Archived Blog

Google’s 'Blogger' under attack by streamlined Anti-CAPTCHA operations for spam

04.24.2008 - 11:11 AM

Websense Security Labs ThreatSeeker™ technology has discovered that spammers, in their recent tactics, have targeted Google’s well-known blog publishing system “Blogger” aka “Blogspot”, following the streamlined Microsoft’s Live Mail Anti-CAPTCHA, Google’s Gmail Anti-CAPTCHA and Microsoft’s Live Hotmail Anti-CAPTCHA operations.

Spammers have managed to create automated bots that are capable of not only signing up and creating Blogger accounts (using spammer account credentials), but also use these accounts as redirectors and doorway pages for advertising their products and services.

For spammers, there could be four main advantages to this approach:

1. First, they are free to sign up.

2. Second, these (blogspot) accounts can be used as redirectors or doorway pages to spammers’ domain(s). Spammers include these redirecting accounts in different spam campaigns rather than including their actual spam domains. Spammers use this tactic to defeat a range of anti-spam services.

3. Third, these redirecting or doorway page accounts can be used in multiple mass-mailing campaigns for subsequent attacks.

4. And fourth, it may be hard to keep track of accounts as millions of users worldwide are using Google’s Blogger services on a regular basis.


In the current attack, accounts using anti-CAPTCHA operations at Blogger get registered, and few lines of script or code is used to refresh the account, thus directing the user to the actual spam domain. Let’s see the entire automated process in two stages.

Stage 1: Predefined instructions from the CAPTCHA breaking host injected on to bot infected or victim’s machine.
Stage 2: Bot infected or victims’ machine performing tasks are per pre-defined instructions (as in Stage 1).


Stage 1: Predefined instructions from the CAPTCHA breaking host injected on to bot infected or victim’s machine, in action.

Part 1: Observe the CAPTCHA breaking host initiating the process of injecting instructions on to victim’s machine.

Part 2: Observe the injection of instructions with spammers’ credentials in progress.

Part 3: Observe the CAPTCHA breaking instructions injected on to victims’ machine.

Part 4: Observe the Post-Anti CAPTCHA instructions injected.

Part 5: Observe the spammer instructions performing validation of entire process.

Stage 2: Bot infected or victims’ machine performing tasks as per pre-defined instructions (as in Stage 1), in action.

Part 1: Observe the process initiated on the bot infected or victims’ machine, progressing on to Google’s blogger.com for account signup.

Part 2: Observe the bot progressing on to Google’s Blogger signup page.

Part 3: Observe the bot infected or victims’ machine sending the CAPTCHA code request to CAPTCHA breaking host.

Part 4: Observe the CAPTCHA code (replied) sent from CAPTCHA breaking host to victims’ machine for account creation.

Part 5: Observe that created account credentials are used for a successful login, and are ready for blogging.

Part 6: Observe the blog created and published.

Part 7: Entire process in action.

Spammers finally have success advertising their product at this level. Observe the java script that redirects account to spam domain.

Observations:

Stage 1:

1. Predefined instructions injected on to victim’s machine are used as templates, with varying account credentials and spam domain redirecting script.

2. Spammers are trying to improve the Anti-CAPTCHA techniques. To assist this process they perform validation checks and reports are sent to their email addresses. Observe figure 1.5 in Stage 1.

Stage 2:

1. One in every 8 to 12 attempts is successful in signing up and creation of accounts. Hence the success rate ranges between 8% to 13%.

2. In the current attack, the response time of CAPTCHA breaking host after grabbing a CAPTCHA image from a victims’ machine, analyzing it, and responding back to victims’ machine with corresponding CAPTCHA code is approximately 35 to 36 seconds.

Websense believes that these accounts could be used by the spammers at any time for a variety of social-engineering attacks, a trend that has been increasingly common with various popular Web 2.0 sites. An illustration of this spammer tactic where in Google services increasingly used in SPAM runs, was reported by Websense, in the recent past in one of the security blogs.

Security Researcher: Sumeet Prasad

Bookmark This Post: