
CAPTCHA busting -- A sucker born every minute

I have a small phpBB2 forum attached to this site, which I used briefly to support some of my side projects. phpBB has had a checkered past in terms of security, having been the target of many exploits. To be fair, that is one of the costs of being one of the first and most widely successful PHP based community projects; the number of phpBB deployments is staggering even to this day. With so many forums out there, spammers quickly figured out that if they could write a bot to create an account and post messages automatically, they could spread their spam far and wide. I was getting so much spam that I ultimately disabled the ability of people to activate their own accounts, and despite this change I still see as many as ten new signups for the forum every day. Who would bother to sign up for an account they can't use? There had to be a way of telling the bots from the humans who wanted to post to my forum.

CAPTCHA, according to the conventional wisdom of the day, would provide a useful deterrent to this annoyance: bots aren't smart enough to decipher the CAPTCHA image, extract the right combination of letters and numbers depicted in it, and type them back into the form to unlock the account. Without an account, the spammers' bots couldn't post their spam. While phpBB introduced a CAPTCHA capability relatively late in the game, it is now something you get out of the box, and there is at least one mod that improves on the quality of the CAPTCHA image, which is to say, makes it harder to read.

The problem is that CAPTCHAs are there to defeat dumb machines, not dumb humans. And as the old saying goes, there's a sucker born every minute who is more than happy to help your local spammer defeat the CAPTCHA image on your site. How, you might ask? The scam works something like this: John Q. Sucker visits some site that informs him he's getting something for free. It could be a free iPod, porn, or an Xbox 360; all that matters is that he believes he will get access to the free stuff once he registers.

He visits the spammer's site and is presented with a CAPTCHA image in order to register. Only, this image didn't come from the spammer's site; it came from YOURS. The spammer writes a simple bot that goes to your site and hits the registration page. It takes the CAPTCHA image your site served and presents it to John Q. Sucker on the spammer's site.

John Q. Sucker, believing he's unlocking access to that free stuff, deciphers the image and types the letters into the spammer's site. Now the spammer's bot takes that input and posts it to your site. Your CAPTCHA has been defeated, and no fancy image analysis software was required. The person on the phpBB forum who first described this scam in a post I read indicated that the spammers will typically "fail" the registration on their own site two or three times. John Q. Sucker assumes he mistyped, so he goes at it again, only this time he's adding another new account to your site, or possibly to someone else's. It's for free stuff, remember?

Expect registration processes to become significantly more difficult as programmers come up with ways to counter this strategy. The same person who described the scheme suggested that a lot of sites are initially turning to watermarks on their CAPTCHA images, hoping that John Q. Sucker will notice the image has nothing to do with the spammer's site and figure out that something is fishy. I don't hold out as much hope for the great clueless masses that populate the crevices of the internet underbelly.

In the short term, a more effective approach may be to attack the very thing that makes this exercise worthwhile for the bot writers: ubiquity by default. What makes this worth doing for the spammer is that a bot can harvest a large database of small sites and use the same script to exploit them all. Even small nuances that make your site behave differently can defeat bots that aren't sophisticated. Any variance from the standard out of the box behaviour is probably enough to defeat the bad guys, assuming your site is just one entry in a huge database of targets. I leave it to you to contemplate the modifications you might want to make to the registration process, but this is one place where the hassle of modification now can save you a lot of time later disabling accounts and using the moderation tools to remove unwanted spam from your forums.
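To make the relay concrete, here is a small Python model of the scam described above, run against two toy registration pages: one that hands out a CAPTCHA with no lifetime and accepts the same solved answer any number of times, and one that binds each CAPTCHA to a session, accepts it exactly once, and expires it after a short window. This is an added example and not code from the post, from phpBB or from the mod mentioned; `RegistrationServer`, `relay_attack`, the `ttl` and `single_use` knobs and the 60 second window are all assumptions made for illustration, and the HTTP round trips of the real attack are modelled as direct function calls. The "image" is returned as plain text standing in for the picture, since the whole point is that the bot never has to read it.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


class RegistrationServer:
    """Toy model of a forum registration page (hypothetical, not phpBB).

    ttl        - seconds a challenge stays valid (None = never expires)
    single_use - forget the challenge after the first submit, right or wrong
    """

    def __init__(self, ttl=60, single_use=True):
        self.ttl = ttl
        self.single_use = single_use
        self.challenges = {}   # session id -> (answer, issued_at)
        self.accounts = {}     # username -> session id that created it

    def captcha_page(self, now):
        """GET the registration page: a fresh session id and its CAPTCHA text."""
        sid = secrets.token_hex(8)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self.challenges[sid] = (answer, now)
        return sid, answer

    def register(self, sid, username, typed, now):
        """POST the form; returns a short status string."""
        entry = self.challenges.get(sid)
        if entry is None:
            return "no-challenge"          # unknown session or already consumed
        if self.single_use:
            del self.challenges[sid]       # one attempt per image, even a wrong one
        answer, issued = entry
        if self.ttl is not None and now - issued > self.ttl:
            return "expired"               # the human took too long to answer
        if typed != answer:
            return "wrong"
        if username in self.accounts:
            return "taken"
        self.accounts[username] = sid
        return "ok"


def relay_attack(target, human_delay, now=0.0, replays=1):
    """The scam from the post, modelled as function calls.

    The bot fetches the victim's CAPTCHA, shows it on the spammer's own page,
    and forwards whatever John Q. Sucker types.  human_delay is the seconds the
    round trip through the human takes.  replays is how many times the bot
    resubmits the one solved answer with a fresh username; against a page that
    never invalidates a challenge, one solve buys many accounts.
    """
    sid, image = target.captcha_page(now)
    typed = image                          # the human reads it correctly: best case for the spammer
    results = []
    for i in range(replays):
        results.append(target.register(sid, f"spam-{sid[:4]}-{i}", typed, now + human_delay))
    return results


if __name__ == "__main__":
    weak = RegistrationServer(ttl=None, single_use=False)
    print(relay_attack(weak, human_delay=300, replays=3))   # ['ok', 'ok', 'ok']
    hard = RegistrationServer(ttl=60, single_use=True)
    print(relay_attack(hard, human_delay=20, replays=3))    # ['ok', 'no-challenge', 'no-challenge']
    print(relay_attack(hard, human_delay=120))              # ['expired']
```

Two caveats worth keeping in mind. Neither single use nor a short lifetime stops the relay when the human answers quickly; in the model above the hardened page still yields one account. What they do is cap the damage to one account per solved image, make each "try again" on the spammer's page cost another human solve, and, because they differ from the stock behaviour, break a script written once against the default page. Pick the lifetime after measuring how long legitimate users take to fill in your form, or you will lock out the slow typists along with the relayed answers.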

