Spammers break Hotmail's CAPTCHA yet again

Fake accounts take seconds to create.

The battle by Microsoft to secure its Live Hotmail system from spammers appears to have failed yet again with the news that the latest version of its CAPTCHA authentication system has been broken.

According to a detailed analysis of the latest hack by security company Websense, spammers have come up with a new scheme to fool the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) that takes possible attack scenarios to new levels of sophistication.

The process starts in the same way as did previous CAPTCHA-breaking attacks, using bot-controlled zombie PCs under remote control to fill in the main fields - name, password, country - asked for by Hotmail during signup. The CAPTCHA image presented by Hotmail is then uploaded to a remote server for image decoding, before being sent back to the client for the attempt to create the fake account to proceed.

The latest hack comes only months after Microsoft had previously altered CAPTCHA to beat similar attacks, having suffered more than one 'break' in 2008.

Websense's analysis of the hack suggests that the process succeeds in one out of every five to eight attempts, or between 12 and 20 percent of the time: more than enough, given the possible volume of account creation, to offer the spammers a healthy return. The CAPTCHA image analysis itself is said to take only 20 to 25 seconds per attempt, per machine.
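The success rate and cadence just quoted are also something a signup service can watch for. The following is an added example, not code from the article or from Websense or Microsoft: it reads a constructed signup log and flags sources whose attempt volume, low CAPTCHA pass rate and near-constant retry spacing match the described pattern. The log format, source identifiers and thresholds are assumptions.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample signup log (not from the article), "timestamp,source,captcha_result".
# "bot-1" mimics the described pattern: a retry every ~20-25 s, about one pass in 5-8 tries.
SAMPLE_LOG = """\
2009-02-16T10:00:00,bot-1,fail
2009-02-16T10:00:22,bot-1,fail
2009-02-16T10:00:45,bot-1,fail
2009-02-16T10:01:07,bot-1,fail
2009-02-16T10:01:30,bot-1,fail
2009-02-16T10:01:52,bot-1,pass
2009-02-16T10:02:15,bot-1,fail
2009-02-16T10:00:05,user-7,pass
2009-02-16T10:09:31,user-7,fail
"""

MIN_ATTEMPTS = 6        # enough samples before judging a source (assumed threshold)
MAX_PASS_RATE = 0.30    # article: decoding succeeds 12-20 % of the time; people do far better
MAX_MEAN_GAP_S = 60.0   # a signup retried every half-minute is not a person typing
MAX_GAP_JITTER_S = 5.0  # machine cadence: near-constant spacing between attempts

def parse_log(text):
    """Group attempts by source as time-ordered (datetime, passed) pairs."""
    by_source = {}
    for line in text.strip().splitlines():
        ts, source, result = line.split(",")
        by_source.setdefault(source, []).append((datetime.fromisoformat(ts), result == "pass"))
    return {s: sorted(a) for s, a in by_source.items()}

def source_stats(attempts):
    """Attempt count, CAPTCHA pass rate, mean inter-attempt gap and its std dev (seconds)."""
    times = [t for t, _ in attempts]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {"attempts": len(attempts),
            "pass_rate": sum(ok for _, ok in attempts) / len(attempts),
            "mean_gap": mean(gaps) if gaps else 0.0,
            "jitter": pstdev(gaps) if len(gaps) > 1 else 0.0}

def flag_suspicious_sources(text):
    """Sources whose volume, low pass rate and steady cadence match the bot pattern."""
    flagged = []
    for source, attempts in parse_log(text).items():
        s = source_stats(attempts)
        if (s["attempts"] >= MIN_ATTEMPTS and s["pass_rate"] <= MAX_PASS_RATE
                and s["mean_gap"] <= MAX_MEAN_GAP_S and s["jitter"] <= MAX_GAP_JITTER_S):
            flagged.append(source)
    return flagged
```

Because the article notes the image is decoded on a remote server, the source here is whatever identifies the submitting client (IP, session or device), not the decoder; the steady spacing is the signal that survives an encrypted channel.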

CAPTCHA matters to Microsoft because it is supposed to stop spammers from creating large numbers of fake accounts to use as spam relays, taking advantage of the fact that the Hotmail domain is treated as a trusted source by anti-spam gateways and filtering services. Exploiting such trusted-domain status simply increases the chances of a particular piece of spam getting past these barriers.

An innovative feature of the latest attack is that communication between the zombie PC and the remote host takes place using an encrypted channel, which makes detection or blocking of such traffic that much more difficult.

Microsoft's main weapon in the fight against Hotmail abuse is its ability to keep changing the image algorithm used to create the CAPTCHA images, buying time against abuse. Equally, the spammers appear able to catch up some time later by changing the decoding algorithms used by their software.

"As we've seen from previous patterns, spammers just attack whatever system is in place. They are financially motivated to get hold of details, and will increase the sophistication of attacks, in a persistent cycle," said Carl Leonard, Websense's European threat research manager.

The underlying change has been the rapid spread of automated tools for breaking CAPTCHA across a range of service providers, including Google and Yahoo. The same hacks are used to break CAPTCHAs protecting blogging accounts, creating a surge in fake websites running in parallel to fake email accounts. A range of suggestions has been put forward as replacements for the flawed system, including the use of 3D images that might be beyond current image-decoding technology.
