Cracking CAPTCHA: Another Russian Business
Friday October 10, 2008 at 11:37 am CST
Posted by Francois Paget
We’ve already written about CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), the mechanism used to protect web sites, forums, and mailing systems against the automatic creation of accounts and contents. As my colleague Tad Heppner wrote in his November 2007 post, most common CAPTCHA systems work by generating distorted characters, text, or pictures that can be easily recognized by the human brain but present significant difficulty for computer-based optical character recognition or other image-recognition systems.
It should come as no surprise, however, that spammers continue to try to crack CAPTCHA. We’ve now seen a new version of a professional spammer tool on the web. XRumer 5 sells for $520 and promises advanced CAPTCHA decoding methods.

For a long time spammers have sought ways to defeat CAPTCHA mechanisms so they can create fake email accounts from which to send spam. Before telling you more about this new crooked utility, let’s review some older techniques used by spammers.
As shown in the following image (source XMCO), the most common CAPTCHA methods can be broken.

The first method of cracking is manual. People from developing countries offer their services, and the competition is intense. On some dedicated forums, proposals surge in from Vietnam or Bangladesh. They claim that lots of people are ready to work 24 hours a day to process hundreds of thousands of CAPTCHAs. Rates vary from $8 to $1 per 1,000 CAPTCHAs.

A less expensive solution consists of using private individuals to do the work free of charge. I am sure some readers remember this unusual offer, in which it was possible to undress “Melissa” in exchange for some CAPTCHA work. This allowed a spammer to create fake Yahoo Mail accounts.

It is also possible to find free web services. The CAPTCHA Killer web site offers such services. Its designer claims the offer “is 100% focused on increasing accessibility on the Internet” for the “1 Million Americans that suffer from blindness.” The service makes an API available to automate the process. However, I was not surprised to read a notice on that site saying they had been notified that using CAPTCHA Killer with Myspace was against the latter’s Terms of Service.

A very technical approach uses rainbow tables, in which each CAPTCHA image is associated with its character string. In March 2008, someone nicknamed Maluc created PHP scripts to download, extract, and save thousands of CAPTCHA images from Yahoo, Google, and Hotmail. Once complete, each collection helps spammers build new recognition tables or verify the accuracy of their OCR algorithms. When the lookup succeeds, only one millisecond is needed to compare a new image’s fingerprint with the ones included in the database. You have to pay between $1,500 and $5,000 for such algorithms, which suppress the noise, create a black-and-white picture, break it into segments (one letter per segment), and identify each character.

A programmer called Wangrun in the Chinese province of Anhui says he developed software to decode CAPTCHA systems. Depending on the complexity of the CAPTCHA image, he charges between $500 and $6,000 per decoder. No price is quoted for the most difficult images but, in a comment, he writes it is feasible. Wangrun declines to say what his customers use the decoders for, but says he has “very many” of them.

Spammers can also use zombie machines to help them crack CAPTCHA. We’ve read on the Virus Bulletin web site that compromised systems making up a large botnet were recently used to help in the registration process for Windows Live Mail accounts. When the bot (detected by VirusScan as Generix.dx) asked for registration, it received a CAPTCHA and immediately presented its image to a central server that attempted to decode it and returned the result. The decoding technique succeeded only around 35 percent of the time, VB said, but a new approach had been launched. The fact that large numbers of infected systems were running repeated attempts suggests a high number of new accounts for spamming were created at that time.
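As an added illustration (not from the original post or from Virus Bulletin’s analysis): detection logic a mail provider could run over its own registration log to spot the retry pattern described above, where a single source keeps hammering the CAPTCHA at machine speed with a low pass rate. The log format and the addresses are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines from a hypothetical registration service log; the
# format is an assumption for this example, not any real product's output.
SAMPLE_LOG = """\
2008-10-03T10:00:01Z src=198.51.100.7 step=captcha result=fail
2008-10-03T10:00:03Z src=198.51.100.7 step=captcha result=fail
2008-10-03T10:00:04Z src=198.51.100.7 step=captcha result=ok
2008-10-03T10:00:06Z src=198.51.100.7 step=captcha result=fail
2008-10-03T10:00:07Z src=198.51.100.7 step=captcha result=fail
2008-10-03T10:00:09Z src=198.51.100.7 step=captcha result=ok
2008-10-03T10:00:10Z src=198.51.100.7 step=captcha result=fail
2008-10-03T10:00:12Z src=198.51.100.7 step=captcha result=fail
2008-10-03T10:05:00Z src=192.0.2.44 step=captcha result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) step=captcha result=(?P<res>ok|fail)$")

def parse(lines):
    """Yield (timestamp, source, passed) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group("src"), m.group("res") == "ok"

def flag_sources(lines, min_attempts=5, max_pass_rate=0.5, window_s=60):
    """Return {src: (attempts, passes)} for sources that retry the CAPTCHA at
    machine speed with a low pass rate: at least min_attempts inside window_s
    seconds, of which no more than max_pass_rate succeeded."""
    per_src = defaultdict(list)
    for ts, src, ok in parse(lines):
        per_src[src].append((ts, ok))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        # Slide a window over this source's attempts and look for a burst.
        for i in range(len(events)):
            burst = [ok for ts, ok in events[i:]
                     if (ts - events[i][0]).total_seconds() <= window_s]
            if len(burst) >= min_attempts and sum(burst) / len(burst) <= max_pass_rate:
                flagged[src] = (len(events), sum(ok for _, ok in events))
                break
    return flagged

if __name__ == "__main__":
    for src, (n, k) in flag_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} attempts, {k} passed ({100 * k / n:.0f}%)")
```

Because the botnet spreads its attempts across many infected hosts, a per-source threshold only catches the chattiest bots; the same per-source statistics aggregated across all sources show the global surge.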
Finally, turnkey tools are another method for defeating CAPTCHA defenses, and XRumer 5 is one of them. It can flood forums, guestbooks, blogs, wikis, etc. with messages and links. It automatically finds and fills in the required fields without needing a browser. If the forum requires registration, the program registers, logs in, and posts the spammer’s text. XRumer gets past JavaScript protection, pictocode protection (typing a number displayed in a box), and protection by e-mail activation. If a CAPTCHA image is detected, the program automatically downloads it, analyzes it, and fills in the form.
Version 5 can work on most recent versions of popular engines such as VBulletin, IPB, and phpBB, according to its creator. XRumer can also create accounts on gmail.com for posting. And its clients seem happy. One of them wrote last week on a forum “all that for only $500? It’s very cheap! I’d easily charge 2k for that. Solving gmail captcha is no joke. I paid 4k just for that from an OCR developer. …”
XRumer is also able to solve the “pick the cat” CAPTCHAs presented in the picture below.

On October 3, XRumer’s maker explained that he had analyzed many forums and discovered that most of this type of CAPTCHA used identical pictures. Thus XRumer can distinguish them by their sizes in bytes. And he concludes: “It’s so easy, isn’t it? Oh, they can make some distortion on images? Well, we have a time to improve our algorithm. We analyze forums, blogs, guestbooks permanently, and there is one important thing: that type of captchas used not more than 0,01% of resources (1 of 10,000 sites).”
Once again, we are reminded that malware design is a business. And once again, my searches drive me to Russia, where criminals create and employ malicious software as well as engage in identity theft and virtual prostitution. The company or individual behind XRumer appears to be the same as that which proposed an automated sex-talk service called CyberLover.ru in 2007. One name I got from a whois request today is Alexander Ryabchenko. When the media pointed the finger at him in 2007, Ryabchenko emailed to Reuters that he could not be accused of identity theft with the CyberLover concept. He explained “the program can find no more information than the user is prepared to provide.”
If anyone should ask Ryabchenko why he commercializes XRumer, I suggest he repeat the CAPTCHA Killer web site argument: to help the million people suffering from blindness.

October 13th, 2008 at 10:12 am
[…] found a really interesting (and extremely scary) article at Advert Labs. Read it you […]
October 13th, 2008 at 7:11 pm
Visual image captchas are bad. They block out and discriminate against visually impaired users, punishing them as spammers.
Visual verification that requires you to enter characters in an image you see, or answer a question about what’s in an image you see, blocks out anyone with a visual impairment.
Clicking to get a larger image displayed does nothing at all for people with severe vision impairments who cannot even read large print.
Audio captchas are becoming available on a growing number of sites, but even they aren’t good enough. The deaf-blind use braille displays and cannot see a picture or hear a corresponding sound.
Captchas force the blind to surrender what independence they once had on site registration and forms, reducing them to begging a sighted person or site admin for help in account creation, form submittal, group creation, anywhere there is a mandatory visual verification code.
As if that wasn’t bad enough, many of these captcha-using sites add further insult to the visually impaired when they demand you to prove you are human by entering in a visual code. If you are blind and you cannot see an image, does that disqualify you as a member of the human race? According to captcha, yes!
This is not a tiny little inconvenience that occurs every once in a blue moon, but an ongoing, day to day problem. Trying to register, make comments, create groups, or fill out any form to completion is a crapshoot if you are visually impaired. If you are on your own, trying to make a submission on a site and you are pressed for time, you are completely out of hope when you run up against a captcha and there is no one you can get to help you. Site administrators may or may not have time or the desire to help you.
When you find yourself running up against this cyber face-slapping half or more than half the time you try to make submissions to various sites, it is demoralizing. You are told again and again that you are not welcome, you are not human, forced to pester a site administrator or someone else for help with something you could do on your own before, and as far as the site administration goes, you do not exist and are not worth consideration.
It’s infuriating and a threat to the dignity of people who are at the mercy of visual verification captchas.
In addition to blind users having the door shut in their faces at sites that use visual captchas, It is evident that spam problems still occur as much as ever on sites that use captchas, proving captcha to be a cure that’s worse than the disease.
If a site administrator feels so strongly that they must employ a captcha, there is a newer, truly accessible variety that should be more effective. It prompts you with a question in text format and requires you to fill in the answer. The questions should not require a person to be able to see an image to answer.
Bad examples: “Which number in the picture is red?” “Which animal in the picture above has four legs?” How is someone who can’t read print and has to rely on a screenreader supposed to know that?
Good examples: “How many legs does a cat have?” “What’s 2+2?” Math questions can be asked in a number of different ways to halt a bot and still be accessible to a user. “What’s 6 divided by 2?” “What’s 5 added to 3?” Even “What color is an orange?” is still a good example, because everyone except the bots, sighted or not, knows the answer.
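The commenter’s text-question approach, as an added example that is not part of the original post or of the comment: the server phrases a small arithmetic question in several ways and hands the browser a signed token instead of a hidden answer field, so the answer never leaves the server. The key, question templates and token layout are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
import random
import time

def new_question(rng):
    """Pick an arithmetic question phrased in one of several ways; the answer is
    always a small integer, so no image and no trick wording is involved."""
    a, b, q = rng.randint(1, 9), rng.randint(1, 9), rng.randint(2, 5)
    templates = [
        (f"What's {a} added to {b}?", a + b),
        (f"What's {a} plus {b}?", a + b),
        (f"What's {a * q} divided by {q}?", a),
        (f"How much is {a} times {b}?", a * b),
    ]
    return rng.choice(templates)

def _mac(key, nonce, expires, answer):
    msg = b"|".join([nonce, str(expires).encode(), answer.encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()

def issue(key, question, answer, ttl=300, now=None):
    """Return (question, token). The token holds a nonce, an expiry and an HMAC
    over (nonce, expiry, answer); the answer itself never leaves the server."""
    nonce = os.urandom(8)
    expires = int(time.time() if now is None else now) + ttl
    tag = _mac(key, nonce, expires, str(answer))
    token = base64.urlsafe_b64encode(nonce + expires.to_bytes(8, "big") + tag)
    return question, token.decode()

def make_challenge(key, rng=None, ttl=300, now=None):
    """Generate a fresh question and its signed token."""
    question, answer = new_question(random.SystemRandom() if rng is None else rng)
    return issue(key, question, answer, ttl, now)

def verify(key, token, submitted, now=None):
    """True only if the token is well-formed, unexpired, and the submitted
    answer reproduces the MAC. The comparison is constant-time."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, TypeError):
        return False
    if len(raw) != 8 + 8 + 32:
        return False
    nonce, expires, tag = raw[:8], int.from_bytes(raw[8:16], "big"), raw[16:]
    if (time.time() if now is None else now) > expires:
        return False
    return hmac.compare_digest(_mac(key, nonce, expires, submitted.strip()), tag)
```

The answer space is tiny, so this only raises the bar when paired with per-source rate limits and a server-side record of consumed nonces; the token alone stops replay only once it expires.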
October 14th, 2008 at 4:05 am
[…] McAfee has discovered a new version of the spammer tool “XRumer”, which is said to crack not only the image CAPTCHAs of common forum software but also those of Google’s webmail service. Around 500 dollars is a bargain price for the cyber underworld, since other providers sometimes charge thousands of dollars for an algorithm that can solve the CAPTCHAs of only one Internet service, explains Francois Paget of McAfee Avert Labs in their research blog. […]
October 14th, 2008 at 4:26 am
[…] of only one Internet service, explains Francois Paget of McAfee Avert Labs in their research blog. "Programs to analyze CAPTCHAs automatically have existed for about one and a half […]
October 14th, 2008 at 7:41 am
Very interesting article!
October 24th, 2008 at 9:14 pm
Xrumer and other programs for spam will die only when search engines will refuse link popularity. Thanks for interesting article.
November 2nd, 2008 at 7:37 am
It’s a total waste of time deploying captchas if it’s to block automatic form submission. You should use plain html instead. It is completely transparent to your human visitors: no crossed images and no active content, no jscripts or the like.
What’s this with the captchas anyways? Another marketing opportunity? If forms aren’t complex enough, let’s add some extra lousy input boxes and images, maybe they’ll attract more visitors, right?
November 15th, 2008 at 7:10 pm
Interesting, it is a never-ending cat and mouse game. I’m working on a program that generates random CAPTCHA … if interested let me know.
Dog-mn
November 17th, 2008 at 2:51 pm
here is another captcha killer
http://www.captchabot.com