CAPTCHA method defeated

July 17, 2008

In the three-week period from June 13 to July 3, e-mail filtering firm Roaring Penguin said it saw an explosion of spam originating from Gmail, while Microsoft Hotmail and Yahoo Mail remained flat. During this period, spam from Google grew from 6.8 percent to 27 percent of all outbound e-mail detected by Roaring Penguin, while spam from Yahoo and Microsoft rose between 2 to 4 percent. The company attributes this meteoric rise in Gmail spam to the cracking of Google's CAPTCHA.1

While most spam comes from botnet-infected computers, those sources are easier to block based on their IP addresses. But if it comes from Gmail, an e-mail gateway's spam filters are for more likely to let the mail through.1

A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a test typically used in Web site registration that is designed to tell humans apart from programs designed to hack or automate registrations. It consists of a word displayed in such a way that it's difficult for a computer to read, but not a human.1

CAPTCHA went from relatively obscure security measure perfected in 2000 by researchers at Carnegie Mellon University to deployment by most of the major Web e-mail sites and many other Web sites by 2007. Sites such as Yahoo Mail, Google's Gmail and Microsoft's Hotmail all used - and, for that matter, continue to use - CAPTCHA to make sure that only human beings, not bots, could get accounts or make postings.2

The CAPTCHA system now appears to be collapsing. "I think my view on this now is that time is definitely running out for current CAPTCHA systems; already they are not as effective as they once were," says Paul Wood, senior analyst at MessageLabs. "It's already becoming more difficult for real customers to use them successfully, and they continue to come under increasing pressure from spammers."2 Researchers are already managing to achieve a recognition rate of of nearly 90% of Gmail's CAPTCHA, 58% for Yahoo's CAPTCHA, and over 92 for Microsoft's CAPTCHAs.3 There are now programs available online that automate CAPTCHA attacks without requiring the user to possess cracking skills.2

The CAPTCHA system has been under assault by spammers for a long time, sometimes using very unique attack schemes. In October 2007, it was discovered that spammers were using a virtual stripper as bait to dupe people into solving CAPTCHA codes. A series of photographs showed a woman with progressively fewer clothes each time the user correctly entered the characters in an accompanying CAPTCHA which were snatched from Yahoo Mail's signup screens (see here for an example - screenshot safe for work). Prior to this there had also been past attempts by bot-driven malware to apply optical character-recognition technology to deciphering the squiggles and obscured letters, as well as work-at-home money mule schemes run by criminals hiring people to do this same thing.4 They will hire people for an hourly wage of $2.50 and the average worker will solve about six word puzzles per minute.5

Alternative methods are being examined to replace the CAPTCHA system. Asirra (Animal Species Image Recognition for Restricting Access) is a web service developed by a Microsoft Research team that works by asking users to identify photographs of cats and dogs. This task is difficult for computers, but user studies have shown that people can accomplish it quickly and accurately. The images are provided by animal shelters looking for people to adopts the animals (an "adopt me" link is placed beneath each photo).6

Others are promoting the use of computer generated three-dimensional objects in which the user is asked to click on a series of object features in order, such as "click on the hand, knee, and elbow of the person standing up".7

As Michael Barrett, the chief information security officer at PayPal, puts it "Captchas have gotten as good as they are going to get, and it is likely they are going to be slowly supplanted with a different technology that achieves the same thing... No single defensive technology is forever. If they were, we would all be living in fortified castles with moats."8

1. "Gmail: The Choice of Spammers?", InternetNews, July 9, 2008

2. "How CAPTCHA got trashed", Computerworld, July 15, 2008

3. "Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers", ZDNet, July 3, 2008

4. "Spammers employ stripper to crack CAPTCHAs", Computerworld, October 30, 2007

5. "ReCaptcha: Reusing your 'wasted' time online", CNET, July 16, 2008

6. "MSR Asirra: A Human Interactive Proof", Microsoft Research, July 16, 2008

7. "The 3-D CAPTCHA", Michael G. Kaplan, July 16, 2008

8. "A Dog or a Cat? New Tests to Fool Automated Spammers", The New York Times, June 11, 2007