We’ve already written about CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), the mechanism used to protect web sites, forums, and mailing systems against the automatic creation of accounts and contents. As my colleague Tad Heppner wrote in his November 2007 post, most common CAPTCHA systems work by generating distorted characters, text, or pictures that can be easily recognized by the human brain but present significant difficulty for computer-based optical character recognition or other image-recognition systems.
It should come as no surprise, however, that spammers continue to try to crack CAPTCHA. We’ve now seen a new version of a professional spammer tool on the web. XRumer 5 sells for $520 and promises advanced CAPTCHA decoding methods.

For a long time spammers have sought to defeat CAPTCHA mechanisms so they can create fake email accounts and send spam. Before telling you more about this new crooked utility, let’s review some older techniques used by spammers.
As shown in the following image (source XMCO), the most common CAPTCHA methods can be broken.

The first method of cracking is manual. People from developing countries offer the service, and the competition is intense. On some dedicated forums, proposals surge in from Vietnam or Bangladesh. They claim that lots of people are ready to work 24 hours a day to process hundreds of thousands of CAPTCHAs. Rates vary from $8 to $1 per 1,000 CAPTCHAs.

A less expensive solution consists of getting private individuals to do the work free of charge. I am sure some readers remember this unusual offer, in which it was possible to undress “Melissa” in exchange for some CAPTCHA work. This allowed a spammer to create fake Yahoo Mail accounts.

It is also possible to find free web services. The CAPTCHA Killer web site offers such services. Its designer claims the offer “is 100% focused on increasing accessibility on the Internet” for the “1 Million Americans that suffer from blindness.” The service makes available an API to automate the process. However, I was not surprised to read a cross-reference on that site saying they have been notified that using CAPTCHA Killer with Myspace was against the latter’s Terms of Service.

A very technical approach uses rainbow tables, in which each CAPTCHA image is associated with its character string. In March 2008, someone nicknamed Maluc created PHP scripts to download, extract, and save thousands of CAPTCHA images from Yahoo, Google, and Hotmail. When finished, each collection helps spammers build new recognition tables or verify the accuracy of their OCR algorithms. Once the table exists, only one millisecond is needed to compare a new image’s footprint with the ones in the database. You have to pay between $1,500 and $5,000 for such algorithms, which suppress the noise, produce a black-and-white picture, break it into segments (one letter per segment), and identify each character.

A programmer called Wangrun in the Chinese province of Anhui says he developed software to decode CAPTCHA systems. Depending on the complexity of the CAPTCHA image, he charges between $500 and $6,000 per decoder. No price is quoted for the most difficult images but, in a comment, he writes it is feasible. Wangrun declines to say what his customers use the decoders for, but says he has “very many” of them.

Spammers can also use zombie machines to help them crack CAPTCHA. We’ve read on the Virus Bulletin web site that compromised systems making up a large botnet were recently used to help in the registration process for Windows Live Mail accounts. When the bot (detected by VirusScan as Generix.dx) asked for registration, it received a CAPTCHA and immediately forwarded the image to a central server, which attempted to decode it and returned the result. The decoding succeeded only around 35 percent of the time, VB said, but a new approach had been launched. The fact that large numbers of infected systems were running repeated attempts suggests a high number of new accounts for spamming were created at that time.
Finally, turnkey tools are another method for defeating CAPTCHA defenses. XRumer 5 is one of them. It can flood forums, guestbooks, blogs, wikis, etc. with messages and links. It automatically finds and fills in the required fields without needing a browser. If the forum requires registration, the program registers, logs in, and posts the spammer’s text. XRumer gets past JavaScript protection, pictocode protection (typing a number displayed in a box), and protection by e-mail activation. If a CAPTCHA image is detected, the program automatically downloads it, analyzes it, and fills in the form.
Version 5 can work on most recent versions of popular engines such as VBulletin, IPB, and phpBB, according to its creator. XRumer can also create accounts on gmail.com for posting. And its clients seem happy. One of them wrote last week on a forum: “all that for only $500? It’s very cheap! I’d easily charge 2k for that. Solving gmail captcha is no joke. I paid 4k just for that from an OCR developer. …”
XRumer is also able to solve the “pick the cat” CAPTCHAs shown in the picture below.

On October 3, XRumer’s maker explained that he had analyzed many forums and discovered that most CAPTCHAs of this type use identical pictures. XRumer can therefore distinguish them simply by their sizes in bytes. And he concludes: “It’s so easy, isn’t it? Oh, they can make some distortion on images? Well, we have a time to improve our algorithm. We analyze forums, blogs, guestbooks permanently, and there is one important thing: that type of captchas used not more than 0,01% of resources (1 of 10,000 sites).”
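As an added defender-side self-check (example code written for this page, not from the post or from XRumer; the image pool is constructed byte strings, not real pictures), the following builds the same size-keyed or hash-keyed lookup table described for the rainbow-table approach and for the “pick the cat” trick, then measures how many freshly served images it identifies. A site that reuses identical image files scores 100 percent; one that re-renders every request with per-request noise at a constant size scores zero.

```python
import hashlib
import random
from collections import defaultdict

# Constructed stand-in for a "pick the animal" image pool: one fixed rendering per label
# (fake PNG-like byte strings of different lengths, not real images).
BASE_IMAGES = {
    "cat": b"\x89PNG-cat" * 5,     # 40 bytes
    "dog": b"\x89PNG-dog" * 7,     # 56 bytes
    "bird": b"\x89PNG-bird" * 9,   # 81 bytes
}

def serve_static(rng):
    """Site that ships the identical image file every time (the case the post describes)."""
    label = rng.choice(sorted(BASE_IMAGES))
    return label, BASE_IMAGES[label]

def serve_rerendered(rng, size=96):
    """Site that re-renders each request: random noise is mixed into the base image and the
    result is padded to a constant size, so neither byte length nor content hash repeats."""
    label = rng.choice(sorted(BASE_IMAGES))
    base = BASE_IMAGES[label]
    noise = bytes(rng.getrandbits(8) for _ in range(size))
    img = bytes(b ^ n for b, n in zip(base, noise)) + noise[len(base):]
    return label, img

def by_size(img):
    return len(img)

def by_hash(img):
    return hashlib.sha256(img).hexdigest()

def lookup_hit_rate(serve, key, collected=300, trials=200, seed=7):
    """Collect `collected` labelled images into a key -> labels table, then report how often
    `trials` freshly served images are identified unambiguously from that table alone."""
    rng = random.Random(seed)
    table = defaultdict(set)
    for _ in range(collected):
        label, img = serve(rng)
        table[key(img)].add(label)
    hits = sum(table.get(key(img), set()) == {label}
               for label, img in (serve(rng) for _ in range(trials)))
    return hits / trials
```

Run the same audit against your own CAPTCHA endpoint’s output: any hit rate well above zero for `by_size` or `by_hash` means the image set leaks its answer without any OCR at all.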
Once again, we are reminded that malware design is a business. And once again, my searches lead me to Russia, where criminals create and employ malicious software as well as engage in identity theft and virtual prostitution. The company or individual behind XRumer appears to be the same one that offered an automated sex-talk service called CyberLover.ru in 2007. One name I got from a whois request today is Alexander Ryabchenko. When the media pointed the finger at him in 2007, Ryabchenko emailed Reuters that he could not be accused of identity theft with the CyberLover concept. He explained: “the program can find no more information than the user is prepared to provide.”
If anyone should ask Ryabchenko why he commercializes XRumer, I suggest he repeat the CAPTCHA Killer web site argument: to help the million people suffering from blindness.
Once it successfully registers, XRumer may take steps to avoid human detection by first posting an innocuous question regarding a specific product or service. The point of all the subterfuge is to boost the Google page rank of a site by bombarding multiple forums with product/service mentions and discussions. Users that can be tricked into posting their own links (perhaps in an attempt to demonstrate where a product may be found) only help the program perform its primary function.
@BenG, obviously you have no idea how to protect forms. I don’t care how much code you deploy for the bot to enumerate the form fields. If I set up 100 buttons with the form with only one button visible, your lousy bot now has to go through the stylesheet(s) given for the particular page and particular load and start decoding the CSS to find out which of the 100 buttons is the right one. Good luck with that, you have my sympathy.
I have integrated simple HTML forms for reviews on sites with thousands daily unique ips, and never had a single spam incident. But hey keep the captchas they make your pages colorful too.
to Mark S.
Wow. I’m not quite sure where to start, you’re so off the mark. Bots don’t care how complex your HTML pages are, or how many fields are required, etc. It is a _very_ simple task to write software to enumerate all of the fields on a static HTML page, fill in every field & then submit. The point isn’t to send spam to the world, but to start a DoS attack against your protection for various reasons: spite, curiosity, making defenses fail in order to attack, etc.
CAPTCHA are not “marketing ploys”, they’re just a tool designed to stop bots from bringing down your site. I suppose you think firewalls are just a salesman’s gimmick & you don’t need ‘em either.
here is another captcha killer
www.captchabot.com
Interesting, it is a never-ending cat and mouse game. I’m working on a program that generates random CAPTCHAs … if interested let me know.
Dog-mn
It’s a total waste of time deploying captchas if it’s to block automatic form submission. You should use plain HTML instead. It is completely transparent to your human visitors: no crossed images and no active content, no JavaScript or the like.
What’s this with the captchas anyway? Another marketing opportunity? If forms aren’t complex enough, let’s add some extra lousy input boxes and images, maybe they’ll attract more visitors, right?
XRumer and other programs for spam will die only when search engines refuse link popularity. Thanks for the interesting article.
Very interesting article!
Visual image captchas are bad. They block out and discriminate against visually impaired users, punishing them as spammers.
Visual verification that requires you to enter characters in an image you see, or answer a question about what’s in an image you see, blocks out anyone with a visual impairment.
Clicking to get a larger image displayed does nothing at all for people with severe vision impairments who cannot even read large print.
Audio captchas are becoming available on a growing number of sites, but even they aren’t good enough. The deaf-blind use braille displays and cannot see a picture or hear a corresponding sound.
Captchas force the blind to surrender what independence they once had on site registration and forms, reducing them to begging a sighted person or site admin for help in account creation, form submittal, group creation, anywhere there is a mandatory visual verification code.
As if that wasn’t bad enough, many of these captcha-using sites add further insult to the visually impaired when they demand you prove you are human by entering a visual code. If you are blind and you cannot see an image, does that disqualify you as a member of the human race? According to captcha, yes!
This is not a tiny little inconvenience that occurs every once in a blue moon, but an ongoing, day to day problem. Trying to register, make comments, create groups, or fill out any form to completion is a crapshoot if you are visually impaired. If you are on your own, trying to make a submission on a site and you are pressed for time, you are completely out of hope when you run up against a captcha and there is no one you can get to help you. Site administrators may or may not have the time or the desire to help you.
When you find yourself running up against this cyber face-slapping half or more than half the time you try to make submissions to various sites, it is demoralizing. You are told again and again that you are not welcome, you are not human, forced to pester a site administrator or someone else for help with something you could do on your own before, and as far as the site administration goes, you do not exist and are not worth consideration.
It’s infuriating and a threat to the dignity of people who are at the mercy of visual verification captchas.
In addition to blind users having the door shut in their faces at sites that use visual captchas, it is evident that spam problems still occur as much as ever on sites that use captchas, proving captcha to be a cure that’s worse than the disease.
If a site administrator feels so strongly that they must employ a captcha, there is a newer, truly accessible variety that should be more effective. It prompts you with a question in text format and requires you to fill in the answer. The questions should not require a person to be able to see an image to answer.
Bad examples: “Which number in the picture is red?” “Which animal in the picture above has four legs?” How is someone who can’t read print and has to rely on a screenreader supposed to know that?
Good examples: “How many legs does a cat have?” “What’s 2+2?” Math questions can be asked in a number of different ways to halt a bot and still be accessible to a user. “What’s 6 divided by 2?” “What’s 5 added to 3?” Even “What color is an orange?” is still a good example, because everyone except the bots, sighted or not, knows the answer.
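One way to implement the text-question challenge the comment above proposes (example code added here, not from the post or its commenters; the secret value and the question phrasings are constructed for the demo):

```python
import hashlib
import hmac
import random
import time

# Assumption: a server-side secret; in a real deployment load it from configuration.
SECRET = b"constructed-demo-secret"

def build_question(rng=random):
    """Pick an operation and phrasing; returns (question_text, answer_string).
    Phrasings vary so a bot cannot rely on one fixed pattern, but any reader can answer."""
    a, b = rng.randint(2, 9), rng.randint(2, 9)
    kind = rng.choice(["plus", "minus", "times", "divided"])
    if kind == "plus":
        text, answer = rng.choice(["What is {a} plus {b}?", "What's {b} added to {a}?"]), a + b
    elif kind == "minus":
        a, b = max(a, b), min(a, b)                  # keep the answer non-negative
        text, answer = "What is {a} minus {b}?", a - b
    elif kind == "times":
        text, answer = "What is {a} times {b}?", a * b
    else:
        a = a * b                                    # make the division exact
        text, answer = "What's {a} divided by {b}?", a // b
    return text.format(a=a, b=b), str(answer)

def _mac(answer, expires, nonce):
    msg = f"{answer}:{expires}:{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(answer, now=None, ttl=300, nonce=None):
    """Bind the expected answer to an expiry time with an HMAC, so the server keeps no
    session state: the token travels in a hidden form field next to the question."""
    now = int(time.time()) if now is None else now
    nonce = nonce or "%016x" % random.getrandbits(64)
    expires = now + ttl
    return f"{expires}:{nonce}:{_mac(answer, expires, nonce)}"

def verify(token, submitted, now=None):
    """True only if the submitted answer reproduces the token's MAC before expiry."""
    now = int(time.time()) if now is None else now
    try:
        expires_s, nonce, mac = token.split(":")
        expires = int(expires_s)
    except ValueError:
        return False
    if now > expires:
        return False
    return hmac.compare_digest(_mac(submitted.strip(), expires, nonce), mac)
```

A bot that parses the question can still solve it, and a token can be replayed until it expires unless used nonces are recorded server-side, so pair this with rate limiting rather than treating it as a bot-proof gate.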