Showing posts sorted by relevance for query captcha.

Monday, September 03, 2007

Spammers and Phishers Breaking CAPTCHAs

The emergence of CAPTCHA-based authentication was a logical move in the fight against automated brute forcing of login details, automated registrations, spamming and splogging in the form of comment spam and splog registrations. Consequently, spammers, phishers and malware authors started figuring out how to achieve their objectives automatically, by either breaking or adapting to a particular CAPTCHA, or, even more pragmatically, by outsourcing the request to a third party.

Two months ago, there were news stories on how spammers and phishers, feeling the pressure put on them by anti-spam vendors, had supposedly broken Hotmail and Yahoo's CAPTCHAs. Nothing is impossible; the impossible just takes a little longer. What's important is discussing the many other perspectives related to adapting to a CAPTCHA, directly breaking it, or ignoring it entirely.


In the first example you can see automatic CAPTCHA recognition at a Russian email provider. What the script is basically doing is syndicating proxies, ensuring they work, and starting the mass registration process while reporting confirmation or error results in between. The CAPTCHA in question is indeed primitive, but what the malicious parties are really interested in is the email provider's clean IP reputation, which turns its accounts into launch pads for spam, phishing and malware. Once the CAPTCHA becomes easily recognizable, the entire process of logging in and sending the malicious content can also be fully automated.

The second example is a great illustration of the adaptation process. The CAPTCHA cannot be efficiently abused as we've seen in the first case, but instead of putting effort into breaking it directly, the malicious parties are simply adapting. Once proxies get syndicated and verified for connectivity, the script asks for the number of accounts to be registered, responds with automatically generated logins, and presents the CAPTCHA to be entered manually by the malicious party. Malicious economies of scale in action: even though the CAPTCHA cannot be broken, the process is still partly automated, another example of marginal thinking applied in order to achieve an objective.

Sample CAPTCHA breaking project requests:

- "I need a captcha breaker that can break captchas that are of the same style I will upload here. I will want a c++ dll that receives a file path and returns a char* with the content of the picture (letters and numbers)"

- "The program needs to take a myspace captcha image and determine what the text says in the image. The accuracy needs to be 80%+"

- "We are an expert group for inputting captchas for you with very low price and high accuracy. We can input 10k to 100k (depending on how many you can offer to us) per day with accuracy at least 70% (for simple captchas such as yahoo, it is above 95%). We also own expert programmers who can help you with writing your spiders or other software to get and manage all the captchas."

Some are purely malicious, others aim to verify the security of a CAPTCHA in development, for instance. Let's summarize. Why are malicious parties interested in defeating CAPTCHAs at popular sites?

- take advantage of the clean IP reputation of the email service in order to improve the chance of having their phishing/spam/malware email successfully received

- set the foundations for large scale automated spamming/phishing operations by using legitimate email addresses, thus improving their chances of not getting filtered

- automated registration of splogs -- spam blogs

- as search engines are starting to crawl sites submitted at the most popular social networks in real time, spammers and malware authors are naturally interested in abusing this development to attract huge audiences to their splogs in a timely manner, splogs which often have malware embedded within

What are malicious parties doing to achieve efficiency despite their inability to defeat an advanced CAPTCHA?

- humans enter the CAPTCHAs while the script auto-generates and stores the logins and passwords, then automatically logs in with them in combination with the human-entered CAPTCHA

- adapting rather than putting more effort into rocket science: whenever a CAPTCHA cannot be beaten automatically, as you already saw in the second screenshot, they make it easier and faster for humans to enter the CAPTCHA than it would be for an end user browsing the site

- outsourcing the work while making it sound like a quality assurance project for a CAPTCHA about to be introduced on the market

What can web sites do to prevent that sort of malicious behaviour? Strong CAPTCHAs should be in place by default, but there is another perspective. In the same way I discussed how click fraud could easily be detected by advertising networks syndicating the IPs of hosts already known to be malware infected, a CAPTCHA system could check whether, for instance, default proxy ports are open on the host trying to register, and whether or not that host is part of a botnet. With data like this now a commodity, a prioritization process that closely monitors mass registrations from these IPs is a pragmatic early warning system.

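
The registration-time check described above, as an added example that is not part of the original post: a registration gate that combines a reputation feed of known-infected hosts, the result of a proxy-port check on the registering host, and a per-IP sliding window, and assigns a monitoring priority to each registration attempt. Everything in it is an assumption for illustration: the IP feed, the proxy-port list, the thresholds, and the fact that the port-check result is supplied by a prior probe rather than performed inline.

```python
from collections import defaultdict, deque

# Constructed sample of hosts already known to be malware infected / botnet
# members. Assumption: in production this would come from a commercial or
# community IP reputation feed; these addresses are documentation ranges.
KNOWN_INFECTED_IPS = {"198.51.100.23", "203.0.113.77"}

# Ports on which open proxies are commonly found. Assumption: the list is
# illustrative, not exhaustive; the site runs its own port check against the
# registering host and passes the open ports in, so nothing is probed here.
DEFAULT_PROXY_PORTS = {1080, 3128, 8080, 8118}

WINDOW_SECONDS = 300             # constructed: sliding window for per-IP counting
MASS_REGISTRATION_THRESHOLD = 5  # constructed: registrations per IP per window


class RegistrationGate:
    """Assigns a monitoring priority to registration attempts by source IP."""

    def __init__(self, window_seconds=WINDOW_SECONDS,
                 threshold=MASS_REGISTRATION_THRESHOLD):
        self.window_seconds = window_seconds
        self.threshold = threshold
        self._history = defaultdict(deque)  # ip -> timestamps inside the window

    def _record(self, ip, now):
        """Append this attempt and return how many attempts fall inside the window."""
        recent = self._history[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()
        return len(recent)

    def assess(self, ip, open_ports, now):
        """Return (priority, reasons) for one registration attempt.

        ip         - source address of the registration request
        open_ports - ports a prior probe found open on that host
        now        - current time in seconds (passed in for testability)
        """
        reasons = []
        if ip in KNOWN_INFECTED_IPS:
            reasons.append("source is a known infected host")
        proxy_ports = sorted(DEFAULT_PROXY_PORTS.intersection(open_ports))
        if proxy_ports:
            reasons.append(f"default proxy ports open: {proxy_ports}")
        count = self._record(ip, now)
        if count >= self.threshold:
            reasons.append(f"{count} registrations within {self.window_seconds}s")
        # Each independent signal raises the priority one step; the point is to
        # prioritise monitoring of these registrations, not to block outright.
        priority = {0: "normal", 1: "monitor"}.get(len(reasons), "urgent")
        return priority, reasons


def run_demo():
    """Feed constructed registration attempts through the gate."""
    gate = RegistrationGate()
    results = {}
    results["clean"] = gate.assess("192.0.2.10", [], 1000.0)
    results["infected_proxy"] = gate.assess("198.51.100.23", [22, 3128], 1001.0)
    # Five attempts from one address within the window trip the mass check.
    for i in range(5):
        results["burst"] = gate.assess("192.0.2.55", [], 1002.0 + i)
    # The same address ten minutes later has dropped out of the window.
    results["burst_later"] = gate.assess("192.0.2.55", [], 1700.0)
    return results


if __name__ == "__main__":
    for name, (priority, reasons) in run_demo().items():
        print(name, priority, reasons)
```

The gate never blocks on its own: a single signal only marks the attempt for closer monitoring, and only the combination of signals (an infected host that also exposes a proxy port, or a burst from such a host) is escalated, which matches the early-warning role the paragraph describes.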
Interesting reading on the big picture too, CAPTCHA - The Broken Token:

"How much does it cost to have a CAPTCHA hack custom developed? $10 to $20 ought to do the trick; certainly no more than $50. But the cost isn’t the point. What’s more alarming is that thousands upon thousands of site owners are depending upon flawed technology to protect their sites from spam even though they know, or at least should know, that it’s only a matter of time until some spam robot shows up and starts hammering away at those worthless little images."

The irony regarding CAPTCHAs is that less popular sites often have a more sophisticated CAPTCHA than the Web 2.0 darlings and the most widely used web sites.

Friday, August 29, 2008

Exposing India’s CAPTCHA Solving Economy

"Are you a Human?" - once asked the CAPTCHA, and the question got answered by, well, a human, thousands of them to be precise. Speculation around one of the main weaknesses of CAPTCHA-based authentication, human CAPTCHA solvers, seems to have evolved into a booming economy in India during the past 12 months, with thousands of people involved.

The following article, "Inside India’s CAPTCHA solving economy", aims to expose legitimate data entry workers whose business models and techniques are in fact used by Russian cybercriminals not only for their own phishing, spamming and malware spreading purposes, but also to resell the bogus accounts and earn a premium in the process:

"No CAPTCHA can survive a human that’s receiving financial incentives for solving it, and with an army of low-waged human CAPTCHA solvers officially in the business of “data processing” while earning a mere $2 for solving a thousand CAPTCHAs, I’m already starting to see evidence of consolidation between India’s major CAPTCHA solving companies. The consolidation logically leading to increased bargaining power, is resulting in an international franchising model recruiting data processing workers empowered with do-it-yourself CAPTCHA syndication web based kits, API keys, and thousands of proxies to make their work easier, and the process more efficient."

Cybercrime is just as outsourceable as CAPTCHA breaking is these days.

UPDATE: Slashdot, BoingBoing, Ars Technica, and The Tech Herald picked up the story.

Related posts:
The Unbreakable CAPTCHA
Spam coming from free email providers increasing
Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers
Microsoft’s CAPTCHA successfully broken
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?

Tuesday, February 17, 2009

Community-driven Revenue Sharing Scheme for CAPTCHA Breaking

What follows when a system that was originally created to be recognizable by humans only, gets undermined by low-waged humans or grassroots movements? Irony, with no chance of reincarnation. CAPTCHA is dead, humans killed it, not bots.

A new market entrant into the CAPTCHA-breaking economy is proposing a novel approach that is not only going to result in more efficient human-based CAPTCHA solving on a large scale, but is also going to generate additional revenue for webmasters and their sites' community members. The concept is fairly simple, since it mimics reCAPTCHA's core idea.

However, instead of digitizing books, the CAPTCHA entry field syndicates CAPTCHAs from Web 2.0 web properties, and any webmaster of an underground community, or of a general site, who would like to do so is free to embed it on a revenue-sharing or purely voluntary basis.

Consider for a moment the implications of such a project if they manage to execute it successfully. It could start from community-driven CAPTCHA breaking of Web 2.0 sites on basic forum registration fields, using MySpace.com's CAPTCHA to authenticate new and existing users, move on to plain automatic rotation for idle community users, and end with the enforcement of CAPTCHA authentication for each and every new forum post or reply.

What happens with the successfully recognized CAPTCHAs? As usual, hundreds of thousands of bogus profiles will get automatically registered for spam and malware spreading, or for reselling. The development of this service -- if any -- will be monitored and updates posted if it goes mainstream.

Related posts:
The Unbreakable CAPTCHA
Spammers attacking Microsoft's CAPTCHA -- again
Spam coming from free email providers increasing
Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers
Microsoft’s CAPTCHA successfully broken
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?

Wednesday, June 24, 2009

A Peek Inside the Managed Blackhat SEO Ecosystem

Ever wondered how thousands of bogus accounts across multiple Web services are automatically generated, with built-in monetization channels ranging from scareware and malware to the use of legitimate affiliate links from major ad networks?

Through several clicks, or, if complete automation and experience count, by outsourcing the process to a managed blackhat SEO provider that charges not for the product but for the service offered. Let's take a peek at some of the currently available DIY tools, and at what a managed blackhat SEO service provider has to offer.

Take for instance the "professional blackhat SEO" expert featured here. His ongoing Twitter spam campaigns are in fact so successful at hijacking trending topics that at first they looked like your typical scareware serving campaign. What both have in common are the spamming techniques used.

However, the tactics vary and indicate an interesting shift away from the typical outsourcing of CAPTCHA recognition for the purpose of storing the blackhat SEO content on a legitimate provider's services. In order to scale more efficiently, several currently active managed blackhat SEO providers have vertically integrated to the point where they manage their own blackhat SEO-friendly ISP.

By doing so, their bogus account generating platforms are capable of achieving speeds that would otherwise be either impossible or impractical to set as objectives through outsourced CAPTCHA recognition: 2,931 bogus Wordpress accounts with template-based blackhat SEO content generated in 1 second using their own managed infrastructure. The following screenshots provide an inside peek into one of the products offered by the "professional blackhat SEO expert":



What took place in one second was the generation of thousands of bogus accounts with descriptive blackhat SEO subdomains, with the bogus content pulled/scraped from legitimate, real-time news providers, and with the entire operation run as a managed service, or the tool itself offered for sale. As in every other managed underground service, customization plays a major role and is often the key benchmark for judging one product against another. Customization in respect to this particular tool comes in the form of numerous Wordpress templates that can be used at random during the registration process:

Static customization is one thing, dynamic customization is entirely another. The product, and consequently the managed service, offer the ability to automatically add Ebay and Amazon listings with the user's unique affiliate code posted within the bogus content:

The practice of affiliate network fraud -- excluding cybersquatting as a prerequisite for its success -- was recently mentioned as a much more lucrative fraudulent practice than the pay-per-click model, which depends entirely on the fraudster knowing which monetization model has the highest pay-out rates:

"Some companies offer legitimate affiliate programs that allow third-party Web site owners to post links and banners with the company’s branded content on their site or to send traffic to the company’s site directly through domain forwards. In return, the owner of the site hosting the link receives a commission for every click-through that results in a purchase. This lucrative commission structure has enticed cybercriminals to take advantage of affiliate programs by registering typo domains that redirect to legitimate content and enable them to collect affiliate fees."

Next to the malware/scareware serving Twitter campaigns, affiliate network fraud is also very common at the ever-growing micro-blogging service, whose lack of common sense account registration practices -- Twitter doesn't require a valid email, nor does it require an email confirmation upon registering an account -- makes generating bogus accounts child's play.

The bottom line: is the managed blackhat SEO hosting service ($500 per month, or $5000 for one year, for the unlimited domains/subdomains/traffic/disk space package) the future, or are we going to continue seeing the systematic abuse of legitimate services' infrastructure through outsourced CAPTCHA recognition? I'd go for the second for a simple reason: it's more cost-effective than the managed service, at least for the time being. In the long term, once it achieves its logical "malicious economies of scale", the hosting and the process would become cheaper, thereby attracting more customers.

Recommended reading -
Outsourced CAPTCHA recognition:
Community-driven Revenue Sharing Scheme for CAPTCHA Breaking
The Unbreakable CAPTCHA
Spammers attacking Microsoft's CAPTCHA -- again
Spam coming from free email providers increasing
Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers
Microsoft’s CAPTCHA successfully broken
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?

Managed Cybercrime-facilitating services/tools:
Commercial Twitter spamming tool hits the market
Zeus Crimeware as a Service Going Mainstream
Managed Fast-Flux Provider
Managed Fast Flux Provider - Part Two
76Service - Cybercrime as a Service Going Mainstream
Inside (Yet Another) Managed Spam Service
Inside a DIY Image Spam Generating Traffic Management Kit
Quality Assurance in a Managed Spamming Service
Managed Spamming Appliances - The Future of Spam
Dissecting a Managed Spamming Service
Inside a Managed Spam Service
Spamming vendor launches managed spamming service

Cybersquatting/Per Pay Click Fraud:
Exposing a Fraudulent Google AdWords Scheme
Botnets committing click fraud observed
Click Fraud, Botnets and Parked Domains - All Inclusive
Cybersquatting Security Vendors for Fraudulent Purposes
Cybersquatting Symantec's Norton AntiVirus
The State of Typosquatting - 2007

This post has been reproduced from Dancho Danchev's blog.

Thursday, July 03, 2008

Gmail, Yahoo and Hotmail’s CAPTCHA Broken


It's one thing to start efficiently registering thousands of email accounts at reputable email providers by automatically breaking their CAPTCHA authentication, and entirely another to build a business model on top of it, next to the opportunity to abuse it for your own malicious purposes. Which is exactly what we have here: an underground service that's selling registered accounts at Gmail, Yahoo, Hotmail and the most popular Russian email providers by the thousands. Once the inventory of registered accounts drops due to someone's purchase, it continues registering one to two email accounts per second.

Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers:

"Breaking Gmail, Yahoo and Hotmail’s CAPTCHAs, has been an urban legend for over two years now, with do-it-yourself CAPTCHA breaking services, and proprietary underground tools assisting spammers, phishers and malware authors into registering hundreds of thousands of bogus accounts for spamming and fraudulent purposes. This post intends to make this official, by covering an underground service offering thousands of already registered Gmail, Yahoo and Hotmail accounts for sale, with new ones registered every second clearly indicating the success rate of their CAPTCHA breaking capabilities at these services."

Text-based CAPTCHA is so broken that, if the major web sites whose services are getting abused don't at least try to slow down the efficient approach to breaking it, we are going to see an entire spamming infrastructure built on the foundation of legitimate email service providers.

Related posts:

Vladuz's Ebay CAPTCHA Populator

Spammers and Phishers Breaking CAPTCHAs

DIY CAPTCHA Breaking Service

Which CAPTCHA Do You Want to Decode Today?

Wednesday, November 28, 2007

Which CAPTCHA Do You Want to Decode Today?

Once you anticipate your success, you logically start putting more effort into achieving a decent level of efficiency in the process of breaking CAPTCHAs, and that, of course, goes hand in hand with commercializing your know-how. CAPTCHA breaking or decoding on demand has been a reality for a while, with malicious parties empowered by proprietary tools, publicly available DIY CAPTCHA breakers, or services like this one doing it on demand.

The following service offers CAPTCHA decoding on a per web service basis, and entices future customers by stating the percentage of accuracy, the price, and the difficulty of breaking each one. CAPTCHA decoding is listed for the following services: 9you, tiancity, cncard, the9, kingsoft, taobao, dvbbs, shanda, csdn, chinaren, monter, and baidu. The hardest to break CAPTCHAs mentioned are those of Yahoo, Hotmail, QQ and Google. Moreover, Ticketmaster's is the most expensive one, followed by Ebay's CAPTCHA decoding process.

What happens when malicious parties cannot directly decode the CAPTCHA? They figure out ways to adapt to the situation, namely by enjoying the benefits of the human factor in the process while sacrificing some of the efficiency, but continuing to achieve their objective.

Wednesday, October 03, 2007

DIY CAPTCHA Breaking Service

Given that spammers and phishers are already breaking, bypassing or outsourcing their CAPTCHA breaking needs, the introduction of a DIY (do-it-yourself) model, provided that confidence in the recognition process is over 80%, was inevitable. The CAPTCHA Bot is a good example of a recently released DIY CAPTCHA breaking service where users feed their accounts with credits and set the URLs and CAPTCHAs to be recognized. If it were pitched as a service at vendors, or at anyone out there maintaining a CAPTCHA, it would have been a great idea; the trouble is that it would be largely abused in its current form.

Let's discuss the incentives model. Are developers of CAPTCHAs interested in improving the security of their CAPTCHAs through contests with financial rewards or job offers for those who dare to break them? Not necessarily, and fixing vulnerabilities whenever they appear is done in an "on demand" fashion, like we've seen with Vladuz's Ebay CAPTCHA populator. CAPTCHAs at the most popular web services are the gatekeepers of their online reputation; otherwise the flood of splogs and malware-embedded blogs, as well as spam and phishing emails coming from free web-based email providers, may outpace the current model.

Friday, October 28, 2022

CAPTCHA is Dead! - Here's the Proof

Dear blog readers,

It's a public secret that the majority of today's modern Web sites rely on CAPTCHA to tell users from bots or automated software. In reality this is a flawed and outdated approach to protecting a Web site and its visitors: in 2022 we continue to live in a world where CAPTCHA-solving as a service, which also includes reCAPTCHA solving as a service, continues to proliferate, with possibly thousands of users across the globe processing hundreds of thousands of CAPTCHAs from popular CAPTCHA services, empowering Russian and international cybercriminals on their way to properly and automatically registering new accounts on major Web properties and social networks internationally.

In this post I'll detail the activities of several known CAPTCHA-solving services and discuss in-depth their functionalities with the idea to raise awareness on the concept including the systematic and automatic CAPTCHA solving courtesy of humans and their affiliate-based networks.

Sample URLs known to have been involved in the campaign include:

hxxp://captchasolver.com - 69.172.201.208; 52.73.71.92; 52.73.115.80; 172.64.138.13; 172.67.184.21

hxxp://captchaocr.com - 172.93.194.59; 172.93.194.58; 3.130.204.160; 103.224.212.221; 3.19.116.195

hxxp://typethat.biz - once executed the sample phones back to hxxp://5fc.info - 184.168.192.116; 45.40.164.140; 209.99.40.222; 208.91.199.225; 50.62.160.53

Sample MD5 known to have been involved in the campaign include:

MD5: eb1ef93dcf2e9fd747ea2b80dd0c2619

Related URLs known to have been involved in similar campaigns include:

hxxp://captchasolver.com/

hxxp://216.55.132.15/captchas

hxxp://64.34.161.26:8888/type/typer.html

hxxp://panel.6ew.pl/index.php

hxxp://www.geocities.com/workcaptcha/magic.bolobomb.htm

hxxp://magic.bolobomb.com/lepricon/index.php

hxxp://www.geocities.com/workcaptcha/destination.work.htm

hxxp://nagic.bolobomb.com/lepricon/index.php?A=STATS

hxxp://www.destination-server.com/bulletinpics/entry.cgi

hxxp://www.destination-server.com/bulletinpics/server-slow.cgi

hxxp://74.55.167.90:8546/entry/type.php?

hxxp://www.lovecolony.com/captchasetup.exe

hxxp://www.captchaocr.com/human/index.php

hxxp://bpoworld.awardspace.com/

Stay tuned!

Thursday, July 17, 2008

The Unbreakable CAPTCHA

In response to the continuing evidence of how spammers are efficiently breaking the CAPTCHAs of popular free email service providers in order to abuse their clean IP reputation, and their already validated authenticity through the DomainKeys and SenderID frameworks, someone has finally come up with an unbreakable CAPTCHA.

If only it weren't a hoax, it would even have solved the human CAPTCHA solvers problem, since their sessions would probably have expired due to their inability to solve it.

Related posts:

Vladuz's Ebay CAPTCHA Populator

Spammers and Phishers Breaking CAPTCHAs

DIY CAPTCHA Breaking Service

Which CAPTCHA Do You Want to Decode Today?

Sunday, May 05, 2019

Historical OSINT - Yet Another Massive Scareware-Serving Campaign Courtesy of the Koobface Gang

It's 2010 and I've recently come across yet another currently active scareware-serving campaign courtesy of the Koobface gang, this time successfully introducing a CAPTCHA-breaking module that potentially improves the propagation and distribution scale within major social networks.

In this post I'll discuss the campaign and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:
hxxp://goscandir.com/?uid=13301 - 91.212.107.103 - hosting courtesy of AS29550 - EUROCONNEX-AS Blueconnex Networks Ltd Formally Euroconnex Networks
hxxp://ebeoxuw.cn/?uid=13301
hxxp://ebiezoj.cn/22/?uid=13301
hxxp://goscanhand.com/?uid=13301
hxxp://byxzeq.cn/22/?uid=13301

Sample malicious MD5 known to have participated in the campaign:
MD5: 16575a1d40f745c2e39348c1727b8552

Once executed, a sample phones back to:
hxxp://in5it.com/download/Ipack.jpg - the actual executable

Related malicious MD5 known to have participated in the campaign:
MD5: 1d5e3d78dd7efd8878075e5dbaa5c4fd

Related malicious MD5 known to have participated in the campaign:
MD5: 6262c0cb1459adc8f278136f3cff2777

It's worth pointing out that, prior to this campaign, the Koobface gang appears to have introduced a CAPTCHA-breaking module which basically relies on actively outsourcing the CAPTCHA-breaking process, potentially improving Koobface's spreading and propagation effectiveness.

Sample malicious URL known to have participated in the campaign:
hxxp://peacockalleyantiques.com/.sys/?getexe=v2googlecheck.exe

Sample malicious MD5 known to have participated in the campaign:
MD5: cf9729bf3969df702767f3b9a131ec2c

Sample malicious URL known to have participated in the campaign:
hxxp://peacockalleyantiques.com/.sys/?getexe=v2captcha.exe

Sample malicious MD5 known to have participated in the campaign:
MD5: f2d0dbf1b11c5c2ff7e5f4c655d5e43e

Once executed a sample phones back to the following C&C server IPs:
hxxp://capthcabreak.com/captcha/?a=get&i=0&v=14 - 67.212.69.230
hxxp://captchastop.com/captcha/?a=get&i=1&v=14 - 67.212.69.230

Wednesday, September 17, 2008

Spam Campaign Abusing Yahoo's Services

Think spammers. Yahoo.com trusts Yahoo.com; consequently, a spam campaign that uses bogus Yahoo.com email accounts and spams only Yahoo users with links to Yahoo's search engine, using queries leading to the exact spammer's URLs, is almost 100% sure to make it through spam filters. That seems to be the case with this spam campaign, which fits perfectly into the "spam that made it through" category.

Sample search queries resulting in a single result with the spammer's URL:
- yahoo.com/////////////////////////////search/search;_ylt=?p=())))))))))))))callfold(((((((((((((((()))))))))))((((()))))))5000)))))))))))(((((((
- search.yahoo.com/search?p=(((((())))))))((((((((((((((housetear((((())))))(((((((())))))))(((((((((5000((((((())))))))))))))))))))
- yahoo.com/search/search;_ylt=?p=]]]]]]]]]]]][[[[[[galestay[[]]]]]]][[[[[[[[[[[[[[[[[[[[$229[[[[[[[[[[[[[[[[[[[]]]]
- yahoo.com/search/search;_ylt=?p=(((((())))))))))galestay((((((()((((((((((((((((($229)))))))))))(((()
- yahoo.com/////////////////////////////search/search;_ylt=?p=))))))))))))))(((((richorbit((((((((((((((())))))))))))((((((())))))$229)))))))))))(((((((
- yahoo.com/////////////////////////////search/search;_ylt=?p=))))))(((())))))))))richorbit((((((((((((())))))))((((((((((((((((((((((((((((($229))))))((((())


The search queries lead to galestay.com; housetear.com; callfold.com; richorbit.com with several hundred spam domains participating in the campaign parked at 218.61.7.21 and 220.248.185.64.
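
A defender-side way to pick out padded search URLs like the ones listed above, as an added example that is not part of the original post: it parses each URL, measures how much of the search term is bracket padding, and extracts the word hidden inside the padding so it can be matched against the spam domains the campaign promotes. The sample URLs are the six quoted in the post plus one constructed benign query; the thresholds are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

PADDING_CHARS = set("()[]{}")
PADDING_RATIO_THRESHOLD = 0.5  # assumption: half or more of the term is brackets
MIN_TERM_LENGTH = 20           # assumption: ignore short search terms

# The six queries quoted in the post, plus one constructed benign search.
SAMPLE_URLS = [
    "yahoo.com/////////////////////////////search/search;_ylt=?p=())))))))))))))callfold(((((((((((((((()))))))))))((((()))))))5000)))))))))))(((((((",
    "search.yahoo.com/search?p=(((((())))))))((((((((((((((housetear((((())))))(((((((())))))))(((((((((5000((((((())))))))))))))))))))",
    "yahoo.com/search/search;_ylt=?p=]]]]]]]]]]]][[[[[[galestay[[]]]]]]][[[[[[[[[[[[[[[[[[[[$229[[[[[[[[[[[[[[[[[[[]]]]",
    "yahoo.com/search/search;_ylt=?p=(((((())))))))))galestay((((((()((((((((((((((((($229)))))))))))(((()",
    "yahoo.com/////////////////////////////search/search;_ylt=?p=))))))))))))))(((((richorbit((((((((((((((())))))))))))((((((())))))$229)))))))))))(((((((",
    "yahoo.com/////////////////////////////search/search;_ylt=?p=))))))(((())))))))))richorbit((((((((((((())))))))((((((((((((((((((((((((((((($229))))))((((())",
    "search.yahoo.com/search?p=cheap+flights+to+paris",  # constructed, benign
]


def analyze_search_url(url):
    """Return a dict describing how much the search term looks like padding."""
    if "://" not in url:
        url = "http://" + url  # the post quotes the URLs without a scheme
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)
    term = " ".join(params.get("p", []))  # Yahoo's search term parameter
    padding = sum(1 for ch in term if ch in PADDING_CHARS)
    ratio = padding / len(term) if term else 0.0
    # Longest run of consecutive slashes in the path; the post's URLs pad that too.
    slash_run = max((len(run) for run in re.findall(r"/+", parsed.path)), default=0)
    suspicious = len(term) >= MIN_TERM_LENGTH and ratio >= PADDING_RATIO_THRESHOLD
    return {
        "host": parsed.netloc,
        "suspicious": suspicious,
        "padding_ratio": round(ratio, 2),
        "slash_run": slash_run,
        # Alphabetic words left once the brackets are ignored: the keyword
        # that steers the search engine to the spam domain.
        "hidden_words": re.findall(r"[A-Za-z]{3,}", term),
    }


def hidden_keywords(urls):
    """Collect the words buried inside suspicious search terms, for
    correlation with the spam domains the campaign promotes."""
    words = set()
    for url in urls:
        report = analyze_search_url(url)
        if report["suspicious"]:
            words.update(word.lower() for word in report["hidden_words"])
    return sorted(words)


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(analyze_search_url(sample))
    print(hidden_keywords(SAMPLE_URLS))
```

Run over the post's samples the hidden words come out as callfold, galestay, housetear and richorbit, which are exactly the spam domains the queries resolve to, so the same routine applied to URLs extracted from inbound mail gives a filter a signal that does not depend on the sender's domain reputation.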

With CAPTCHA solving and automatic account registration getting easier to outsource, next to the easily obtainable segmented email databases of a particular ISP or web-based email service provider, launching such a campaign requires less effort than it used to. Interestingly, the emails spammed through Yahoo never leave Yahoo Mail, since the campaign only spams Yahoo users, judging by the extensive number of emails CC-ed.

What's to come in the long term? With an entire spamming infrastructure built on the foundation of hundreds of thousands of bogus accounts at legitimate services, spammers are already starting to embrace the "legitimate sender" mentality and are working on ways to integrate that infrastructure into their spam systems, evidence of which can be seen in several different managed spamming services.

Related posts:
Microsoft’s CAPTCHA successfully broken
Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers
Spam coming from free email providers increasing
Inside India’s CAPTCHA solving economy

Wednesday, November 02, 2022

Exposing a Publicly Accessible CAPTCHA-Solving Service - An Analysis

Dear blog readers,

I've decided to share with everyone a series of photos courtesy of a publicly accessible CAPTCHA-solving service, one that also includes the breaking and direct bypassing of Google's reCAPTCHA, with the idea of raising awareness of the fact that in today's modern cybercrime ecosystem the bad guys continue to outsource the CAPTCHA solving process to humans. These humans then systematically and semi-automatically attempt to solve as many CAPTCHAs as possible, potentially earning a decent portion of revenue in the process and, most importantly, empowering today's modern spam and blackhat SEO tools with automated CAPTCHA solving and account registration on some of today's major Web properties.

Sample screenshots include:

Stay tuned!

Tuesday, July 23, 2013

Instagram Under Fire as Cybercriminals Release New DIY Fake Account Registration/Management/Promotion Tool

In 2013, CAPTCHAs represent an outdated approach for a Web site wanting to prevent the efficient and systematic abuse of its services.

This fact, largely driven by the rise over the last couple of years of cost-effective CAPTCHA solving solutions offered by low-waged individuals internationally, continues to empower virtually anyone possessing the right cybercrime-friendly tools with the ability to abuse any major Web property in a potentially fraudulent or malicious way.

In this post, I'll profile one of the most recently released DIY fake account registration/management/promotion tools, targeting Instagram, highlight its core features, and emphasize the true impact that these tools are having on some of the world's most popular Web properties.

Sample screenshots of the tool in action:

Some of its core features are:
  • support for multi-threading
  • set number of accounts to generate using a single proxy (malware-infected host)
  • randomization of the posted bogus content to avoid easy detection of the pattern
  • male/female fake account creation capabilities
  • mass account validity checking capabilities
  • CAPTCHA-solving integration with third-party CAPTCHA solving services

Over the years, I've been extensively profiling campaigns utilizing purely legitimate infrastructure for achieving the fraudulent/malicious objectives set by the cybercriminals behind them. These cases demonstrate that cybercriminals continue to pursue the efficient and systematic abuse of legitimate Web properties, which, on the other hand, continue relying on CAPTCHA challenges to differentiate between bots and humans using the site, forgetting that it's actually humans solving the CAPTCHAs for their customers.

Known cases of abuse of legitimate infrastructure for fraudulent/malicious purposes over the years include:
Bogus "Shocking Video" Content at Scribd Exposes Malware Monetization Scheme Through Parked Domains
Fake Codec Serving Domains from Digg.com's Comment Spam Attack
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software
Dissecting the Bogus LinkedIn Profiles Malware Campaign
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd
Celebrity-Themed Scareware Campaign Abusing DocStoc
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Pharmaceutical Spammers Targeting LinkedIn