, s, SaaS, SaaS Monthly Specialization, SaaS security solutions, safe, safe email tips, safe online shopping, safe password tips, Safe search, safe searching, Safe surf, safe surfing, safe transactions, SAIC, Salesforce.com, Saudi Arabia, Saviynt Access Manager, SCADA, scam, scammers, scams, SCAP, scareware, SchmooCon, schools, screensavers, sear, search, Search engine optimization, Search engine poisoning, SEC Guidance, SecTor, secure cloud computing, Secure Computing, secure container, secure data, secure devices, secure new devices, secure smartphone, secure wi fi, security, Security-as-a-Service, Security 101, Security and Defense Agenda, security attacks, security awareness, security breach, security breaches, security conferences, Security Connected, Security Connected Reference Architecture, Security Influence, security information and event management, security landscape, security management, security metrics, security optimization, security policy, Security Seals, security software, security threats, self-defence, sensitive data, sensitive documents, Sentrigo acquisition, seo abuse, settings, sexting, Shady RAT, SharePoint, shopping scams, shortened URLs, short url, SIA Partners, SIEM, simple safety tips, SiteAdvisor, site advisor, Situational Awareness, SlowLoris, Small Business, Smart Grid, smartphone, smartphones, smartphone safety, smartphone security, smart phone threats, SMB, SMB Advisor Tool, SMB Extravaganza, SMB Specialization, smishing, sms, SMS Lingo, sniffing tools, social business, social engineering, social media, social media online scams, social media passwords, social media threats, social network, social networking, social networking best practices, social networking scams, social networking sites, social networking sites security, social networks, social responsibility, Social Security, Social Security Card, social security number, Social Security number fraud, social security number theft, Social Security number thefts, software, Software-as-a-Service, solid state drive, Sony, South Korea, spam, spam mail, Spams, spear, Spearphishing, Spellstar, SpyEye, Spyware, sql attacks, SQL Injection, SSN fraud, st. patricks day, State of Security, stay protected online, stay safe from phishing, Stealth, stealth attack, stealth crimeware, stealth detection, Steve Jobs, Stinger, stolen cards, stolen mail, stolen medical card, stolen passwords, stolen Social Security number thefts, Stop.Think.Connect, storage, student loan applications, Stuxnet, subscription, substation, Suites, summer activities, Summer holidays, summer vacation, Support, support services, surfing, suspicious messages, swine flu, Symbian, T-Mobile, Tablet, tablets, tablet security, TAGITM, targeted attacks, taxes, tax filing tips, taxpayer warning, Tax Preparer Scams, tax returns, tax scams, tax season reminder, TCO, teacher abuse over the internet, Tech Data, tech gifts, technical support, technology development, technology trends, teen hate video, teens, teens online dating, teens online safety, teens posting video, Telecommunications, Testing, text message, text messaging, The VARGuy, threat, threat reduction, Threats, threats on women's day, thurber, Tips, tips and tricks, Tips for Consumers, tips to mobile security, tips to stay safe online, TJX, Todd Gebhart, toolkit scam, tools, Total Protrection 2012, TPM, traffic manager, travel related online scams, travel risk, travel security, trending topics, trojan, trojan banker, trojans, Trust and Safety, Trusted Computing Module, trustedsource, trusted websites and web merchants, Trustmark Security, tweens, tweet, Tweets, twitter, Twitter celebrities, Twitter online security, twitter spam; phishing; twitter scam, type in website address incorrectly, types of phishing, typing in incorrect URLs, typos, typosquatting, U.S. Cyber Challenge Camps, UAE, Ultrabook, unauthorized credit card transactions, Underground Economies, unique password, United Arab Emirates, unlimited technical support, unprotected PCs, unsecured unprotected wireless, unsecured unprotected wireless security risks, unsecured wireless, Unsecure websites, unsubscribe, UPS scam, UPS scams, urchin.js, URL hijacking, URL shortening services, USB drives, use of cookies advertising personal security, use of Social Security number (SSN) as national ID, US ESTA Fee Scam, US passport, US Visa Waiver Program scam, valentine scams, valentines day scams; romance scams; email spam, valentines day scams; romance scams; valentine threats, Vanity Fair, vbs, Vericept DLP, verify website's legitimacy, ViaForensics, video game, vinoo thomas, violent video games, Virtualization, VIrtual Machines, Virtual Sales Kickoff 2012, virus, Viruses, Virus protection, VirusScan Enterprise with ePO 8.8, visa, vista, VMworld 2011, Vontu DLP, vPro, vulnerability, vulnerability management, Vulnerability Manager, vulnerability manager for databases, waledac, WAN, water facility, water pumps hacked, water treatment facilities hacked, wave secure, web, Web 2.0, Webinar, web mobs, web protection, web searches, web security, Websense DSS, Web services, web sites, web threats, welfare fraud, wells fargo, what to do when your wallet is lost missing or stolen, white hat hackers, Whitelisting, Wi-Fi WEP WAP protection breach, wifi, Wii, wikileaks, windows, Windows 7, Windows Mobile, Wind River, work with victim restore identity, World Cup, world of warcraft, worm, Worms, wrong transaction scam emails, www.counteridentitytheft.com, Xbox, Xerox, xirtem, xmas, xss, youth, youtube, you tube videos, Zbot, Zero-Day, ZeroAccess, zeus, zombie, zombie computers, zombies, • Facebook etiquette, • Most dangerous celebrity, • Parental control
McAfee Labs :

Cracking CAPTCHA: Another Russian Business

Friday, October 10, 2008 at 11:37am by Francois Paget
Francois Paget

We’ve already written about CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), the mechanism used to protect web sites, forums, and mailing systems against the automatic creation of accounts and contents. As my colleague Tad Heppner wrote in his November 2007 post, most common CAPTCHA systems work by generating distorted characters, text, or pictures that can be easily recognized by the human brain but present significant difficulty for computer-based optical character recognition or other image-recognition systems.

It should come as no surprise, however, that spammers continue to try to crack CAPTCHA. We’ve now seen a new version of a professional spammer tool on the web. XRumer 5 sells for $520 and promises advanced CAPTCHA decoding methods.

For a long time spammers have searched to defeat CAPTCHA mechanisms to create fake email accounts to send spam. Before telling you more about this new crooked utility, let’s review some older techniques used by spammers.

As shown in the following image (source XMCO), the most common CAPTCHA methods can be broken.

The first method of cracking is manual. People from developing countries offer services. The competition is intense. On some dedicated forums, proposals surge in from Vietnam or Bangladesh. They claim that lots of people are ready to work 24 hours a day to process hundred of thousands of CAPTCHA. Rates vary from $8 to $1 per 1,000 CAPTCHA.

A less expensive solution consists in using private individuals to do the work free of charge. I am sure some readers remember this unusual offer, in which it was possible to undress “Melissa” in exchange for some CAPTCHA work. This allowed a spammer to create fake Yahoo Mail accounts.

It is also possible to find free web services. The CAPTCHA Killer web site offers such services. Its designer claims the offer “is 100% focused on increasing accessibility on the Internet” for the “1 Million Americans that suffer from blindness.” The service makes available an API to automate the process. However, I was not surprised to read a cross-reference on that site saying they have been notified that using CAPTCHA Killer with Myspace was against the latter’s Terms of Service.

A very technical approach uses rainbow tables, in which each CAPTCHA image is associated with its character string. In March 2008, someone nicknamed Maluc created PHP scripts to download, extract, and save thousands CAPTCHA images from Yahoo, Google, and Hotmail. When finished, each collection will help spammers create new recognition tables or verify the accuracy of its OCR algorithm. When successful, only one millisecond is needed to compare a new footprint with the ones included in the database. You have to pay between $1,500 and $5,000 for such algorithms, which suppress the noise, create a black-and-white picture, break it into segments (one letter per segment), and identify the character.

A programmer called Wangrun in the Chinese province of Anhui says he developed software to decode CAPTCHA systems. Depending on the complexity of the CAPTCHA image, he charges between $500 and $6,000 per decoder. No price is quoted for the most difficult images but, in a comment, he writes it is feasible. Wangrun declines to say what his customers use the decoders for, but says he has “very many” of them.

Spammers can also use zombie machines to help them crack CAPTCHA. We’ve read on the Virus Bulletin web site that compromised systems making up a large botnet were recently used to help in the registration process for Windows Live Mail accounts. When the bot (detected by VirusScan as Generix.dx) asked for registration, it received a CAPTCHA and immediately presented its image to a central server that attempted to decode it and returned the result. The decipher technique was successful only around 35 percent of the time, VB said, but a new idea was launched. The fact that large numbers of infected systems were running repeated attempts suggests a high number of new accounts for spamming were created at that time.

Finally, turnkey tools are another method for defeating CAPTCHA defenses. XRumer 5 is one of them. It can flood message and links forums, guestbooks, blogs, wikis, etc. It automatically finds and fills in required fields with no need of a browser. If the forum requires registration, the program will register, log in, and post the spammer text. XRumer goes beyond JavaScript protection, pictocode protection (typing a number displayed in a box), and protection by e-mail activation. If a CAPTCHA image is detected, the program automatically downloads it, analyzes it, and fills in the form.

Version 5 can work on most recent versions of popular engines such as VBulletin, IPB, and phpBB, according to its creator. XRumer can also create accounts on gmail.com for posting. And its clients seem happy. One of them wrote last week on a forum “all that for only $500? It’s very cheap! I’d easily charge 2k for that. Solving gmail captcha is no joke. I paid 4k just for that from an OCR developer. ”¦”

XRumer is also able to solve the “pick the cat captchas” presented in picture below.

On October 3, XRumer’s maker explained he analyzed many forums and discovered that most of this type of CAPTCHA used identical pictures. Thus XRumer can distinguish them by their sizes in bytes. And it concludes: “It’s so easy, isn’t it? Oh, they can make some distortion on images? Well, we have a time to improve our algorithm. We analyze forums, blogs, guestbooks permanently, and there is one important thing: that type of captchas used not more than 0,01% of resources (1 of 10,000 sites).”

Once again, we are reminded that malware design is a business. And once again, my searches drive me to Russia, where criminals create and employ malicious software as well as engage in identity theft and virtual prostitution. The company or individual behind XRumer appears to be the same as that which proposed an automated sex-talk service called CyberLover.ru in 2007. One name I got from a whois request today is Alexander Ryabchenko. When the media pointed the finger at him in 2007, Ryabchenko emailed to Reuters that he could not be accused of identity theft with the CyberLover concept. He explained “the program can find no more information than the user is prepared to provide.”

If anyone should ask Ryabchenko why he commercializes XRumer, I suggest he repeat the CAPTCHA Killer web site argument: to help the million people suffering from blindness.

Bookmark and Share

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

CAPTCHA Image

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (9)

  • Marget June 9, 2009 1:32AM

    Once it successfully registers, XRumer may take steps to avoid human detection by first posting an innocuous question regarding a specific product or service. The point of all the subterfuge is to boost the Google page rank of a site by bombarding multiple forums with product/service mentions and discussions. Users that can be tricked into posting their own links (perhaps in an attempt to demonstrate where a product may be found) only help the program perform its primary function.

    Reply
  • Mark S March 11, 2009 6:15AM

    @BenG, obviously you have no idea how to protect forms. I don’t care how much code you deploy for the bot to enumerate the form fields. If I setup100 buttons with the form with only one button visible your lousy bot now has to go through the stylesheet(s) given for the particular page and particular load and start decoding the css to find out which of the 100 buttons is the right one. Good luck with that, you have my sympathy.

    I have integrated simple HTML forms for reviews on sites with thousands daily unique ips, and never had a single spam incident. But hey keep the captchas they make your pages colorful too.

    Reply
  • Ben G February 17, 2009 5:09AM

    to Mark S.
    wow. I’m not quite sure where to start, you’re so off the mark. Bots don’t care how complex your html pages are, or how many fields are required, etc. It is a _very_ simple task to write software to enumerate all of the fields on a static html page, fill in every field & then submit. The point isn’t to send spam to the world, but to start a DoS attack against your protection for various reasons: spite, curiousity, making defenses fail in order to attack, etc.

    CAPTCHA are not “marketing ploys”, they’re just a tool designed to stop bots from bringing down your site. I suppose you think firewalls are just a salesman’s gimmick & you don’t need ‘em either.

    Reply
  • Jimm B November 17, 2008 2:51PM

    here is another captcha killer
    www.captchabot.com

    Reply
  • Dog-man November 15, 2008 7:10PM

    intresting, it is a never-ending cat and mouse game, im working ong a program that generates random CAPTCHA …if intrested let me know.
    Dog-mn

    Reply
  • Mark S November 2, 2008 7:37AM

    It’s a total waste of time deploying captchas if it’s to block automatic forms submission. You should use plain html instead. It is completely transparent to your human visitors no crossed images and no active content, no jscripts or the like.

    what’s this with the captchas anyways? another marketing opportunity? If forms aren’t complex enough, lets add some extra lousy input boxes and images, maybe they’ll attract more visitors right?

    Reply
  • Alex October 24, 2008 9:14PM

    Xrumer and other programs for spam will die only when search engines will refuse link popularity. Thanks for interesting article.

    Reply
  • Simon Hunt October 14, 2008 7:41AM

    Very interesting article!

    Reply
  • Capri October 13, 2008 7:11PM

    Visual image captchas are bad. They block out and discriminate against visually impaired users, punishing them as spammers.

    Visual verification that requires you to enter characters in an image you see, or answer a question about what’s in an image you see, blocks out anyone with a visual impairment.

    Clicking to get a larger image displayed does nothing at all for people with severe vision impairments who cannot even read large print.

    Audio captchas are becoming available on a growing number of sites, but even they aren’t good enough. The deaf-blind use braille displays and cannot see a picture or hear a corresponding sound.

    Captchas force the blind to surrendor what independence they once had on site registration and forms, reducing them to begging a sighted person or site admin for help in account creation, form submittal, group creation, anywhere there is a manditory visual verification code.

    As if that wasn’t bad enough, Many of these captcha-using sites add further insult to the visually impaired when they demand you to prove you are human by entering in a visual code. If you are blind and you cannot see an image, does that disqualify you as a member of the human race? According to captcha, yes!

    This is not a tiny little inconvenience that occurs every once in a blue moon, but an ongoing, day to day problem. Trying to register, make comments, create groups, or fill out any form to completion is a crapshoot if you are visually impaired. If you are on your own, trying to make a submission on a site and you are pressed for time, you are completely out of hope when you run up against a captcha and there is no one you can get to help you.. Site administrators may or may not have time or the desire to help you.

    When you find yourself running up against this cyber face-slapping half or more than half the time you try to make submissions to various sites, it is demoralizing. You are told again and again that you are not welcome, you are not human, forced to pester a site administrator or someone else for help with something you could do on your own before, and as far as the site administration goes, you do not exist and are not worth consideration.

    It’s infuriating and a threat to the dignity of people who are at the mercy of visual verification captchas.

    In addition to blind users having the door shut in their faces at sites that use visual captchas, It is evident that spam problems still occur as much as ever on sites that use captchas, proving captcha to be a cure that’s worse than the disease.

    If a site administrator feels so strongly that they must employ a captcha, there is a newer, truly accessible variety that should be more effective. It prompts you with a question in text format and requires you to fill in the answer. the questions should not require a person to be able to see an image to answer.

    Bad examples: Which number in the picture is red?” “Which animal in the picture above has four legs?” How is someone who can’t read print and has to rely on a screenreader supposed to know that?

    Good examples: “How many legs does a cat have?” “What’s 2+2?” Math questions can be asked in a number of different ways to hault a bot and still be accessible to a user. “What’s 6 divided by 2?” What’s 5 added to 3?” Even “What color is an orange?” is still a good example, because everyone except the bots, sighted or not, knows the answer.

    Reply