Spammers employ humans to break email tests

Spammers making use of free email suppliers, using Indian workers to break CAPTCHA security

Matthew Sparkes
9 Apr 2008

Spammers are employing human workers to sign up for thousands of free email accounts from which to distribute phishing emails, claims a new report.

The report, from TrendLabs, claims workers in India are being used to solve the CAPTCHA tests (Completely Automated Public Turing test to tell Computers and Humans Apart) during registration for free online email accounts. At least one large supplier of free accounts has been heavily targeted, claims the company.

Although there are existing algorithms that allow computers to solve the tests around a third of the time, human workers can approach 100% accuracy.

"The cybercrime industry is no longer the reserve of individuals, but that of organised gangs with large amounts of cash available to them. By employing people to solve the CAPTCHA problem, for as little as £2 or £3 a day, cyber criminals have access to millions of registered accounts," says Rik Ferguson at Trend Micro.

"These accounts are then used to send millions of spam messages with the aim of infecting users with a variety of malware, such as a keylogger that intends to solicit personal information such as banking information or passwords."

Registration is undertaken by automated bots, but the CAPTCHA portion of the process is sent to paid workers before the bot finishes the registration. That account can then be used to send spam emails to thousands of users.

There have been previous attempts to trick unpaid users into solving CAPTCHA tests on behalf of spammers, including programs that rewarded the user with pornographic images after each test.

Read more about: