
Microsoft's CAPTCHA revolutions busted by spammers - again and again

02.15.2009 - 4:40 PM

Spammers have once again ramped up the siege on Microsoft's Live Hotmail services, by busting Microsoft's latest, redesigned CAPTCHA system.

Near the end of 2008, Microsoft reworked its CAPTCHA authentication, attempting to prevent further automatic registrations by computer programs and automated bots, and preserve CAPTCHA's usability and reliability. As the latest attack shows, those efforts have failed.

The spammers' attack strategy includes more than registering email accounts using anti-CAPTCHA operations; sending mass emails over the Internet; infecting thousands of user machines; and stealing information. Their strategy also includes developing a successful business model that focuses on advertising products and services, and reaching users with increasing success rates. Thus, spammers have been relying on the trusted reputation of Microsoft to carry out a wide range of attacks over the Internet.

Anti-CAPTCHA operations carried out by spammers to date can be clearly viewed as escalating steps in a persistent cycle. Every time Microsoft implements CAPTCHA changes to combat abuse of their services, the spammers adapt to those changes.

Spammers have increased the sophistication of their anti-CAPTCHA response with this latest attack. Previous anti-CAPTCHA operations consistently used automation (sign-up, CAPTCHA break, and account creation) that consisted of straightforward, templated command and control instructions. The latest attack uses automation with encrypted communication between spammer bot servers and compromised machines.

Let's see how this process is automated, step-by-step.

The bot installs itself as a service, and uses the Internet Explorer browser on the target (compromised) machine in the background for the entire process.

The CAPTCHA-breaking host or bot server initiates the process of injecting encrypted instructions (command and control) onto the compromised machine. This encrypted code includes templated sign-up instructions with the spammers' predefined credentials (Windows Live ID, password, First name, Second name, Country, and so forth), along with CAPTCHA-breaking instructions (image send and code receive).

The compromised machine or bot-infected client decrypts the instructions received from the CAPTCHA-breaking host or bot server. The compromised machine then performs the tasks defined in the instructions.

A process is initiated on the victim's machine, which connects to the Live Hotmail site to sign up for an account.

The bot continues to the secured Live Hotmail signup page, where the bot attempts to begin filling in all predefined credentials.

The compromised machine sends the CAPTCHA image request to the CAPTCHA-breaking host.

The compromised machine receives the scrambled CAPTCHA code from the CAPTCHA-breaking host, descrambles it, and completes the signup process successfully.

Notice that signup is successful, and the account is created using the credentials, per the instructions (in encrypted form) injected by the CAPTCHA-breaking host or bot server.

The bot repeats this process over and over: sign-up, break CAPTCHA, and successfully create an account.


1. As mentioned earlier, unlike previous anti-CAPTCHA attacks, the latest attack consists of encrypted communication between spammer bot servers and infected clients or compromised machines. Spammers have adopted these tactics with a mindset to secure their operations from being exposed or detected.

2. One out of every 5 to 8 attempts to break a CAPTCHA successfully signs up for a Live Hotmail account (a success rate between 12% and 20%).

3. In the current attack, the response time of the CAPTCHA-breaking host after grabbing a CAPTCHA image from a victim's machine, analyzing it, and responding back to the victim's machine with corresponding CAPTCHA code, ranges from approximately 20 to 25 seconds.
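Observations 2 and 3 give a service operator two measurable signals: many attempts per client with a low solve rate, and solve times clustered in a narrow band. The sketch below is an added example, not code from the original post or from Websense; the log format, the function names and the thresholds are assumptions, and the server-side gap between serving the image and receiving the answer is assumed to approximate the relay time.

```python
from collections import defaultdict
from statistics import median

# Constructed sample sign-up log (not real data): client address, seconds
# between CAPTCHA image served and answer submitted, and the outcome.
SAMPLE_LOG = """\
203.0.113.7 21.4 fail
203.0.113.7 23.9 fail
203.0.113.7 20.8 fail
203.0.113.7 24.1 fail
203.0.113.7 22.6 ok
203.0.113.7 21.0 fail
198.51.100.20 9.3 fail
198.51.100.20 14.7 ok
192.0.2.55 41.0 ok
"""

def parse(log):
    """Yield (client, latency_seconds, solved) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            client, latency, result = line.split()
            yield client, float(latency), result == "ok"

def flag_relay_clients(events, min_attempts=5, window=(20.0, 25.0),
                       min_in_window=0.8, max_success=0.25):
    """Return {client: stats} for clients whose attempts look relayed.

    Defaults mirror the article's figures (20 to 25 s response time, about
    one success per 5 to 8 attempts); they are assumptions to be tuned.
    """
    per_client = defaultdict(list)
    for client, latency, solved in events:
        per_client[client].append((latency, solved))
    flagged = {}
    for client, rows in per_client.items():
        n = len(rows)
        if n < min_attempts:
            continue  # too few attempts to judge; people retry a few times
        in_window = sum(window[0] <= lat <= window[1] for lat, _ in rows) / n
        success = sum(ok for _, ok in rows) / n
        if in_window >= min_in_window and success <= max_success:
            flagged[client] = {"attempts": n, "success_rate": round(success, 2),
                               "median_latency": median(lat for lat, _ in rows)}
    return flagged

if __name__ == "__main__":
    for client, stats in flag_relay_clients(parse(SAMPLE_LOG)).items():
        print(client, stats)
```

Only the first constructed client is flagged; the other two have too few attempts, and their timings fall outside the window.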

Websense predictions about this persistent, ongoing spammer strategy are proving accurate. The spammers have been using these accounts for additional, random attacks that include sophisticated new methods (both manual and automated) against significant Live services integrated with Live Hotmail, such as Live Messenger (instant messaging), Live Spaces (online storage), and the like. A few instances of abuse can be seen here.

CAPTCHA-based authentication is used by various service providers to prevent automated software from performing actions that degrade their function and their quality of service, due either to abuse or resource expenditure. Although continuous efforts are made by various service providers to combat the abuse of their services, the spammers, phishers, and malware authors carry out various attacks over these services, proving the abusive authors' adaptability, and creating an iterative cycle in the email and Web security arena.

Security Researcher: Sumeet Prasad
