I've blogged about broken CAPTCHA's in the past, but I thought I'd touch on it again. Websense is reporting on their discovery that a new botnet is breaking Hotmail's CAPTCHA in order to send out spam. It really is a nice report and demonstrates the sophistication of this particular strain. Some highlights from the report:
- The bot hooks itself into Internet Explorer on the victim's machine.
- The bot consistently tries-breaks, tries-breaks, tries-breaks, etc.
- The CAPTCHA images are collected as hidden files from the victim's machine during different sign-up attempts.
- Once broken for a variety of accounts, the bot carries out the mass mailing through a variety of accounts.
From the report:
Stage 1: One in every 8 to 10 attempts to signup a hotmail account are successful. Hence success rate approximately ranges between 10 to 15%.
Stage 2: Spam campaigns from one Hotmail account is sent to multiple accounts in CC and BCC lists at a time. The same Hotmail account (or “from account/ address”) is not repeatedly used for sending spam campaigns continuously. They are changed in timely fashion by the bot. The same is the case with targeted accounts (or “to account(s)/ addresses) for spamming.
The total response time for CAPTCHA breaking averages about 6 seconds.
Even though spammers are my mortal enemy (along with milkshakes, which have a habit of making my stomach sick), this method of spamming is one of the more elegant solutions. It's not just Hotmail that need worry, all of the other players like Yahoo and Gmail are potential targets.