Davey Winder's Blog

Hotmail CAPTCHA: cracked in 20 seconds

By Davey Winder in Editorial

Posted in Data Protection, Spam, Security, Microsoft on February 18, 2009 at 12:12 am


Although many people would like you to believe otherwise, the Completely Automated Public Turing test to tell Computers and Humans Apart (better known as CAPTCHA) is not foolproof. Yahoo! knows this, Google knows this, and now it looks as though Microsoft knows it as well.

According to security researcher Sumeet Prasad at Websense, the CAPTCHA system protecting the Microsoft Live Hotmail service has been busted wide open.

This is made all the more embarrassing for Microsoft courtesy of one small detail: just a few short months ago Microsoft redesigned the CAPTCHA challenge it uses in order to prevent automated bot registration of accounts.

According to Websense, “As the latest attack shows, those efforts have failed.” Its research suggests that the anti-CAPTCHA attacks Microsoft is suffering are part of a strategy of escalation by the spammer gangs, who need a steady supply of Hotmail accounts so that they can continue to exploit Microsoft's branding and the trust attached to it in order to sell their wares.

Worryingly, it appears that this latest attack is not the usual automated bot account creation driven by command-and-control templates, but a much more sophisticated operation in which the spammer bots and the compromised machines communicate over automated, encrypted channels to carry out the cracking attempts. Well, I say attempts, but I mean successes. According to Prasad, the success rate in converting a CAPTCHA cracking attempt into a fully active Live Hotmail account is as high as 20 percent. That’s one in every five attempts succeeding.

If that were not frightening enough, the whole process, from start to finish, takes just 20 seconds.

A full step by step expose of the technology and techniques employed can be found here.

Comments

Comment by Emily - March 19, 2009 on 10:09 am

Why have they changed the CAPTCHA system… what’s the reason… how to crack Hotmail CAPTCHA…

Pingback by IT PRO: Blogs: Davey Winder: Decoding Captchas with OCR - October 5, 2009 on 11:56 pm

[…] fell victim to spammer gang hacking attention earlier in the year. I wrote a piece on IT Pro called Hotmail CAPTCHA: cracked in 20 seconds at the […]

Comment by buy anabol tablets - April 2, 2011 on 5:26 pm

Sounds good, I like to read your blog, just added to my favorites ;)

Comment by forex automoney reviews - April 8, 2011 on 8:40 pm

As a Newbie, I am always searching online for articles that can help me. Thank you Wow! Thank you! I always wanted to write in my site something like that. Can I take part of your post to my blog?
