Eau Claire Wisconsin Real Estate Agent & Realtor® Shane O'Gorman
The commonplace method of putting a CAPTCHA (those annoying things
that ask you if you are a human and have you type weird little
characters) has been basically rendered useless. The purpose of the
CAPTCHA was to prevent a simple script (bot) from accessing your blog,
email, bank account, etc. Well, it seems someone with some time on
their hands and lots of low-cost labor (?? million people employed in
India) has found the anti-spam countermeasures quite easily defeated.
I highlighted a few key areas in this story.
The decline in CAPTCHA efficacy has been an ongoing story in 2008, as
hackers and malware authors have steadily found ways to chip away at
the protection these security practices were once thought to offer.
Now, new findings indicate that both Gmail and Windows Live Hotmail
have been compromised again, this time via a more-streamlined attack
process. With two of the largest webmail providers once again
vulnerable, CAPTCHAs clearly aren't meeting the security needs of
either company, and it may be time to reevaluate the use of them
altogether.
Gmail defeated
The latest bad news for Google comes courtesy of the malware team in
charge of the XRumer project. XRumer is a blogspam tool that's
particularly good at what it does, and is capable of fooling multiple
CAPTCHA systems. Once it successfully registers, XRumer may take steps
to avoid human detection by first posting an innocuous question
regarding a specific product or service. The point of all the
subterfuge is to boost the Google page rank of a site by bombarding
multiple forums with product/service mentions and discussions. Users
that can be tricked into posting their own links (perhaps in an
attempt to demonstrate where a product may be found) only help the
program perform its primary function.
And Hotmail too
As for Windows Live Hotmail, Websense Security Labs has put together a
step-by-step demonstration of how an existing automated anti-CAPTCHA
bot goes about its business. The bot begins by hooking itself to
Internet Explorer and communicating with the Hotmail sign-up servers.
The anti-CAPTCHA software is prepackaged with a list of account names,
which it attempts to use as the first step of the account creation
process. Said list is presumably updated regularly, with successful
accounts noted and unacceptable/pre-existing accounts scratched off.
Our little darling of a program then spins off a second instance of
IEXPLORE.EXE, and attempts to connect with the actual CAPTCHA-breaking
host. As we've previously discussed, CAPTCHA-breaking is a huge
business in nations like India, where workers will input thousands of
CAPTCHAs per day in exchange for a minuscule amount of money per
CAPTCHA successfully decoded.
Websense reports that the bot in question successfully creates a
Hotmail account once out of every eight to ten tries. If we were
talking about a small group of people, such a low success rate might
not be worth the trouble, but the larger organizations in India are
advertising themselves as capable of breaking 700,000 CAPTCHAs (or
more) per day. Lower numbers, in the 25,000-50,000 range, are more
common, but even if we start at just 25,000 and take a 10 percent
success rate, that's still one small company churning out 2,500
successful e-mail spam accounts per day. Start ramping even that
minimum estimate up by the number of CAPTCHA-breakers in India and the
growing popularity of the field (Surprise: "Ralph," in customer
service over at Dell doesn't like talking to you, either), and a
one-of-eight to one-of-ten crack rate starts looking pretty good.
Longer term, that rate is only headed up.
You can read the full article here.
This is scary stuff. It seems there is good money in spamming blogs. I
guess to most people it seems stupid that they would bother, but when
you think about it, they are after your blog for the backlinks. It's
free advertising for them and it's effective.
I would carefully read this article in its entirety and seriously
consider another method of security. Your blog is not safe. Nor is
your website. Nor is anything they want to get into that uses CAPTCHA
as security.
Also watch out for spam mails. Gmail used to be considered trusted,
but with the ability to generate thousands of accounts in a day...
Hello Spam!

Very interesting. Who would have thought this would be big business!