Stripping for CAPTCHAs

Spammers want email accounts. Free email services like Yahoo! Mail, GMail, and Windows Live Hotmail want to give people free email accounts, but they don’t want to help spammers. Thus, they try to make sure that it is easy for one person to sign up for an email account, but hard for a spam system to sign up for 1000 email accounts.

Thus, when you sign up for an email account, such as on this Yahoo! page, you’re required to complete a CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”; the acronym probably came first) to prove you’re not a computer. These are relatively easy for humans to read, but relatively difficult for computers to read — although as OCR software gets better at reading them, they get harder and harder for people to read. Eventually these will stop working altogether when the crossover error rate for computers reading them is equal to or lower than the one for humans, though this is a good way off. We’re already at the point where when a major online service increases their CAPTCHA difficulty, they notice a significant drop-off in sign-ups as users find themselves unable to complete them (many users, if they can’t complete it in 1-2 tries, consider it to be not worth the effort and go on to another site).

In the meantime, though, spammers keep trying to find ways to bypass them. Automation doesn’t work so well — that being the whole point — so they’ve come up with rather innovative ways to do this.

One option: just pay people to solve them for you. Spamming makes money. One email account can send thousands of spams before being shut down. In the global economy, you can hire someone for $0.60/hr. to solve CAPTCHAs for you without asking questions like “why are you doing this?” At $50/week, you can have all the email accounts you need to make rather more than $50 sending spam.

A newer option: make people think it’s a game. Yes, there’s a piece of malware floating around that has a digitized woman stripping for CAPTCHAs. It’s like digital strip poker, only instead of winning a hand of cards you just have to correctly answer a CAPTCHA. You fill them out, the app signs up for an email account and sends it to the spammer, and it shows you porn. It’s considered malware (Trend Micro calls it TROJ_CAPTCHAR.A) because it’s being used for spamming, but the app does exactly what it says it does — it doesn’t harm its user, it just helps spammers in the background.

Of course, in a sense CAPTCHA is still serving its purpose — it is stopping purely automated attacks. Neither paying people nor tricking them with porn games scales nearly as well as straight automation — without a CAPTCHA you could create thousands of email accounts per hour rather than per week. However, it still serves as a good illustration of the ingenuity of attackers, and the fact that no countermeasure makes an app “secure” — they make it secure from something. In this case, with pure automation foreclosed to them, attackers have simply found an end-run around the problem. CAPTCHAs are dependent on making it not worth the spammer’s time to fake sign-ups, and in that they succeed… where they fail is that some other people value their time far less than spammers do, and spammers are learning to exploit that fact.
