Gone in 6 seconds: Hotmail CAPTCHA hacked by spammers
By Erna Mahyuni
A CAPTCHA bypassed in just 6 seconds? That’s just what happened on MSN’s Hotmail, and by automated bots, no less.
Websense posted its discoveries on its security blog, reporting that spammers have created automated bots to bypass Hotmail’s anti-spam CAPTCHA method. Not only are the bots capable of signing up for Hotmail accounts, they can be used for spamming from other Live Hotmail services. Imagine, now spammers can have access to Spaces or your MSN IM.
Websense underlines four advantages for spammers in securing a Hotmail account:
1. Microsoft’s domain won’t be blacklisted
2. Hotmail is free
3. Hotmail’s integration with other Windows Live services
4. The millions of users worldwide using Hotmail, which makes it hard to track the occasional black sheep
The screenshots shown on the blog about how the bot uses an unsuspecting person’s browser are interesting and a wee bit chilling. A bot can get on an unsuspecting person’s machine, use information from the victim’s machine to generate random names, then create Hotmail accounts in the background. The bot will also contact an anti-CAPTCHA host to break the CAPTCHA used to sign up. Once the account’s registered, the bot will then randomly select any of the random accounts it created to spam people’s inboxes with your daily Viagra mailers.
According to Websense, one in every 8-10 attempts is successful, making the success rate between 10 – 15%, and for every successful CAPTCHA-breaking attempt, the time taken is a mere 6 seconds. It wouldn’t be surprising for spammers to hijack legitimate Windows Live users’ accounts and use them in social engineering attempts, which Websense predicts will happen in future.
September 28th, 2008
Hi. I am a hacker. I can get you a facebook, aol, myspace, yahoo, gmail, hotmail… etc. password. I do charge a fee to get a password. Once I do get the password, I’ll send you proof I have it. Are you interested? E-mail me at Fordf202006@yahoo.com
**I cannot recover a lost/stolen/forgotten password**
February 7th, 2009
idiot.