CAPTCHAs – breaking into the shadow economy
- Thursday, July 15, 2010, 0:45
- Threat Research
Posted on behalf of Jason Zhang, Senior Software Engineer, Symantec Hosted Services
For many years, CAPTCHAs have proven very useful for many reputable, Web-based email and application service providers, including social networking sites and online auction sites, for the purpose of deterring automated registration. Nevertheless, cyber criminals have not ceased trying to defeat CAPTCHA-based protection.
Since 2008, cyber criminals have found ways to break CAPTCHAs either automatically or by manual labour. Breaking them has unlocked the business potential of the so-called shadow economy for many criminals, who stand to make a lot of money from the free email accounts they’ve been able to harvest from popular account providers by cracking the CAPTCHA system. Lust for CAPTCHA breaking stems from the desire to procure popular email or social networking accounts, which can be used to effectively distribute spam or malware.
MessageLabs Intelligence has noticed that the amount of spam sent out from webmail accounts has been changing. The figure below shows the spam trends over the last six months (the smooth curve is a polynomial fit); the spam percentage on the y-axis is calculated based on the 120 billion spam emails Symantec blocks per day. At the beginning of November 2009, webmail-generated spam accounted for about 0.5% of the total blocked spam; one month later it increased to 1%, followed by a steady drop over the