Spammers beat new Microsoft CAPTCHA defences
By Asavin Wattanajantra
Security firm Websense has claimed that new CAPTCHA techniques reworked by Microsoft at the end of last year have already been busted by spammers.
CAPTCHA (Completely Automated Public Turing Test to tell Computers & Humans Apart) was developed in 2000 to stop spam robots. Websense said that recent Microsoft efforts to rework it and achieve a balance between security and usability had failed.
The problem was that every time Microsoft tried to implement CAPTCHA changes to prevent spammers from breaking in and getting control of accounts, the criminals managed to adapt and beat them.
Some of the changes which Microsoft made to CAPTCHA involved disguising individual letters to prevent character recognition technology from working.
Carl Leonard, threat researcher at Websense, said that the firm wasn’t totally sure what systems the scammers were employing to break the CAPTCHA, but suspected that the process was automated because of the success the spammers were having and the time it took to sign up an account.
“This particular attack is using encryption between the compromised machine and the bot server. They are aiming to go for the CAPTCHA for the same reasons as previously, piggybacking on the reputation of Live.com email accounts,” he said.
“They can then use other Microsoft services such as Live Spaces to host malicious firewalls as well.”
Leonard said that Microsoft were reacting to the problem, but said compromised accounts were so valuable to spammers that they would always try and get around any new defences. As Microsoft property, security vendors could not blacklist the accounts.
Leonard said: “It’s a very difficult one. There are experiments with other types of CAPTCHA systems that don’t rely just on letters.
“Perhaps using visual images, humans would be able to recognise what these were. It could be that another layer to the CAPTCHA is required.”
Microsoft has not responded to a request for comment by time of writing.