blogs.zdnet.com/security/?p=1418
do-it-yourself CAPTCHA breaking services, and proprietary underground tools assisting spammers, phishers and malware authors into registering hundreds of thousands of bogus accounts for spamming and fraudulent purposes. Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers This post intends to make this official, by covering an underground service offering thousands of already registered Gmail, Yahoo and Hotmail accounts for sale, with new ones registered every second clearly indicating the success rate of their CAPTCHA breaking capabilities at these services. Monitoring the service for over a month now, revealed that during the period its "inventory of automatically registered email accounts" was emptying itself, then restoring to its current position - in the thousands, with 1 to 2 new accounts registered per second. Moreover, it's important to point out that compared to situations where scammers are scamming the scammers, these people "deliver the goods" that they promise. Last week, they've also started offering Hotmail and Yahoo email accounts, again in the thousands. For the time being, there are 134, 670 Gmail accounts available for purchase, as well as 42,893 Hotmail, and 10,847 Yahoo email accounts. There's naturally a price discrimination applied, for instance, if you're buying up to 10k Gmail accounts, the price for 1k would be $6, from 10k to 100k the price drops to $5 for 1k, and if you're going to buy over 100k accounts, the price would be $4 for 1k.
Microsoft's CAPTCHAs, the incentives for malicious parties to start efficiently breaking it and build a business model on the top of this seem to have prevailed.
Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers MSN/Passport and Yahoo version 2 HIPs, it is also two color. The HIP characters are arranged closed to one another (they often touch) and follow a curved baseline. The following very simple attack was used to segment Google HIPs: Convert to grayscale, up-sample, threshold and separate connected components. This can be significantly improved upon by judicious use of dilate-erode attack. A direct application doesn't do as well as it did on the ticketmaster and yahoo HIPs (because of the shear and warp of the baseline of the word). More successful and complicated attacks might estimate and counter the shear and warp of the baseline to achieve better success rates."
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and E-crime incident response. Dancho is also involved in business development, marketing research and competitive intelligence as an independent contractor.
I think it's more of a design issue than a personnel problem. Give them good tools to work with and watch things change. Let everyone have their own path and watch the chaos....
Latest Topics: Running virtual machines and DHCP can cause Intel AMT to be inaccessible; Wildcard certificates are currently not supported for remote; Dell 755 returns a duplicate UUID during activation configuration.
The Cisco Mobility Resource Center offers FREE videos, downloads, podcasts and more, all designed to help small and medium businesses get mobile connectivity solutions, improve productivity and drive sales and revenue.
At the Cleantech Forum in San Francisco, Todd Glass of Heller Ehrman moderates a discussion, among tech execs, on the various solar technologies making a difference in the green movement.
|