washingtonpost.com
Digital Deception
With a test, Web sites let people in and keep out computers set to unleash spam attacks. Now, computers are cracking the code.

By Peter Whoriskey
Washington Post Staff Writer
Thursday, May 1, 2008

Are you a human or a computer?

Over the Internet, it's getting harder and harder to tell.

Some of the common tests used by Web sites to distinguish between legitimate flesh-and-blood visitors and malicious human-mimicking computers recently appear to have been outwitted.

Last month, the human verification tests, which typically require users to identify deformed letters set against a cluttered backdrop, were broken by a computer. The computer then repeatedly created free Hotmail e-mail accounts and sent spam from them, according to Websense, the security firm that detected the hacking.

The attack followed similar ones this year against Microsoft's Live Mail accounts and Google's Gmail service. A little over a week ago, the security firm reported a similar attack on Google's Blogger, a blog publishing system.

"What we're noticing over the last year is that these tests meant to tell the difference between a human and a computer are being targeted by more and more malicious groups," said Stephan Chenette, manager of security labs at Websense, the firm based in San Diego that reported the attacks. "And they are getting better at it."

Spam, or unsolicited e-mails containing offers of Viagra, Rolex watches, pornography and the like, are the ultimate aims of such schemes. Solving the human verification tests with computers allows spammers to rapidly create new e-mail accounts from which to issue spam, which is estimated by Ferris Research to cost the U.S. economy $42 billion annually.

The problem of telling computers and humans apart has a long tradition in artificial intelligence theory.

In a landmark paper in 1950, British mathematician Alan Turing proposed that a machine could be said to "think" if it could carry on a conversation -- via teletype -- in a manner that was indistinguishable from a human.

But the practice of distinguishing humans from computers has taken on a far more practical role in the Internet age.

Anyone who has signed up for an e-mail account, bought show tickets or created a free blog, is likely familiar with these modern tests of humanity: they ask visitors to identify a string of wavy, deformed letters.

The letters are supposed to be impossible for computers to read in the time allotted but relatively easy for humans.

"The free e-mail accounts and blogs are like gold to the malicious attackers," Chenette said. The reason is that spam filters are less likely to block items from these free services.

One of the first such tests was developed by Yahoo, which was having trouble with malicious computers signing up for the company's free Webmail service. They dubbed the tests CAPTCHAs, an acronym with a nod to Turing: "Completely Automated Public Turing Test to Tell Computers and Humans Apart."

Yahoo's initial system, however, was quickly hacked by computer scientists who programmed their computers with optical character recognition systems to solve the visual riddles.

To improve their system, Yahoo changed their puzzles from words to random letter strings and set the letters against more background clutter.

"I'd like to think we could break the current version, we just haven't tried," said Greg Mori, one of the scientists who broke the initial Yahoo CAPTCHA.

Now a computer science professor at Simon Fraser University in Vancouver, Mori says he still gets inquiries from spammers once a week asking whether he could help program a computer to solve CAPTCHAs. He declines.

The latest reported CAPTCHA attacks were not carried out by academics, but by spammers, however.

They were reported by Websense, which deploys thousands of decoy computers around the world -- which they call "honey pots" -- to attract such attacks.

The attacks on Google's Gmail service and on Microsoft's Live Mail were reported in February. At the time however it was difficult to tell from the evidence whether the CAPTCHAs were being solved by computers or low-wage Russian workers -- or both.

A Web page found on the computer appeared to offer, in Russian, small amounts of money for workers willing to crack the puzzles.

But the speed and repetition of the attack as well as the high error rate in solving the tests, suggested to some at Websense that computers not humans were at work.

Asked whether the Google CAPTCHA had been cracked by computers, the company issued a statement: "We still believe there is human involvement."

The attack that most clearly signals that computers were solving a CAPTCHA came about a month ago, when Websense detected what appeared to be some malicious traffic from one of its "threat-seeker" honey pots.

Once it attracted the malicious code, the decoy sought repeatedly to create Hotmail accounts.

Over and over, when it was presented with the Hotmail CAPTCHA, it sent the letter puzzle to another computer. That computer would respond within about six seconds, a speed that leads computer analysts to think the CAPTCHA was being cracked by a computer, not a human.

The fact that as many as 9 of 10 sign-up attempts failed, moreover, further suggests that a computer, not a human, was at work.

"The incident . . . is most likely an example of a machine-based attack," a Microsoft spokesperson said in a statement.

Microsoft and other Web companies say they are interested in creating human verification tests that are harder for computers to crack. But there's an inherent difficulty.

Making the tests harder for the computer makes them harder for humans, too.

View all comments that have been posted about this article.

© 2008 The Washington Post Company