With new automated tools to help them, spammers are getting better at cracking CAPTCHA
One breach has resulted in fake blogs on Google’s Blogger division, which may contain malicious code.
CAPTCHA — short for “Completely Automated Public Turing test to tell Computers and Humans Apart” — is used by many Web sites, including Google (NASDAQ: GOOG) and the Facebook social networking site, to protect their users.
By requiring visitors to enter distorted text into a Web form, it creates a bottleneck to mass mailings, thus making spamming unprofitable for cybercriminals.
Now they can crack CAPTCHA easily, spammers can get mass responses to their spams. They are posting blogs on Google Blogger that redirect victims to their own sites, and using fake Apple (NASDAQ: APPL) MobileMe accounts to send spam, according to MessageLabs, which provides messaging and Web security services.
Meanwhile, Khaty Shah, Apple’s MobileMe spokesperson, told InternetNews.com by e-mail that phishing is a problem for many service providers. Users can go to protect themselves from phishing, Shah said.
At press time, Google spokesperson said it was looking into the matter. “We expect spammers to use every means possible to try to send spam. That’s why we have a very robust spam-fighting effort at Google. We disable these accounts immediately and will continue to do so,” the company said.
MobileMe users who want to better protect their data can go here, Shah said.
Bubbling on Bebo
Maxim Shipka, senior architect at MessageLabs, told InternetNews.com that spammers are now focusing on the social networking site Bebo as a vehicle for their spams because it’s one of the 100 most visited Websites. “I think it’s a proof of concept, they want to find out how profitable Bebo will be for them,” he explained.
Bebo ranks 92 out of the top 100 sites. In Bebo, spammers include spam in buddy invites sent to other Bebo users, according to Shipka.
Using free e-mail addresses makes it harder to detect spam, because the reputation filters that spot spam compare the IP addresses of the computers from which e-mails are received against a list of known spammers. When an e-mail comes from a legitimate free e-mail service such as MobileMe, Gmail or Yahoo (NASDAQ: YHOO) Mail, it will pass the filter easily, even if it contains spam, Shipka said.
Apple, which has problems with MobileMe for weeks after its launch in mid-July, has been forced to provide a total of 90 days’ free access to the service to compensate users.
Yesterday, Apple quietly updated MobileMe. You can see the announcement here.
Other highlights of the RSA report — spam and virus attacks decreased between September and October, but phishing and the number of malicious Web sites increased. The number of malicious Web sites shot up by 48.2 percent, with 5,424 being blocked each day.
The global financial crisis sparked a boom in financial spam and phishing attacks, which increased 103 percent between September and October. “Scammers seek to take advantage of the confusion surrounding potential mergers and bailouts,” MessageLabs said.
Finally, in October, the Federal Trade Commission (FTC) froze the assets and halted the operations of what was described as the world’s largest spam gang by anti-spam organization Spamhaus. The FTC had received more than three million spam complaints linked to this operation, which is estimated to have sent billions of spam messages worldwide.
