Websense says that hackers have streamlined their anti-CAPTCHA tools and can
attack Microsoft's Live Hotmail service in about 6 seconds.

Websense has been on the CAPTCHA case for a while and the latest
<http://securitylabs.websense.com/content/Blogs/3063.aspx>  attack on
Microsoft's Hotmail is an evolutionary leap because hackers' tools are
automated and operating almost instantaneously. CAPTCHAs are viewed as a
spam defense and a way to distinguish humans and computers. Google says
<http://blogs.zdnet.com/security/?p=952>  CAPTCHAs are still useful, but
others beg to differ <http://blogs.zdnet.com/security/?p=903> .

The steps of the CAPTCHA-eluding attack are similar to previous attacks,
according to Websense. A bot hooks into Internet Explorer, observes account
names, uses IE to sign up for Hotmail accounts, grabs CAPTCHA and breaks it,
creates multiple accounts and then spams away.

The big difference: "Unlike Live Mail Anti-CAPTCHA and Gmail Anti-CAPTCHA
operations in the past, the current attack is aggressive and instantaneous
in terms of CAPTCHA breaking host turn-around time," said Websense. Total
response time? Six seconds.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: Thursday, April 10, 2008 9:04 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] form spam filter

 

Hi Matt,

 

Parsing CAPTCHA essentially means OCR.  OCR in general would be
CPU-intensive.  Spammers are using such techniques for Yahoo, Hotmail, and
Gmail due to the high value in a process that gets them success in creating
new email accounts to spam from.  However, it's important to note that their
success rate is 20-33% in hacking CAPTCHA.  For a feedback form or the like on
a customer website that only emails the website owner (which is the problem
we were faced with), the value is probably not high enough for a spammer to
expend the CPU to break in 1 in 3 or 1 in 5 tries, or even 1 in 1 for that
matter.  However, that will most likely change as CPUs continue to get
faster and less expensive.

 

Certainly fully processing Javascript/CSS would be difficult, but it's not
necessary.  As I mentioned, scripting/testing tools are around that allow a
spammer to quickly and easily generate a script for a particular site.  Yes,
they would have to do this one site at a time, but it would be the easiest
way to approach it.  Once done, they would not have to redo it unless the
page changed, which they could monitor.

 

For example, the hidden DIV with fields would have been broken very quickly
by spammers on the free email account sites.  CAPTCHA took a lot longer, and
success is limited.  That in itself is testimony to the effectiveness of
CAPTCHA.

 

Good point about using a non-standard means to secure a form.  My concern
about your method is that it will fail with some of the auto-fill procedures
I've seen, where CAPTCHA hasn't.

 

The other problem with non-standard approaches is that success typically
results in popularity... thus eventually losing its non-standard
status.  Once known, it is easily bypassed, and as mentioned tools are
available to defeat it now.  Because of this, I would rather depend on
technical soundness than a trick that can be easily defeated.

 

Since no method is fool-proof, to raise the level of security on a form
perhaps we should apply multiple techniques to secure it, as is a general
best-practice in the security industry.  

 

As usual, the level of security required depends on the value received from
breaking it.  So, it's a judgement call by the website owner as to the
level(s) of security to apply.  Agreed that CAPTCHA requires an extra step
by the user, but given the ease of implementing CAPTCHA and its overall
effectiveness, I still believe CAPTCHA is the single best method to secure a
public form.

 

Darin.

 

 

----- Original Message ----- 

From: Matt <mailto:[EMAIL PROTECTED]>  

To: declude.junkmail@declude.com 

Sent: Wednesday, April 09, 2008 1:04 PM

Subject: Re: [Declude.JunkMail] form spam filter

 

Note that I'm not claiming that I have the absolute best way to go about
doing this, but I do have my opinions.

If a form mail spamming software is going to go through the process of
parsing JavaScript and CSS, it wouldn't be a leap at all to see them parsing
CAPTCHAs.  There is open source CAPTCHA parsing code, and it has been
around for a long time, and spammers are known to use this code for at least
cracking accounts at places like Hotmail and Yahoo for some time.

If I was a spammer, I would start cracking CAPTCHAs before I bothered with
JavaScript and CSS.  While there may very well be code out there that
mimics keystrokes and the like, spammers are not trying to hit 100%, and
that's why adding DIV visibility hidden fields fools these guys.

I do consider CAPTCHAs a barrier for legitimate users, and I personally
feel they are a pain, especially if they are messed up enough to not be
easily broken with CAPTCHA parsing code.  Since this is the most common
automation blocking method, it is also the most likely to fail to protect
things down the line.

My take is to do something custom/non-standard, and essentially reverse
engineer their methods.  They test forms for success, so you fool them by
pretending there is success.  If a simple solution like DIV visibility
hidden used on extra fields that will cause the mail not to be sent, but
nevertheless verified, stops working, then I would jump to other methods.
They have to have a payload, so blocking URLs with JavaScript is
appropriate for many contact forms, and you check for URLs in the mail
sending script and pretend success if found.  Again, spammers won't know the
difference, and they aren't going to great lengths to obfuscate URLs
currently, so that would be 100% effective, but an occasional pain for
visitors who for some reason desire to send URLs.

I also like some of Mark's designer's tricks, and there are tons of tricks
out there that can be effective.  For instance, you could use JavaScript to
read the screen sizes, and if they are too small, or non-existent, you
pretend success, but do not send the E-mail.

The pretend success is a major component of all of these tricks, and it is
easy enough to create some sort of multi-factor hurdle that is just too
custom for a generic form submission program to get right.  CAPTCHAs on the
other hand are a burden for legitimate users, and their utility will likely
disappear in time, whereas these other methods are neither a burden, nor are
they likely to cease being effective.

That's my take on it.

Matt



Darin Cox wrote: 

Hmmm... good idea.  Though the testing/form filler tools I've seen aren't
using pasting.  They are generating keystrokes and targeting them into the
appropriate fields.

 

With the tools I've seen, the ability exists to put pauses in, but that
would effectively restrict volume submissions for a spammer, and therefore
cut down significantly on traffic.  The only drawback is for forms that a
user accesses multiple times and may use previously submitted data.  In
those cases, they might resubmit the form as-is, thus invalidating the
timer.  Also, note that the confirmation page is CAPTCHA.


Darin.

 

 

----- Original Message ----- 

From: Marc Catuogno <mailto:[EMAIL PROTECTED]>  

To: declude.junkmail@declude.com 

Sent: Wednesday, April 09, 2008 12:22 PM

Subject: RE: [Declude.JunkMail] form spam filter

 

One thing we did on our domain is to ban "pasting" so that the scripts
couldn't paste their info into our fields.  Also I just had an idea and
asked the webmaster if he could program the form to perform a different
action if the form page was opened for too short of a time period.  Like
shoot to a second page that would ask for a confirmation click or word to be
typed in.  This assumes that a person would take significantly more time to
fill a form than a program, even if it is a keystroke generator.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: Wednesday, April 09, 2008 11:54 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] form spam filter

Matt,

I did understand.  What I'm saying is that it doesn't always work.  To
clarify, in addition to less sophisticated automated form fillers that would
fill out all fields, there are also more sophisticated ones that use
keystroke generators to fill out forms.  I just saw one in the public domain
last month.  CAPTCHA doesn't have this problem, would defeat those automated
form fillers, and is therefore more reliable with similarly very little
effort to implement.


Darin.

----- Original Message ----- 

From: Matt <mailto:[EMAIL PROTECTED]>  

To: declude.junkmail@declude.com 

Sent: Wednesday, April 09, 2008 11:45 AM

Subject: Re: [Declude.JunkMail] form spam filter






No, I understood completely.  I've seen forms with fields hidden by DIVs
still filled out.  Some of the less sophisticated spam form fillers I've
seen used simply filled out every field.  They were not looking to see what
was "visible" and what wasn't.

Actually this is the part that you misunderstood.  The DIVs with visibility
hidden will never be filled out by real people, but they will get filled out
by form spam sending robots.  So if they get filled out, you pretend the
submission was successful, but you don't generate the E-mail.

It's a simple trick, and it works.

Matt

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
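Pulling the thread's defenses together in one place, as an added example and not code from any of the list participants: a server-side gate that layers Matt's hidden-field honeypot with "pretend success", Matt's URL-in-body check, and Marc's too-fast-submission timer, in the spirit of Darin's point that several techniques should be applied at once. The timer is implemented here as an HMAC-signed load timestamp carried in a hidden field so a bot cannot forge it; that design, the field names, the thresholds, the secret and the sample submissions are all assumptions of this example, not something the thread specifies.

```python
"""Layered form-spam gate combining the tricks discussed in the thread.

Checks run in order: honeypot field -> signed form-load timestamp ->
URL in message body.  Every bot-classified path returns the same
"success" page a real submission gets, so a spammer testing for
success learns nothing from the response.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: a random secret that lives only on the server.
SERVER_SECRET = b"replace-with-a-long-random-server-side-secret"

# Assumption: the form template renders <input name="website2"> inside a
# <div style="visibility:hidden">; humans never see it, naive bots fill it.
HONEYPOT_FIELD = "website2"

# Assumptions: a human needs at least MIN_FILL_SECONDS to fill the form;
# a token older than MAX_TOKEN_AGE_SECONDS is a re-used or bookmarked page.
MIN_FILL_SECONDS = 4
MAX_TOKEN_AGE_SECONDS = 6 * 3600

URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)


def issue_token(now: float) -> str:
    """Rendered into a hidden 'form_token' field: '<issue-time>.<hmac-sha256>'."""
    ts = str(int(now))
    mac = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_token(token: str) -> Optional[int]:
    """Return the issue time if the token is intact and unforged, else None."""
    ts, _, mac = token.partition(".")
    if not ts.isdigit():
        return None
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return int(ts) if hmac.compare_digest(mac, expected) else None


@dataclass
class Decision:
    send_email: bool    # actually deliver the message to the site owner
    show_success: bool  # what the submitter is told; bots see success either way
    reason: str


def evaluate(fields: Dict[str, str], now: float) -> Decision:
    """Decide whether to send the mail and which page to show the submitter."""
    # 1. Honeypot: anything in the hidden field means a robot filled every input.
    if fields.get(HONEYPOT_FIELD, "").strip():
        return Decision(False, True, "honeypot field filled")

    # 2. Timing: a forged/missing token or a too-fast submission is a bot and
    #    gets fake success; a stale token is most likely a human re-submitting
    #    an old page, so that case goes to a confirmation step instead.
    issued = verify_token(fields.get("form_token", ""))
    if issued is None:
        return Decision(False, True, "missing or forged form token")
    elapsed = now - issued
    if elapsed < MIN_FILL_SECONDS:
        return Decision(False, True, f"submitted {elapsed:.0f}s after page load")
    if elapsed > MAX_TOKEN_AGE_SECONDS:
        return Decision(False, False, "stale form, show confirmation page")

    # 3. Payload: spam needs a link; a contact-form message usually does not.
    if URL_RE.search(fields.get("message", "")):
        return Decision(False, True, "URL in message body")

    return Decision(True, True, "ok")


def demo() -> Dict[str, Decision]:
    """Run constructed sample submissions (not real traffic) through the gate."""
    t0 = 1_200_000_000.0  # constructed form-load time
    token = issue_token(t0)
    samples = {
        "human": ({"name": "Ann", "message": "Are you open on Sunday?",
                   "form_token": token}, t0 + 45),
        "fills_everything": ({"name": "x", "message": "hi", HONEYPOT_FIELD: "x",
                              "form_token": token}, t0 + 45),
        "too_fast": ({"name": "x", "message": "hi", "form_token": token}, t0 + 1),
        "link_payload": ({"name": "x", "message": "cheap pills www.example.test/deal",
                          "form_token": token}, t0 + 45),
        "forged_token": ({"name": "x", "message": "hi",
                          "form_token": "1200000000.deadbeef"}, t0 + 45),
        "stale_page": ({"name": "Bob", "message": "hello again",
                        "form_token": token}, t0 + 7 * 3600),
    }
    return {name: evaluate(fields, now) for name, (fields, now) in samples.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:17} send={d.send_email!s:5} success_page={d.show_success!s:5} {d.reason}")
```

The stale-token branch is the one place the gate does not pretend: it answers Darin's concern that a returning user re-submitting a previously loaded form would trip the timer, by sending that case to the confirmation page Marc described rather than silently discarding it. The other checks deliberately share the real path's success page, and the honeypot and timing checks run before any content inspection, so a keystroke-generating filler that skips the hidden field still has to beat the clock and avoid putting a link in the body.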

