Gmail CAPTCHA cracking leads to spam surge

Spammers have created large numbers of Gmail accounts by sneaking around the CAPTCHAs designed to block automated sign-up tools, according to a new report.

Spammers are creating huge numbers of Gmail accounts and using them to multiply their message blasts by circumventing the test Google uses to neutralize automated sign-up tools, according to a report from security vendor MessageLabs.

MessageLabs monitored a surge in spam originating from Google Gmail accounts at the end of February. Matt Sergeant, a senior antispam technologist for the company, said the uptick indicates that spammers have found ways to sneak past CAPTCHAs (Completely Automated Public Turing Test To Tell Computers and Humans Apart), which are designed to defend against automated sign-up tools by requiring the user to enter the displayed letters, validating that a human is requesting the account.

Entities such as Yahoo and Hotmail also use CAPTCHAs, and if spammers have indeed found ways to circumvent the mechanism, it signals a dangerous trend for the Internet as a whole, Sergeant said.

"If spammers have solved the CAPTCHA problem that's bad news because so many sites use this to prevent spam and keep sites safe," he said. Also noteworthy is that the bad guys like to use big companies like Google as human shields, he said, adding, "You can't blacklist Gmail or Hotmail because so much legitimate email comes through those. Everyone gets upset if their email is blocked, so now you have to drop down into content filtering, which is more difficult than blocking an IP address."

He said there are two ways to cheat a CAPTCHA program. The spammer can hire the services of "mechanical Turks," individuals who manually create accounts or who are presented with the CAPTCHAs to solve using a software interface. Or the bad guys can cook up an algorithm to crack the CAPTCHA computationally. An algorithm-based attack is very scalable once a reasonable level of accuracy is achieved, Sergeant said.

MessageLabs research suggests such algorithms are 20-30% successful. Combine such algorithms with the computational horsepower of a botnet and the attacker can create as many email accounts as he or she wants. Attackers could also combine the two approaches, using "mechanical Turks" to solve the CAPTCHAs initially while growing a database of successful and failed attempts that can be used to train, test and tune an algorithm under development. As the success rate increases, the attackers can reduce or eliminate their use of expensive mechanical Turks and turn to a botnet-powered operation.

In the final analysis, the use of Yahoo, Hotmail, MSN and Google Web mail-based services to send spam accounted for around 4.2% of all spam last month, a decrease of 1.5% from January. Of that figure, Yahoo's services appear to be the most abused, but researchers also observed a two-fold increase in spam traffic from Google between January and February. Further analysis of this spam suggests it almost exclusively relates to adult-orientated websites.

Sergeant said his company has been in touch with the search engine giant. "Google is very much aware of this issue and is working on it," he said. "They can simply shut down accounts as fast as possible when suspicious stuff is detected, but with botnets, spammers can sign up from many different places, which makes this a difficult problem to solve."

Google spokesperson Megan Lamb said in an email, "Using Gmail to send spam is a violation of the program policies in our terms of service. We disabled these accounts immediately and will continue to do so if they spread."
