Russian Slave-labourers Crack Gmail CAPTCHAs

By Greg McNevin

March 18, 2008: While the arms race between security companies and hackers continues, evidence is beginning to surface that cyber criminals are increasingly turning to slave labour to perform basic cracking tasks.

According to a New York Times interview with Google software engineer Brad Taylor, evidence suggests that Gmail’s CAPTCHA (the jumbled letters users have to identify to create an email account) is being broken by low-paid Russian workers.

Taylor said that when spam accounts are discovered, they are increasingly finding recurring factors between the accounts in certain parts of the world. “You can see it is clearly done by humans,” Taylor told the NYT. “There are patterns in the rate we find bogus accounts, like at night time and when people get off work.”

Taylor’s assertion is backed up by the security firm Websense’s February discovery of a Russian website it identified as a CAPTCHA-breaking host, with instructions on how to process the jumbled text and get paid – US$3 a day – for it.

“If you are unable to recognize a picture or she is not loaded (picture appears black, empty picture), just press Enter. In no case do not enter random characters! If there is delay in downloading images, exit from your account, refresh the page and go again,” reads the site according to Websense’s translation.

Once cracked, the Gmail accounts are put into immediate use by spammers, whose dodgy emails can be more difficult to block because Gmail is considered to be a reputable service by world standards.

There is some speculation that the workers may be using a partially automated service to speed up the account creation process, and even feed their answers back into another process to improve automated CAPTCHA cracking technology.
