back to article Webmail-creating Trojan targets Gmail

A strain of malware capable of setting up bogus Hotmail and Yahoo! accounts in order to send spam has been adapted to also target Gmail accounts. The HotLan Trojan creates automatically-generated webmail accounts, implying that spammers have discovered a means to defeat Captcha challenge-response systems. Captcha systems, …


This topic is closed for new posts.
  1. James Broomfield


    What about kitten based captcha, shurely the only way forward now!

    Choose the kitten amongst the puppies. It would take some serious coding to get through that.

  2. Ralph B

    A Compromise?

    You know, if spammers were happy to use just Hotmail and Yahoo accounts to spam just other Hotmail and Yahoo accounts, then I think I could probably live with that.

  3. Sabahattin Gucukoglu

    And So ...

    we are left wondering just how these CAPTCHAs are defeated. Is it the image that can be analysed? Is it the audio that can be deobfuscated? Come on, we need to be told!



    PS: We always knew it would happen. I cannot help be glad, seeing as how I'm among the group of people continually being frustrated by these bloody things (I'm blind). The audio is always terrible, and there have been options for much less intrusive and much less discriminating CAPTCHAs (all useless when presented by a mass-recruited human element, of course). Nevertheless, it's so that for a long while these tests were thought sufficiently deterring, and so I can't help wondering whether some much more fundamental flaw in these web apps is the actual cause of the breakage, rather than the CAPTCHA itself.

  4. toby powell-blyth

    Another suggestion

    Why not have graphical captchas which require a good understanding of english. Mensa tests have things like:

    Hot is to cold as daft is to....

    Or, going with the catz thing, how about "How many happy faces are in this picture". Sorry for that small minority among us who cannot recognise emotions.

    I don't understand why ISPs cannot, from a centralised authority list, block access to the server that is providing the decryption of the captchas.

  5. Morely Dotes


    "I don't understand why ISPs cannot, from a centralised authority list, block access to the server that is providing the decryption of the captchas."

    Such servers are usually located in Romania, China, Turkey, or another country that doesn't give a rat's red patoot about what crimes are committed with the complicity of their ISPs, so long as plenty of dollars are generated by them. As a result, the ISPs are hotbeds of malicious activity.

    My solution is to firewall off all IP space assigned to such nations. Most ISPs would not be so draconian - which is why the malicious ISPs remain unquarantined.


    It doesn't need to be programmatic...

    One method of bypassing CAPTCHAs, without needing complex programming, is to take the image being shown and to present this to someone else on a website that is owned. For instance, let's say there is a spammer who owns hundreds of generic porn sites that get lots of traffic. When attempting to view an image or a video or whatever, the user could be presented with a CAPTCHA that they must solve. Unknown to the user, however, is that this CAPTCHA actually originated from a spam-bot that needed it to be solved in order to sign up for an account on a legit site. In other words, it uses human-power to solve the CAPTCHAs from humans that otherwise don't know what they are actually helping to contribute to.

    Another method could be to use humans who DO know what they are contributing to. Imagine a shop full of under-paid and/or under-age workers in some foreign country, solving CAPTCHA after CAPTCHA after CAPTCHA. Although this scenario is possible, it wouldn't be as effective as the method explained previously, that still uses human power, but from unsuspecting humans.

  7. Dillon Pyron

    Multiple images

    I recently saw a system that used six images in a 2x3 array to form the characters displayed. It only worked if all 6 images were up there. Yes, you can still use some 12 year old making 10 cents an hour in some fourth world country to solve it, but it makes the computed solution very difficult.

    Using the pr0n suffer solution depends on having someone handy (pun not intended) at the time.

    But ...

    Let's do the math. You pay a kid 10 cents an hour. He/She solves 60 Captchas an hour. That's 60 drones who each send 5000 emails before getting shutdown (I'm being generous to Gmail). If they get a .1% hit rate at $25 profit, that's $7499.90 after operating expenses. But let's call it .01%. That brings it down to $749.90. And since you're "working" 24x7, that turns into a boat load of money. I'm in the wrong business. And that's from one kid (probably 2, two tweleve hour shifts, I'm a benevolent employer).

  8. Grant Bearman

    Programmatic and fun

    Another scenario that could work:

    The garbage set up a website - lets call it "Eye Games".

    You are presented with a set of images and try to decode them to achieve a best time with highest accuracy (feedback from the account-creating engine would give you the accuracy part). User scores are posted to keep things interesting and get players to return for more.

    New images every time. Captcha images.

  9. Stephen

    "Pick the kitten" doesn't work

    A multiple choice option such as "pick the kitten from the puppies" won't work, because the limited number of options makes it worthwhile to guess. If there's one kitten and four puppies, for example, that's a 1 in 5 chance of success - it's trivial for a trojan to keep trying until it guesses correctly.

    More importantly, there are already WAY too many pictures of kittens on the internet, so we don't need anything that would make the situation worse.

  10. Anonymous Coward
    Anonymous Coward


    You will be pleased to know Microsoft have already pioneered this -

  11. Anonymous Coward
    Anonymous Coward

    Captchas are trivially defeated

    Honestly, the method of defeating captchas is widely known and has been circulating for years.

    Take the image, put it as entry captcha on a "free porn" website, take the result provided by the dribbling moron wanting free skinpics and pass it back to the website.

    On average you'll be able to decode at least one image per minute, not that most websites use timeouts on captcha challenges.

    This is NOT a theoretical attack.

  12. Anonymous Coward
    Anonymous Coward

    we need more sex

    seriously, as a guy said in a movie, "the problem of this country (let's say world) is that we don't have enough sex". that makes us all act stupidly and spend hours and hours in pr0n sites looking for the taboo. Let's get sex, and we won't need pr0n sites, those bastards won't use people for their captchas, they won't be able to send their damn spam (which won't be as much, since they won't be sending the "i'm alone at home, wanna meet me?"-kind-of messages), and we're done. problem solved!


    PS: I wish spammes and scammers would just die... a painful and slow death, but die.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021