Researchers have discovered a malware engine that appears to be able to break the CAPTCHA security used by Yahoo's webmail service after only a handful of attempts.
There is nothing new in malware that tries to break CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) – a low-level war has been ongoing since this type of security was first implemented almost a decade ago – but what matters here is how quickly and invisibly it can be done.
Websense has posted an online video showing the effectiveness of the engine it found working as part of the Cridex banking Trojan malware in breaking down Yahoo’s CAPTCHA process.
Cridex itself is a traditional if rather dangerous login harvester that targets online banks and social media sites from victim PCs, uploading stolen data to a command and control server.
In that respect it resembles longer-established banking malware such as Zeus. But a key element of any malware is the way it tries to spread itself to new victims, and the Cridex systems discovered by Websense do that by using infected PCs as proxies to create new webmail spamming accounts.
The webmail element of Cridex first fills in the registration form using dummy data before sending snapshots of the Yahoo CAPTCHA screen to a remote cracking server, which attempts to decipher the text.
If the returned CAPTCHA answer fails, the malware instructs the remote server to keep trying until it gets the correct answer. In the Websense test, the malware got the right answer after five failed attempts, a remarkably good success rate when multiplied across large numbers of infected machines.
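Defenders can look for that retry-until-correct pattern on the signup side. As an added example (not from Websense's report or Yahoo's systems), the Python below flags clients that clear a CAPTCHA only after a rapid run of failures; the log lines and the thresholds are constructed for illustration.

```python
"""Flag signup clients that pass a CAPTCHA only after a burst of rapid
failures, the relay-and-retry behaviour described above.
Added example with constructed log lines; not Websense's or Yahoo's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a webmail signup log: timestamp, client id, event.
SAMPLE_LOG = """\
2012-01-09T10:00:01 c1 captcha_fail
2012-01-09T10:00:04 c1 captcha_fail
2012-01-09T10:00:07 c1 captcha_fail
2012-01-09T10:00:10 c1 captcha_fail
2012-01-09T10:00:13 c1 captcha_fail
2012-01-09T10:00:16 c1 captcha_pass
2012-01-09T10:00:17 c1 account_created
2012-01-09T10:02:00 c2 captcha_fail
2012-01-09T10:02:40 c2 captcha_pass
2012-01-09T10:02:41 c2 account_created
"""


def parse_log(text):
    """Group (timestamp, event) pairs by client id."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, client, event = line.split()
        events[client].append((datetime.fromisoformat(ts), event))
    return events


def find_relay_suspects(text, min_fails=3, window=timedelta(seconds=60),
                        max_gap=timedelta(seconds=10)):
    """Return {client: failure_count} for clients whose pass followed at
    least `min_fails` failures, all inside `window` and no more than
    `max_gap` apart. A human who mistypes is slower and fails less often;
    the thresholds are illustrative assumptions, not measured values."""
    suspects = {}
    for client, evs in parse_log(text).items():
        streak = []  # timestamps of consecutive rapid failures
        for ts, event in sorted(evs):
            if event == "captcha_fail":
                if streak and ts - streak[-1] > max_gap:
                    streak = []  # a long pause breaks the machine-speed run
                streak.append(ts)
            elif event == "captcha_pass":
                if (len(streak) >= min_fails and ts - streak[0] <= window
                        and ts - streak[-1] <= max_gap):
                    suspects[client] = len(streak)
                streak = []
    return suspects
```

Flagged clients are candidates for a step-up check or account-creation throttling rather than an automatic block, since the signal is behavioural.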
The innovation here is twofold. First, Cridex would appear to have a CAPTCHA-cracking engine that can break webmail security quickly, assuming the six-attempt demo is typical. Websense doesn’t say, but the remote server is most likely running a tweaked version of the image and text processing optical character recognition (OCR) systems that are used elsewhere for legitimate purposes.
A second, and perhaps more important, advantage is that despite being cumbersome (the criminals need to move screen captures to and from a remote server), the CAPTCHA breaking is done from a legitimate PC in a trusted domain rather than from a criminal server that might quickly be blocked.
Once the fake Yahoo account has been set up, the window in which it can spam before being detected is probably very small, but that only makes it imperative for the malware to generate fresh accounts as rapidly as possible.
The ability of malware operators to break CAPTCHA systems quickly has been an area of research for some years, with a recent University of British Columbia study showing that Facebook could be fooled in 80 out of 100 attempts.
A handful of companies have grown up around CAPTCHA security, which usually works by making the process more compute-intensive for criminals. Examples include a system from NuCaptcha that incorporates video. The problem remains that while these systems undoubtedly deter anti-CAPTCHA servers, they also risk adding overhead for the webmail systems themselves.