reCAPTCHA is Toast

Over the past six weeks or so, one of my email accounts has been flooded with spam advertising phony Internet “pharmacy” sites and penis pill sites.

It still blows my mind to this very day that people actually give money to these folks and actually believe they are getting real drugs, rather than corn starch and food coloring, in return, but that’s a whole separate issue.

The spam I have been getting differs from the ordinary, garden-variety junk “pharmacy” spam I get in that all of it advertises URLs belonging to social networking sites. Each URL is a phony profile of a bogus user, whose user information is nothing but a redirector to a spam site.

I’ve seen this happen before. Usually, it happens when some naive person decides to set up a niche social networking site of some sort, like a social networking site for professional engineers who work in Third World countries or a site for some obscure band or something, but doesn’t know anything about security.

The Russians love people like that. Nearly all Internet pharmacy sites, even (especially) the ones that claim to be Canadian, are run by Russian organized crime. The various crime gangs use bots–computer programs that automatically scan through hundreds of thousands of Web sites per day, searching for small social networking sites. When they find one, they attempt to create phony users. If they succeed, the bot software will start setting up thousands, or even tens of thousands, of bogus users, all automatically, and stuff those bogus user profiles full of ads for the phony pharmacy sites.

So you’ll end up with some Web site that’s dedicated to fans of some Brazilian soccer team or something, and it will have 27,498 users with names like “BuyCheapTramadolHere.” Whenever you visit the user profile page for the site, you get redirected to the fake pharmacy. The spammers then advertise the URL of the Brazilian soccer team site in their spam emails.
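The two tell-tale signs described above (drug names in the profile slug, and a profile page that is nothing but a redirect to an outside domain) can be checked mechanically by a site operator. The triage script below is an added example for this post, not code from the author or any of the sites mentioned; the hostnames, drug-term list and sample profile HTML are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed keyword list; a real deployment would grow it from moderation data.
PHARMA_TERMS = {"tramadol", "cialis", "viagra", "zocor", "detrol", "desyrel",
                "namenda", "omeprazole", "celexa", "acai", "pharmacy"}

# Immediate client-side redirects: <meta http-equiv="refresh" ... url=...> and JS location=...
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_REDIRECT = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)

def external_redirect(html, site_host):
    """Return the off-site hostname the page bounces to, or None if it stays on-site."""
    for pattern in (META_REFRESH, JS_REDIRECT):
        m = pattern.search(html)
        if m:
            dest = urlparse(m.group(1)).hostname or ""
            if dest and dest != site_host and not dest.endswith("." + site_host):
                return dest
    return None

def pharma_terms_in(path):
    """Drug/pharmacy words found in the URL path, e.g. /profiles/blogs/detrol-...."""
    words = set(re.split(r"[^a-z0-9]+", path.lower()))
    return sorted(words & PHARMA_TERMS)

def score_profile(url, html):
    """Score 0..2: +1 for pharma terms in the slug, +1 for an off-site redirect."""
    parsed = urlparse(url)
    reasons = []
    terms = pharma_terms_in(parsed.path)
    if terms:
        reasons.append("pharma terms: " + ",".join(terms))
    dest = external_redirect(html, parsed.hostname or "")
    if dest:
        reasons.append("redirects off-site to " + dest)
    return len(reasons), reasons

def triage(profiles):
    """Return URLs of suspicious profiles, most suspicious first."""
    scored = [(score_profile(u, h)[0], u) for u, h in profiles]
    return [u for s, u in sorted(scored, key=lambda t: -t[0]) if s > 0]

# Constructed sample profiles: (url, page html) as a moderator's crawler might fetch them.
SAMPLE_PROFILES = [
    ("http://example-social.invalid/profiles/blogs/detrol-detrol-la-homeopathic",
     '<meta http-equiv="refresh" content="0;url=http://cheap-pills.invalid/">'),
    ("http://example-social.invalid/profiles/blogs/weekend-ride-photos",
     "<p>Great ride on Saturday, photos below.</p>"),
    ("http://example-social.invalid/profiles/blogs/my-new-page",
     '<script>window.location.href = "http://pills-outlet.invalid/";</script>'),
]
```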

This is why it is absolutely essential that anyone who sets up a Web site that allows users to sign up and create profiles must, absolutely must, use some kind of system to prevent bot software from creating phony profiles.

Enter the CAPTCHA–those weird squiggly lines of text that you have to type in in order to fill out many Web forms. The idea behind a CAPTCHA is that a computer program can’t read the words, so computer programs can’t be used to fill out the form.

Organized crime has spent a huge amount of money and time in trying to figure out ways to break CAPTCHAs. Some of the most cutting-edge work in computer optical character recognition is coming from Eastern European organized crime. (Some Web services, such as Gmail, are worth so much to organized crime–mail sent from a Google mail server is almost never blocked by spam filtering software–that organized crime gangs have been known to pay unemployed Third Worlders a penny or so apiece to sit in front of a computer typing in CAPTCHA codes all day.) Another strategy that criminals have used to defeat high-value CAPTCHAs is to do things like set up phony Web sites offering free porn to people if they type in CAPTCHA codes first.

In the past, whenever I have received spam advertising a URL or a redirector hosted on a social networking site, the social networking site hasn’t been using a CAPTCHA. That makes it trivial for the spammers to create phony accounts to act as redirectors to their spam sites.

CAPTCHAs are such a mandatory part of good Web practice that there are businesses whose sole business is providing CAPTCHA generation software or services to Web owners. One such business is a company called reCAPTCHA, which provides free CAPTCHAs for Web site owners. Hundreds of thousands of Web sites, including many high-profile sites like Craigslist, use CAPTCHAs generated by reCAPTCHA.

And that’s where things get interesting.

Back to my inbox.

Like I said, it’s been flooded lately. I’ve seen literally thousands of bits of spam all advertising bogus profiles on various social networking sites.

Unsurprisingly, many of them are hosted by Ning, the failed and woefully insecure social networking platform cofounded by ex-Netscape cofounder Marc Andreessen, and which today seems to serve primarily as a platform for spammers (as I’ve detailed here). The URLs in the spam look like this:

http://scaryguy.ning.com/profiles/blogs/detrol-detrol-la-homeopathic
http://myjumpspace.ning.com/forum/topics/zocor-zocor-similar-products
http://igotittoo.ning.com/profiles/blogs/cialis-professional-cheapest
http://morecoffee.ning.com/forum/topics/acai-fit-com-now-foods-acai
http://onelion.ning.com/forum/topics/desyrel-buy-cheap-desyrel
http://tvsbrasil.ning.com/profiles/blogs/namenda-tapering-namenda-buy
http://cincinnatiown.com/profiles/blogs/omeprazole-marijuana-and

So in other words, about par for the course for Ning; it’s a sewer of spam, and since it recently fired most of its staff, it’s unlikely ever to improve.

But a lot of the other URLs I’ve been seeing aren’t hosted on Ning:

http://celexa108s.mysoulspot.com/
http://www.design21sdn.com/people/52077
http://community.sgdotnet.org/forums/t/28066.aspx

Those three sites (mysoulspot.com, design21sdn.com, and sgdotnet.org) have been hit particularly hard, with each of them currently hosting literally thousands or even tens of thousands of spam profiles.

I visited these and other social networking sites that kept popping up in my spam, expecting to see that they were not using CAPTCHAs to protect themselves from bot software signups.

But that isn’t what I found at all. Instead, what I discovered is that every one of the sites I’m seeing that’s being attacked, including the Ning sites and the social networking sites not related to Ning, is using reCAPTCHA as its CAPTCHA provider.

All of them.

Which suggests very strongly to me that reCAPTCHA has been busted. Organized crime has written, I suspect, software that is effective enough at breaking reCAPTCHA protection that it is effectively useless.