View Full Version : Gmail, Yahoo and Hotmail’s CAPTCHA Broken

2008-02-26, 01:45

- http://www.websense.com/securitylabs/blog/blog.php?BlogID=174
Feb 22 2008 - "Websense Security Labs has discovered that Google’s popular web mail service Gmail is being targeted in recent spammer tactics. Spammers in these attacks managed to create bots that are capable of signing up and creating random Gmail accounts for spamming purposes. Websense believes that from the spammers’ perspective, there are four main advantages to this approach. First, signing up for an account with Google allows access to its wide portfolio of services. Second, Google’s domains are unlikely to be blacklisted. Third, they are free to sign up. And fourth, it may be hard to keep track of them as millions of users worldwide are using various Google services on a regular basis... Websense believes that these accounts could be used by spammers at any time for abusing Google’s infrastructure. A wide range of attacks could be possible as the same account credentials can be used to target various services offered by Google... It is observed that at this stage bots (or bot-infected machines) are trying to sign up as many accounts as possible with Gmail mail services. One of the main concerns here is attacking CAPTCHA. Unfortunately, spammers seem to have success with it. The bot is signing up an account feeding all the prerequisites or input data that goes into the signup page and successfully creating a mail account. Considering the normal / routine process involved in signing up a web mail account (Gmail), CAPTCHA authentication is a must for a successful signup. Since a bot is creating an account successfully, it is obvious that CAPTCHA is broken... Unlike Live Mail CAPTCHA breaking*, which involved just one botted host doing the entire job (signing up, filling in details, getting the CAPTCHA request), the Gmail signing process involves two botted hosts (or CAPTCHA breaking hosts)..."
* http://www.websense.com/securitylabs/blog/blog.php?BlogID=171

(Screenshots available at both URLs above.)


2008-02-26, 01:47
Also see:


(Hat tip to brewt at CastleCops.)


2008-02-26, 21:09

Orkut Scraps Propagating Malicious Code
- http://www.symantec.com/enterprise/security_response/weblog/2008/02/post_7.html
February 26, 2008 - "...A worm was discovered spreading malicious code through Google’s Orkut service. This isn’t the first worm on Orkut*, and the worm works in a similar manner to its predecessors by using “scraps”- messages considered part of a “scrapbook”. A user receives a scrap from an acquaintance containing a pornographic image that is designed to look like a Flash movie. If the user clicks on the image file, in an attempt to play the “movie”, they are directed to a malicious Web site...
The scraps are received from known members on the friend’s list, which makes it easier to surpass a user’s suspicions about the legitimacy of the messages. This could also be easily used as a vector for targeted malicious code attacks... Symantec Security Response observed this attack lasting for a couple of hours, and then the malicious URL was redirected to a non-malicious Web page. As we write this we have a few more reports of the same malicious code being served through different domain links."
* http://www.itsecurity.com/security.htm?s=17431&sid=43a064e07923244c6d2f04eda5e3fc7c


2008-02-26, 21:40
Uh, oh... more:

Tracking cybercrime leads us to Google
- http://www.ugnn.com/2008/02/google_caught_denies.html
Feb 24, 2008 - "After reporting literally hundreds of abuse situations to Google, I've finally come to the conclusion that there's no one there responsible for keeping watch..."
...and here: http://www.techsurvivors.net/forums/lofiversion/index.php/t18227.html
...and here: http://www.castlecops.com/Downloadable_Software_spam116153.html
...and here: http://www.castlecops.com/MaxHerbal_spam120920.html

...from here: http://isc.sans.org/diary.html?storyid=4022
Last Updated: 2008-02-25 23:42:09 UTC


2008-02-29, 13:48

- http://preview.tinyurl.com/2kxkys
02.29.08 (Symantec Security Response Weblog) - "Due to some confusion with this particular threat, we’ve decided to provide some further details on the Orkut worm we blogged on earlier in the week. The worm, recently renamed to W32.Scrapkut, uses active code injection as a vehicle to propagate to the Orkut friends of its unfortunate victim. Initially, a malicious scrap is posted to the victim’s scrapbook, containing a link to what appears to be a YouTube video. When a victim clicks on the link, they are redirected to an external site which prompts them to download the file “flashx_player_9.8.0.exe”... When executed, flashx_player_9.8.0.exe retrieves the files windosremote.exe, logservicess.exe and win32chekupdate.exe from hxxp: //[REMOVED].ifastnet. com. These files download additional files that perform a variety of malicious actions, but logservices.exe is the main executable for further propagation. Logservices.exe first copies itself as maindwxp.exe to four different locations on the system to ensure it is executed on startup. Maindwxp.exe then checks in with the command and control server via a GET request with specific parameter values... Maindwxp.exe then executes and begins checking for an active browser window, waiting for the victim to visit Orkut. Once the victim is in an authenticated Orkut session, maindwxp.exe injects Javascript code into the active Orkut web session. This Javascript code which is actually based on a popular Greasemonkey script is then executed within the context of the Orkut domain and the user’s authenticated session, resulting in the malicious scrapbook entry being sent to all the victims’ friends, and the cycle begins again..."

(Screenshots available at the URL above.)

- http://www.symantec.com/security_response/writeup.jsp?docid=2008-022820-1949-99&tabid=2
Discovered: February 28, 2008
Updated: February 29, 2008 4:26:42 AM
Type: Worm...
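
The Symantec write-up quoted above gives enough of the W32.Scrapkut download chain (the "flashx_player_9.8.0.exe" dropper, then windosremote.exe, logservicess.exe and win32chekupdate.exe fetched from an ifastnet.com host) to build a simple proxy-log indicator check. The following is an added example, not code from Symantec or from the original post: the log format is an assumed Squid-style "timestamp client method url status" layout, the log lines are constructed, and because the C&C hostname is redacted in the write-up only the ".ifastnet.com" domain suffix is matched.

```python
"""Indicator matching over a web-proxy log for the W32.Scrapkut download chain.

Added example (not Symantec's code). Indicator file names come from the
Symantec write-up; the host name was redacted there, so only the
".ifastnet.com" suffix is used. Log format and sample lines are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Indicators from the write-up.
DROPPER = "flashx_player_9.8.0.exe"
STAGE2_FILES = {"windosremote.exe", "logservicess.exe", "win32chekupdate.exe"}
STAGE2_DOMAIN_SUFFIX = ".ifastnet.com"

# Constructed sample log (assumed format: ts client method url status).
SAMPLE_LOG = """\
1204234800.101 10.0.0.7 GET http://www.orkut.com/Scrapbook.aspx 200
1204234805.417 10.0.0.7 GET http://video-host.example/flashx_player_9.8.0.exe 200
1204234830.002 10.0.0.7 GET http://abc123.ifastnet.com/windosremote.exe 200
1204234831.120 10.0.0.7 GET http://abc123.ifastnet.com/logservicess.exe 200
1204234832.551 10.0.0.7 GET http://abc123.ifastnet.com/win32chekupdate.exe 200
1204234900.000 10.0.0.9 GET http://www.example.com/index.html 200
1204234950.333 10.0.0.9 GET http://cdn.example.net/logservicess.exe 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?/(?P<path>.*)$")


@dataclass
class Hit:
    client: str
    url: str
    reason: str


def classify(url: str) -> Optional[str]:
    """Return an indicator label for the URL, or None if it matches nothing."""
    m = URL_RE.match(url)
    if not m:
        return None
    host = m.group("host").lower()
    fname = m.group("path").rsplit("/", 1)[-1].lower()
    if fname == DROPPER:
        return "dropper"
    if fname in STAGE2_FILES:
        # Name plus the known hosting domain is high confidence; the bare
        # file name elsewhere is flagged separately so an analyst can triage it.
        return "stage2-ifastnet" if host.endswith(STAGE2_DOMAIN_SUFFIX) else "stage2-name-only"
    return None


def scan(log_text: str) -> List[Hit]:
    """Parse each log line and collect every URL that matches an indicator."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        reason = classify(m.group("url"))
        if reason:
            hits.append(Hit(m.group("client"), m.group("url"), reason))
    return hits


def infected_clients(log_text: str) -> Set[str]:
    """Clients that fetched the dropper AND a stage-2 file from the known domain,
    i.e. the full chain the write-up describes, not a single stray download."""
    hits = scan(log_text)
    droppers = {h.client for h in hits if h.reason == "dropper"}
    stage2 = {h.client for h in hits if h.reason == "stage2-ifastnet"}
    return droppers & stage2


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.client:10} {h.reason:18} {h.url}")
    print("full chain seen from:", sorted(infected_clients(SAMPLE_LOG)))
```

Requiring both the dropper and a stage-2 fetch before naming a client keeps a lone hit on a generic file name (the 404 from 10.0.0.9 above) from being reported as an infection.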


2008-03-02, 21:41

Hard core porn invasion on Google Groups
- http://sunbeltblog.blogspot.com/2008/03/hard-core-porn-invasion-on-google.html
March 02, 2008 - "We’ve just started seeing a hard-core porn invasion on Google Groups. So far, we have identified approximately 270 Google Groups pages with this porn... These pages push other porn pages for profit. While not all of the redirects go to malware sites, we did observe some redirects to a site which ultimately pushes a fake codec trojan, which if installed, results in a VirusHeat infection... We have alerted Google to the presence of these pages."

(Screenshots available at the URL above [offensive content has been obfuscated].)


2008-03-03, 14:20

...Google Groups invasion continues unabated
- http://sunbeltblog.blogspot.com/2008/03/thank-you-sir-may-i-have-another-google.html
March 02, 2008 - "There is another Google Groups invasion, with a different twist than the porn angle: spam blogs. In this case, we see splogs set up for everything from "female celebrity smoking" to air conditioners. These push searches to MCtop10.info... A list of sites tracked so far is here* (pdf)."
* http://www.sunbelt-software.com/ihs/alex/googlegroupsspam.pdf


2008-07-05, 04:26
- http://ddanchev.blogspot.com/2008/07/gmail-yahoo-and-hotmails-captcha-broken.html
July 03, 2008 - "...an underground service that's selling registered accounts at Gmail, Yahoo, Hotmail and the most popular Russian email providers in the thousands. Once the inventory of registered accounts drops due to someone's purchase, it continues registering one to two email accounts per second... Text based CAPTCHA is so broken, that if major web sites whose services are getting abused don't at least try to slow down the efficient approach of breaking it, we are going to see an entire spamming infrastructure build on the foundation of legitimate email service providers."


2008-08-25, 14:17

Google / Yahoo SPAM_A_LOT accounts...
- http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_defeating_anti-sp.html
August 25, 2008 - "...new accounts, of course, are not logged yet by anti-spam filters, so they give spammers a new platform to deliver their garbage. Also, Google's or Yahoo's domains are unlikely to be blacklisted by anti-spam groups... The main anti-captcha.com service is something of a fixed-price menu: They charge $1 for every 1,000 CAPTCHAs you send. But the site also features an à la carte menu, selling new and used Gmail and Yahoo Web mail accounts in bulk. Currently offered are packages for 1,000, 10,000 and even 100,000 accounts at a time. Anti-captcha.com is selling 1,000 new Gmail accounts for $8, 10,000 Gmail accounts for $64, and 50,000 pristine Gmail inboxes for $280. Some 100,000 used Yahoo! mail accounts can be had for $150 to $200."


2008-09-08, 17:39

Email, Web, and Web 2.0 Blended Attacks
- http://securitylabs.websense.com/content/Blogs/3176.aspx
09.08.2008 - "...For the spammers, the entire attack strategy always includes more than registering email accounts using Anti-CAPTCHA operations, sending mass emails over the Internet, infecting thousands of user machines, and stealing information. It also involves switching the attack strategy with a mindset of targeting both Email and Web space using a combination of different tactics, which could be manual as well as automated, to carry out various attacks... The spammers are now using such operations for a variety of social-engineering attacks, a trend that has been increasingly common with various popular Web 2.0 sites... spammers are observed to be using Google’s well-known blog publishing system, Blogger, for posting random comments to blogs, wikis, guestbooks, or other publicly accessible online discussion boards for promoting their products and services, adware installations, and malware infections for stealing information... Spammers create such splogs using machine-generated or hijacked content with the aim of targeting unsuspecting users. Also, observe that spammers include links in their splogs referring to legitimate sites in order to trick users... Once the blog owners are victimized with such tactics, the spammers' next phase is to target the blog owner’s email address with mass emails to carry out different attacks..."
(Screenshots available at the URL above.)

Google Apps...
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3891
Last revised: 09/05/2008