Davey Winder's Blog

Hotmail CAPTCHA: cracked in 20 seconds

By Davey Winder in Editorial

Posted in Data Protection, Spam, Security, Microsoft on February 18, 2009 at 12:12 am


Although many people would like you to believe otherwise, the Completely Automated Public Turing test to tell Computers and Humans Apart (better known as CAPTCHA) is not foolproof. Yahoo! knows this, Google knows this, and now it would look like Microsoft knows it as well.

According to security researcher Sumeet Prasad at Websense, the Microsoft Live Hotmail service CAPTCHA system has been busted wide open.

This is made all the more embarrassing for Microsoft courtesy of one small detail: just a few short months ago Microsoft had redesigned the CAPTCHA authentication it uses in order to prevent automated bot registration.

According to Websense, “As the latest attack shows, those efforts have failed.” Its research suggests that the anti-CAPTCHA attacks Microsoft is now feeling are part of an escalation strategy by the spammer gangs, who want to keep exploiting Microsoft branding and trust in order to sell their wares.

Worryingly, it appears that this latest attack is not the usual automated bot account creation system using command and control templates, but instead a much more sophisticated effort involving automated but encrypted communications between the spammer bots and compromised machines in order to secure the cracking attempts. Well, I say attempts but I mean successes. According to Prasad the success rate in converting a CAPTCHA cracking attempt into a fully active Live Hotmail account is as high as 20 percent. That’s one in every five attempts being successful.

If that were not frightening enough, it takes just 20 seconds from start to finish to do the cracking.

A full step-by-step exposé of the technology and techniques employed can be found here.


Comments

Comment by Emily - March 19, 2009 on 10:09 am

Why they have changed the CAPTCHA system… what’s the reason… how to crack hotmail CAPTCHA…


Pingback by IT PRO: Blogs: Davey Winder: Decoding Captchas with OCR - October 5, 2009 on 11:56 pm

[…] fell victim to spammer gang hacking attention earlier in the year. I wrote a piece on IT Pro called Hotmail CAPTCHA: cracked in 20 seconds at the […]
