
Trojan found breaking Yahoo CAPTCHA security in minutes

Cridex uses infected PCs as proxies for anti-CAPTCHA engine


Researchers have discovered a malware engine that appears to be able to break the CAPTCHA security used by Yahoo's webmail service after only a handful of attempts.

There is nothing new in malware that tries to break CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) – a low-level war has been ongoing since this type of security was first implemented almost a decade ago – but what matters is how quickly and invisibly this can be done.

Websense has posted an online video showing the effectiveness of the engine it found working as part of the Cridex banking Trojan malware in breaking down Yahoo’s CAPTCHA process.

Cridex itself is a traditional if rather dangerous login harvester that targets online banks and social media sites from victim PCs, uploading stolen data to a command and control server.

In that it resembles longer-established banking malware such as Zeus. But a key element of any malware is the way it tries to spread itself to new victims, and the Cridex systems discovered by Websense do that by using infected PCs as proxies to create new webmail spamming accounts.

The webmail element of Cridex first fills in the registration form using dummy data before sending snapshots of the Yahoo CAPTCHA screen to a remote cracking server, which attempts to decipher the text.

If the returned CAPTCHA fails, the malware instructs the remote server to keep trying until it gets the correct answer. In the Websense test, the malware got the right answer after five failed attempts, a remarkably good success rate when taken over large numbers of infected machines.

The innovation here is twofold. First, Cridex would appear to have a CAPTCHA-cracking engine that can break webmail security quickly, assuming the six-attempt demo is typical. Websense doesn’t say, but the remote server is presumably running a tweaked version of the image and text processing optical character recognition (OCR) systems that are used elsewhere for legitimate purposes.

A second and perhaps more important advantage is that, despite being cumbersome (the criminals need to move screen captures to and from a remote server), the CAPTCHA breaking is done using a legitimate PC in a trusted domain rather than from a criminal server that might be quickly blocked.

Once the fake Yahoo account has been set up the window in which it will be able to spam before being detected is probably very small, but that just makes it imperative that the malware generates fresh accounts as rapidly as possible.
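The retry-until-correct loop and the rapid creation of accounts described above leave a recognisable trace in a webmail provider's own signup logs. The following is an added example (not code from the article, Websense or Yahoo) that runs a simple detector over constructed log lines; the log format, session ids, IP addresses and thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the article): one line per CAPTCHA submission on a
# webmail signup endpoint. Session a1 mirrors the article's five failures, then success.
SAMPLE_LOG = """\
2012-01-27T10:00:01 198.51.100.23 sess=a1 captcha=fail
2012-01-27T10:00:03 198.51.100.23 sess=a1 captcha=fail
2012-01-27T10:00:05 198.51.100.23 sess=a1 captcha=fail
2012-01-27T10:00:07 198.51.100.23 sess=a1 captcha=fail
2012-01-27T10:00:09 198.51.100.23 sess=a1 captcha=fail
2012-01-27T10:00:11 198.51.100.23 sess=a1 captcha=ok
2012-01-27T10:00:42 198.51.100.23 sess=a2 captcha=ok
2012-01-27T10:01:10 198.51.100.23 sess=a3 captcha=ok
2012-01-27T10:02:00 203.0.113.7 sess=b1 captcha=fail
2012-01-27T10:02:30 203.0.113.7 sess=b1 captcha=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) sess=(?P<sess>\S+) captcha=(?P<result>fail|ok)$")

def parse(log_text):
    """Parse the log into dicts; lines that do not match the assumed format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def session_stats(events):
    """Per signup session: (client ip, wrong CAPTCHAs before first success, solved?)."""
    stats = {}
    for e in events:
        ip, fails, solved = stats.get(e["sess"], (e["ip"], 0, False))
        if e["result"] == "ok":
            solved = True
        elif not solved:          # only count failures that precede the first success
            fails += 1
        stats[e["sess"]] = (ip, fails, solved)
    return stats

def flag_clients(events, max_fails_before_success=3, max_accounts_per_ip=2):
    """Return {ip: [reasons]} for clients whose signups look like a remote solver at work."""
    accounts = defaultdict(int)
    reasons = defaultdict(list)
    for sess, (ip, fails, solved) in session_stats(events).items():
        if not solved:
            continue              # abandoned signups create no account
        accounts[ip] += 1
        if fails > max_fails_before_success:
            reasons[ip].append(f"session {sess}: {fails} wrong CAPTCHAs before success")
    for ip, n in accounts.items():
        if n > max_accounts_per_ip:
            reasons[ip].append(f"{n} accounts created from one client")
    return dict(reasons)
```

Because the proxying infected PC is a normal residential client, the per-IP account count alone is a weak signal; the failures-before-success count per session is the part that reflects the remote solver's guessing.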

The ability of malware operators to break CAPTCHA systems quickly has been an area of research for some years, with a recent University of British Columbia study showing that Facebook could be fooled in 80 out of 100 attempts.

A handful of companies have grown up around CAPTCHA security, which usually works by making the process more compute intensive for criminals. Examples of this include a system from NuCaptcha that incorporates video. The problem remains that while these systems undoubtedly deter anti-CAPTCHA servers, they also risk adding overhead for the webmail systems too.


Hansy said: Yahoo captcha screen to a remote cracking server which attempts to decipher the text
