Spammers’ efforts to reach their prospective customers continue with increased creativity and complexity. From a spammer’s perspective, the challenge is to find ways to defeat the security mechanisms that service providers use, and constantly improve, to combat abuse of their services. This is clearly a long-term battle between service providers and spammers, and it has been going on for a while now.
For the spammers, the entire attack strategy includes more than harvesting or registering e-mail accounts using Anti-CAPTCHA operations. It also involves operations like sending mass e-mails over the Internet; creating splogs and splogospheres; comment spam; infecting thousands of user machines; and stealing information. Their online marketing business aims to occupy network traffic and to improve their current advertising model and approach, so as to reach customers with increased success across the e-mail, Web and Web 2.0 space. Spammers and malware authors execute their tactics with a unified strategy and constantly switch among those tactics, with an emphasis on improving their underground economy. The entire strategy is a continuous cycle, where every stage is an emerging trend or an execution phase inherited from the previous cycle(s).
During the past year, spammers, with their recent developments, have been targeting Microsoft services with a wide range of attacks.
Earlier this year (2008), as reported by Websense Security Labs, spammers defeated Microsoft’s CAPTCHA system, targeting Microsoft’s Live Mail to sign up and create accounts. Spammers widely used these accounts to advertise their products and services, and to carry out a range of different attacks, using the trusted reputation of Microsoft’s Live Mail systems. Realising spammers were abusing Live Mail services, Microsoft improved the Live Mail account signup and creation process, while preserving their CAPTCHA system for usability.
Spammers then shifted their attention towards Microsoft’s Live Hotmail. They targeted Live Hotmail services by performing streamlined Anti-CAPTCHA operations, successfully signing up and creating Live Hotmail accounts. During this operation, spammers also focused on improving their automated Anti-CAPTCHA model, which provided them with faster turn-around times and increased success. The entire automated process comprised successful account signup, CAPTCHA break, account creation, and then mass-mailing within a single operation.
When Microsoft realised their reputation was being massively abused by spammers with increasing Anti-CAPTCHA capabilities, they attempted to increase the complexity of their CAPTCHA system. This time the CAPTCHA system was revised in an attempt both to prevent automatic registrations by computer programs or automated bots, and to preserve CAPTCHA’s usability and reliability. It has recently been observed that spammers have revisited Microsoft’s new CAPTCHA system, and have once again broken it with their new, improved and automated Anti-CAPTCHA model.
By defeating Microsoft’s CAPTCHA system, and registering Live Mail or Live Hotmail accounts, spammers clearly aim to carry out a wide range of attacks (both manual and automated) on other services with which these accounts are integrated.
All of these tactics clearly represent the execution phases of many spammers’ recent strategies. This entire ecosystem targeting Microsoft services shows the spammers’ mindset of developing an efficient system that can use Microsoft’s reputation to instigate successful spam advertising campaigns. Spammers and malware authors have also been targeting other popular e-mail, Web and Web 2.0 service providers with similar attacks to successfully carry out their operations.
Security issues are bound to arise when users are given privileges such as content creation, direct HTML editing, file uploading and content distribution. These capabilities are often abused by spammers and malware authors to carry out various attacks, which pose a direct threat to Web 2.0 functionality. This necessitates continuous efforts by various Web 2.0 service providers to combat the abuse of their services.