Websense said that spammers have created a bot that breaks the Live Mail service's CAPTCHA function, the distorted, scrambled character code used by numerous web operators to block the automatic registration of accounts. Most importantly, CAPTCHA checks stop spammers from creating thousands of accounts that could be used to send subsequent spam attacks.
The Websense blog posting noted that the bot captures the CAPTCHA code, which is an image rather than plain text, and sends it to the spammer's server. The server reads the image and returns a clear-text match, which the bot then enters into the Live Mail field where users normally type the CAPTCHA characters to create the new email account.
On average, Websense said, the spammers are successful in breaking the CAPTCHA code up to 35 percent of the time.
Exactly how spammers are solving the captured CAPTCHA code is unknown, according to Websense. The attackers could be using optical character recognition (OCR) or one of the CAPTCHA code-breaking tools that are available online.
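The 35 percent figure above is also a defender's signal: a bot that solves roughly a third of the challenges it sees fails the other two thirds, so a signup source that keeps submitting CAPTCHAs at machine speed with a low success rate stands out against real users, who typically solve on the first or second try. The following script, added here as an example and not part of the article or of Websense's or Microsoft's systems, reads constructed signup-form log lines, tallies per-source CAPTCHA attempts and successes, and flags sources whose volume, success rate or submission rate looks automated. The log format, the source identifiers and the thresholds are assumptions chosen for the illustration.

```python
"""Flag signup sources whose CAPTCHA outcomes look automated.

Added example. The log format (timestamp, source id, ok/fail), the
source ids and all thresholds are assumptions; the ~35% bot solve rate
is the figure reported in the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log: one line per CAPTCHA submission on a signup form.
# src-A and src-C behave like people; src-B submits every few seconds and
# succeeds 7 times out of 20 (35%), mirroring the rate in the article.
SAMPLE_LOG = """\
2008-02-12T09:00:01 src-A ok
2008-02-12T09:00:12 src-B fail
2008-02-12T09:00:15 src-B fail
2008-02-12T09:00:18 src-B ok
2008-02-12T09:00:21 src-B fail
2008-02-12T09:00:24 src-B fail
2008-02-12T09:00:27 src-B ok
2008-02-12T09:00:30 src-B fail
2008-02-12T09:00:33 src-B fail
2008-02-12T09:00:36 src-B ok
2008-02-12T09:00:39 src-B fail
2008-02-12T09:00:42 src-B fail
2008-02-12T09:00:45 src-B ok
2008-02-12T09:00:48 src-B fail
2008-02-12T09:00:51 src-B fail
2008-02-12T09:00:54 src-B ok
2008-02-12T09:00:57 src-B fail
2008-02-12T09:01:00 src-B fail
2008-02-12T09:01:03 src-B ok
2008-02-12T09:01:06 src-B fail
2008-02-12T09:01:09 src-B ok
2008-02-12T09:02:30 src-C ok
2008-02-12T09:03:40 src-A fail
2008-02-12T09:03:55 src-A ok
2008-02-12T09:05:10 src-C ok
"""


@dataclass
class SourceStats:
    """Per-source tally of CAPTCHA submissions."""
    attempts: int = 0
    successes: int = 0          # each success is one account the source obtained
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0

    @property
    def span_seconds(self) -> float:
        if self.first is None or self.last is None:
            return 0.0
        return (self.last - self.first).total_seconds()


def parse_log(text: str) -> List[Tuple[datetime, str, bool]]:
    """Turn the assumed 'timestamp source result' lines into records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, source, result = line.split()
        records.append((datetime.fromisoformat(ts), source, result == "ok"))
    return records


def summarize(records) -> Dict[str, SourceStats]:
    """Aggregate attempts, successes and the active time window per source."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for ts, source, ok in records:
        s = stats[source]
        s.attempts += 1
        s.successes += int(ok)
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)
    return dict(stats)


def flag_sources(stats: Dict[str, SourceStats], min_attempts: int = 10,
                 max_success_rate: float = 0.6,
                 max_per_minute: float = 5.0) -> List[str]:
    """Return sources that submit in volume and either fail most challenges
    or submit faster than a person plausibly types. Thresholds are assumed."""
    flagged = []
    for source, s in stats.items():
        if s.attempts < min_attempts:
            continue
        per_minute = s.attempts / max(s.span_seconds, 1.0) * 60.0
        if s.success_rate <= max_success_rate or per_minute >= max_per_minute:
            flagged.append(source)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG))
    for source in flag_sources(stats):
        s = stats[source]
        print(f"{source}: {s.attempts} attempts, {s.successes} accounts, "
              f"{s.success_rate:.0%} solved in {s.span_seconds:.0f}s")
```

Running it flags only src-B. The point for a defender is that the successes column is what the spammer walks away with: even at a 35 percent solve rate, twenty submissions yield seven usable accounts, so the CAPTCHA alone is not the control; per-source velocity and failure-ratio monitoring, with throttling or step-up checks on flagged sources, is the layer that limits the harvest.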
Web-based email services, such as Windows Live Mail and Yahoo! Mail, are prime targets for spammers for several reasons, Websense said. Not only are they free, their domains are "unlikely to be blacklisted" by anti-malware tools. Also, email accounts from these services are "hard to keep track of as there are millions of users worldwide."
"Websense believes that these accounts could be used by the spammers at any time for a variety of social engineering attacks in the future," the blog posting stated, adding that the accounts could be used in a "wide range of attacks" using the same account information in conjunction with other online services offered by Microsoft, including the company's Windows Live Messenger instant messaging and Windows Live Spaces online storage services.
Microsoft indicated it is aware of public reports regarding CAPTCHA being bypassed by malicious attackers. "This issue is under investigation," a Microsoft spokesman told SCMagazineUS.com. "To our knowledge, there has been no customer impact. Windows Live Messenger customers are not the target of the reported attacks.
"Additionally, CAPTCHAs for account signups is just one of the many tools Microsoft uses to prevent abuse of its networks," the spokesman added. "The company uses a blend of approaches to prevent abuse of our networks by spammers."
See original article on scmagazineus.com
Microsoft's Windows Live Mail security cracked
By Jim Carr on Feb 12, 2008 9:43AM