Cybercriminals release automatic CAPTCHA-solving bogus YouTube account generating tool


By Dancho Danchev

For years, thanks to the currently mature human-driven ecosystem offering CAPTCHA-solving as a service, cybercriminals have been persistently and automatically abusing major Web properties by undermining the “chain of trust” that these properties rely on so extensively.

With many still assuming a world dominated by malware-infected bots, this myopia has resulted in the rise of these managed services, rendering any recent CAPTCHA “innovations” useless, since the services continue relying on humans, the very species that a CAPTCHA is supposed to recognize in the first place.

Just how easy is it to automatically register tens of thousands of bogus accounts at, let’s say, YouTube? In this post I’ll profile a recently released tool that relies on API keys offered by CAPTCHA-solving services, automating the account registration process in combination with the use of malware-infected hosts as proxies.


New Russian service sells access to thousands of automatically registered accounts


By Dancho Danchev

What happens when a cybercriminal cannot efficiently gain access to thousands of working accounts at popular Web services, either through data mining a botnet’s population, or through phishing campaigns?

He’ll just start systematically abusing the legitimate services by automatically and efficiently registering thousands of bogus accounts, thanks to the easy-to-use, India-based CAPTCHA-solving operations.

In this post I’ll profile a recently launched Russian-based service offering access to thousands of automatically registered accounts at popular Russian social networking sites and free email services.


Research: Google’s reCAPTCHA under fire


By Dancho Danchev

Who needs automated bots solving CAPTCHAs, when you have teams of low-waged humans recognizing them for pennies?

In an underground cybercrime ecosystem dominated by managed services and countless outsourcing opportunities, it’s fairly logical to assume that Google’s reCAPTCHA is under constant fire.

Just how easy is it to recognize reCAPTCHA images for malicious account registration and service abuse purposes? Let’s find out.


Pushu Variant Spams Hotmail, Cracks Audio Captchas


By Andrew Brandt


A new version of Trojan-Pushu is doing some interesting stuff to bypass captchas used by Microsoft’s Hotmail/Live.com/MSN webmail services in order to spam people with links to malicious Yahoo Groups pages.

The three-year-old spy (known by a variety of other aliases, including Cutwail, Pushdo, Diehard, and Rabbit) has always been, primarily, a spam bot. In this case, however, the spy is not sending spam by connecting to open mail relays or more traditional means; it’s spamming through the Hotmail/Live.com Web mail interface. Most interestingly, during the course of the spam sessions, the spy apparently pulls down “audio captchas” and successfully sends back the correct response, which permits it to continue spamming.

Audio captchas are just what they sound like they are: A voice, often female, reads a sequence of 10 numbers in an artificially noisy background. The purpose is simple: to ensure that a human being, and not some automated process, is entering data into a form. Just as you would type in the scrambled-up letters from a captcha image to proceed, with an audio captcha you have to type the correct numbers from the recording, or the site won’t let you continue.

That doesn’t seem to be a problem for this Pushu variant. We’ve seen Trojans attempt to crack visual captchas a number of ways, including using optical character recognition; employing a mechanical turk service (where humans are paid fractions of a penny for each correctly entered captcha); or by prompting the victim him- or herself to enter captcha text, disguising the captcha form as some sort of Windows prompt. This is the first time I’ve heard of a Trojan attempt to crack the audio captcha, let alone succeed.


Trojan Decodes Captchas Using Stolen Commercial Tools


By Andrew Brandt


A new Trojan quietly circulating in the wild uses components from a commercial optical character recognition (OCR) application to decode captchas, those jumbled-text images meant to help a website discern human activity from automated bots.

The OCR-using captcha breaking tool is just one component of the Trojan. Its main purpose appears to be to fill out contest entries, online polls, and other forms relating to marketing campaigns originating in the US, and it uses the OCR-cracking software in order to read the captchas and submit the form entries, on pages where the website presents a captcha to the user.

And this is not just any captcha-cracka, but a Swiss Army Knife of sorts. The maker of the “Advanced Captcha Recognition Engine” tool, based in China, claims that the tool is capable of bypassing more than 30 different captcha systems, including those used by Yahoo, MSN, and some of the largest portal sites and banks in China.

The captcha decoding tool itself is a kludge, marrying some bespoke files with components expropriated from an older version of a commercial optical character recognition (OCR) suite called TOCR. The UK-based company that makes the TOCR software, Transym Computer Services, also licenses its components to third parties, though it’s not clear they knowingly have a relationship with the Chinese captcha cracker maker, nor were they aware that parts of their engine were repurposed for sale to Chinese malfeasants. The files appear to have been stolen or pirated, and used without Transym’s knowledge.
