Wednesday, February 27, 2008

Gmail Captcha Broken by Spammers!

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) challenge-response systems, which prevents automatic creation of accounts/ or automatic posting of messages. It involves a user (human) to correctly identify letters/digits in the form of an image. These are designed to ensure requests are made by a human rather than an automated program/software. The technique has been used to defeat automatic sign-ups to email accounts by services including Yahoo! Mail and Gmail, and has been the nail-biting challenges for hackers.

Recently, I got the news that Spammers have broken the system at Gmail. Recently the success of cracking the Windows Live captcha used by Hotmail was also reported. If they keep being successful at it, then we will be having a huge percentage rise in spam. The main worries are being the reason that nearly no spam blocker will identify and blacklist it as “spam”.

Internet security firm Websense reported bots have been created which are capable of signing up and creating random Gmail accounts for spamming purposes, defeating Captcha-based defences in the process.

Websense considers the latest Gmail Captcha hack to be the most sophisticated one it has seen to date. Live Mail Captcha breaking involved just one zombie host doing the entire job, the Gmail breaking process involves two hosts. One to try, and another to monitor the success. The two compromised hosts applies a slightly different technique to analyse Captcha.

They have reported that only one in every five Captcha-breaking attempts is successful. It seems to be low, but that's more if we consider millions of automated attacks.