Evolving Beyond CAPTCHA
Posted by Gunter Ollmann on February 25, 2008 at 7:34 PM EST.
Last week I was up in New York giving a fairly standard talk about the evolving threat landscape (“standard” – but ever-so-exciting). One of the running themes in my presentation material has to do with the complexity of some security solutions and how the evolution of the protection has, in many cases, evolved beyond the capability of people to use it efficiently – and inadvertently provided new avenues for attackers to socially engineer their prospective victims.
At one point I use the example of CAPTCHAs and how they are commonly deployed to prevent automated attacks (I use the term “attacks” loosely because this can range from brute-force guessing of account logins through to the creation of free email accounts etc.). But I also point out that in many cases the CAPTCHAs have evolved to a level that, in order to protect against the more advanced automated OCR deciphering tools, they have also defeated a large percentage of the population (especially the elderly and those with vision problems).
Well, today I came across this article describing how the latest implementation of Gmail CAPTCHAs has been broken by a new bot. Personally, I’d just call this yet another “blade” in the now ubiquitous Swiss-army knife approach to malware, and something we’ll see more often as it gets added to the other bot-agents out there.
For most security professionals, this is an interesting advance, although not particularly surprising – but I know from presenting material about CAPTCHAs to other audiences that this is “new” and perhaps a little horrifying to them.
CAPTCHAs were a good idea, but frankly, in today’s profit-motivated attack environment they have largely become irrelevant as a protection technology. Yes, the CAPTCHAs can be made stronger, but they are already too advanced for a large percentage of Internet users. Personally, I don’t think it’s really worth strengthening the algorithms used to create more complex CAPTCHAs – instead, just deploy them as a small “speed-bump” to stop the script-kiddies and their unsophisticated automated attack tools. CAPTCHAs aren’t the right tool for stopping today’s commercially minded attackers.
Why break CAPTCHAs? Basically, most of the profit-motivated attacks focused upon breaking CAPTCHAs have been so that attackers can create new accounts with popular free email and online storage providers. Free email providers such as Hotmail, Gmail, Yahoo Mail, etc., make for popular spam delivery vehicles – since email from these domains is less likely to be stopped by common anti-spam filter technologies and blocked by corporate mail gateways. Free online storage services are often used to host pirated software and provide download repositories for pornographic material or other illegal content.
There is a lot of work being done to break common CAPTCHA algorithms. Once an automated solution has been found, it is quickly incorporated into attack tools – or made available online for use through other automated attack tools.
You may remember a past blog about the XSOX service that manages the lease of bots within botnets for anonymous proxy use. That tool includes a scripting language to automate the production of email accounts “protected” by CAPTCHAs.
Perhaps most interesting (to me) is the fact that attackers don’t even really need to break the CAPTCHAs themselves. Within weeks of the first free email sites using CAPTCHAs to stop the automated creation of accounts, the attackers had already cottoned on to the fact that regular Internet users could be employed in bulk to solve them, and the first free Internet porn sites began to appear – offering a free high-resolution pornographic image for every CAPTCHA the viewer solved. More recently the same principle was employed in the “Melissa Strip” software to create Yahoo! Mail accounts.
Sorry folks, it was nice while it lasted, but for those that hadn't realized it already, the threat has evolved beyond CAPTCHAs.