
reCAPTCHA is Toast

Over the past six weeks or so, one of my email accounts has been flooded with spam advertising phony Internet "pharmacy" sites and penis pill sites.

It still blows my mind to this very day that people actually give money to these folks and actually believe they are getting real drugs, rather than corn starch and food coloring, in return, but that's a whole separate issue.

The spam I have been getting differs from the ordinary, garden-variety junk "pharmacy" spam I get in that all of it advertises URLs belonging to social networking sites. Each URL is a phony profile of a bogus user, whose user information is nothing but a redirector to a spam site.

I've seen this happen before. Usually, it happens when some naive person decides to set up a niche social networking site of some sort, like a social networking site for professional engineers who work in Third World countries or a site for some obscure band or something, but doesn't know anything about security.

The Russians love people like that. Nearly all Internet pharmacy sites, even (especially) the ones that claim to be Canadian, are run by Russian organized crime. The various crime gangs use bots--computer programs that automatically scan through hundreds of thousands of Web sites per day, searching for small social networking sites. When they find one, they attempt to create phony users. If they succeed, the bot software will start setting up thousands, or even tens of thousands, of bogus users, all automatically, and stuff those bogus user profiles full of ads for the phony pharmacy sites.

So you'll end up with some Web site that's dedicated to fans of some Brazilian soccer team or something, and it will have 27,498 users with names like "BuyCheapTramadolHere." Whenever you visit the user profile page for the site, you get redirected to the fake pharmacy. The spammers then advertise the URL of the Brazilian soccer team site in their spam emails.
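The pattern described above (bogus accounts whose profile is nothing but a redirect, created in bulk by a bot) is also the pattern a site operator can look for after the fact. The following is an added example, not code from the post or from any of the sites it names: it scores a list of signup records on three signals (spam keywords in the username, a profile body that is only a redirect, and a burst of signups from one address) and flags accounts that trip at least two. The sample records, the field names, the keyword list and the thresholds are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signup records (made up for this example, not data from
# the post). Three of them mimic the bot-created profiles described above:
# a spammy username and a profile body that only redirects elsewhere.
SAMPLE_PROFILES = [
    {"user": "BuyCheapTramadolHere", "created": "2011-01-10T03:14:07", "ip": "198.51.100.7",
     "bio": '<meta http-equiv="refresh" content="0;url=http://pills.example/">'},
    {"user": "lucia_fc", "created": "2011-01-10T09:22:00", "ip": "203.0.113.5",
     "bio": "Season ticket holder since 1995. Ask me about the 2002 final."},
    {"user": "Viagra4Less", "created": "2011-01-10T03:14:09", "ip": "198.51.100.7",
     "bio": "http://meds.example/?aff=77"},
    {"user": "a8f3k2", "created": "2011-01-10T03:14:11", "ip": "198.51.100.7",
     "bio": '<script>window.location="http://rx.example/"</script>'},
    {"user": "coach_mike", "created": "2011-01-10T14:05:30", "ip": "192.0.2.44",
     "bio": "Youth coach. Our schedule is at http://club.example/schedule and the forum link is in my posts."},
]

# Keyword list is an assumption for the example; a real deployment would tune it.
SPAM_NAME_WORDS = re.compile(r"(tramadol|viagra|cialis|pharm|pills?|cheap|meds)", re.I)
# Common ways a profile page can redirect the visitor the moment it loads.
REDIRECT_MARKERS = re.compile(r'http-equiv=["\']?refresh|window\.location|location\.href', re.I)
URL = re.compile(r"https?://\S+", re.I)


def is_redirect_only(bio):
    """True if the profile text is a redirect, or is little more than a bare URL."""
    if REDIRECT_MARKERS.search(bio):
        return True
    stripped = URL.sub("", bio).strip()
    # A URL with fewer than 20 characters of other text around it is treated
    # as a link-only profile (threshold chosen for the example).
    return bool(URL.search(bio)) and len(stripped) < 20


def burst_sources(profiles, window=timedelta(minutes=1), threshold=3):
    """Return the set of IPs that created >= threshold accounts inside one window."""
    by_ip = defaultdict(list)
    for p in profiles:
        by_ip[p["ip"]].append(datetime.fromisoformat(p["created"]))
    bursty = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                bursty.add(ip)
                break
    return bursty


def flag_spam_profiles(profiles, min_signals=2):
    """Score each profile; return {username: [reasons]} for those with >= min_signals hits."""
    bursty = burst_sources(profiles)
    flagged = {}
    for p in profiles:
        reasons = []
        if SPAM_NAME_WORDS.search(p["user"]):
            reasons.append("spam keyword in username")
        if is_redirect_only(p["bio"]):
            reasons.append("profile is only a redirect")
        if p["ip"] in bursty:
            reasons.append("signup burst from same address")
        if len(reasons) >= min_signals:
            flagged[p["user"]] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_spam_profiles(SAMPLE_PROFILES).items():
        print(user, "->", "; ".join(reasons))
```

Requiring two independent signals is what keeps the legitimate coach, whose profile happens to contain a link, from being swept up with the three bot accounts; a single-signal rule on URLs alone would flag him as well.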

This is why it is absolutely essential that anyone who sets up a Web site that allows users to sign up and create profiles must, absolutely must, use some kind of system to prevent bot software from creating phony profiles.

Enter the CAPTCHA--those weird squiggly lines of text that you have to type in to fill out many Web forms. The idea behind a CAPTCHA is that a computer program can't read the words, so computer programs can't be used to fill out the form.

Organized crime has spent a huge amount of money and time in trying to figure out ways to break CAPTCHAs. Some of the most cutting-edge work in computer optical character recognition is coming from Eastern European organized crime. (Some Web services, such as Gmail, are worth so much to organized crime--mail sent from a Google mail server is almost never blocked by spam filtering software--that organized crime gangs have been known to pay unemployed Third Worlders a penny or so apiece to sit in front of a computer typing in CAPTCHA codes all day.) Another strategy that criminals have used to defeat high-value CAPTCHAs is to do things like set up phony Web sites offering free porn to people if they type in CAPTCHA codes first.

In the past, whenever I have received spam advertising a URL or a redirector hosted on a social networking site, the social networking site hasn't been using a CAPTCHA. That makes it trivial for the spammers to create phony accounts to act as redirectors to their spam sites.

CAPTCHAs are such a mandatory part of good Web practice that there are businesses whose sole business is providing CAPTCHA generation software or services to Web owners. One such business is a company called reCAPTCHA, which provides free CAPTCHAs for Web site owners. Hundreds of thousands of Web sites, including many high-profile sites like Craigslist, use CAPTCHAs generated by reCAPTCHA.

And that's where things get interesting.

Back to my inbox.

Like I said, it's been flooded lately. I've seen literally thousands of bits of spam all advertising bogus profiles on various social networking sites.

Unsurprisingly, many of them are hosted by Ning, the failed and woefully insecure social networking platform cofounded by Netscape cofounder Marc Andreessen, which today seems to serve primarily as a platform for spammers (as I've detailed here). The URLs in the spam look like this:


So in other words, about par for the course for Ning; it's a sewer of spam, and since it recently fired most of its staff, it's unlikely ever to improve.

But a lot of the other URLs I've been seeing aren't hosted on Ning:


Those three sites (mysoulspot.com, design21sdn.com, and sgdotnet.org) have been hit particularly hard, with each of them currently hosting literally thousands or even tens of thousands of spam profiles.

I visited these and other social networking sites that kept popping up in my spam, expecting to see that they were not using CAPTCHAs to protect themselves from bot software signups.

But that isn't what I found at all. Instead, what I discovered is that every one of the sites I'm seeing that's being attacked, including the Ning sites and the social networking sites not related to Ning, is using reCAPTCHA as its CAPTCHA provider.

All of them.

Which suggests very strongly to me that reCAPTCHA has been busted. Organized crime has written, I suspect, software that is effective enough at breaking reCAPTCHA protection that it is effectively useless.


( 10 comments — Leave a comment )
Jan. 17th, 2011 03:43 am (UTC)
gotta reCaptcha every one..
There's been quite a bit of traffic on the Full Disclosure mailing list about recaptcha vulns for a while. None of my blogs rely solely on it or other captcha style authentications anymore.

Would be interested in seeing a serious analysis of this and if it really has been completely broken or not.

Jan. 17th, 2011 06:01 am (UTC)
Ah, I knew I saw something about this - Slashdot had an article about it 5 days ago: http://tech.slashdot.org/story/11/01/11/1411254/Google-ReCAPTCHA-Cracked
Jan. 17th, 2011 08:01 am (UTC)
So it looks like one particular instance of CAPTCHA technology, "recaptcha", has a problem. We should still be using CAPTCHA to some extent...

I have a number of small social networking sites exactly like you describe and always think "I'll set up CAPTCHA later" and regret it after I block a few hundred spammer users.

The funny thing is that for some of them there is nothing at all that they can use to spam with - no links, no comments, nothing.
(Deleted comment)
Jan. 17th, 2011 11:48 pm (UTC)
Yep. With reCAPTCHA, only one of the two words is actually a CAPTCHA, and it allows you to get one letter wrong on that word, so it's not really terribly secure.
Jan. 17th, 2011 07:51 pm (UTC)
I find it wonderfully ironic that Russian organized crime is driving new research in image recognition. At this rate I expect that if a true Turing-test-passing AI is ever developed, it will be by telemarketers or something. Skynet has awoken, and it wants you to help it move some money out of a Nigerian bank account.
Jan. 17th, 2011 10:45 pm (UTC)
I am so quoting you.
Jan. 18th, 2011 02:54 pm (UTC)
Skynet has awoken, and it wants you to help it move some money out of a Nigerian bank account.

I love it!
Jan. 28th, 2011 06:16 am (UTC)
It's funny because it's true! You win the Epic Veracity award. - ZM
Jan. 18th, 2011 10:11 am (UTC)
From Twitter 01-17-2011
User fayanora referenced to your post from From Twitter 01-17-2011 saying: [...] ReCAPTCHA has probably been busted: http://tacit.livejournal.com/345897.html [...]