Spammers break BlogSpot CAPTCHA, load up on garbage sites
The weary war against net scum continues, as Google's much-abused BlogSpot service finds its CAPTCHA tech hamstrung and malicious Web sites spread like stinkweed.
The October report from MessageLabs (PDF available here) confirms what blog aficionados had suspected for several weeks: Spammers have figured out a way to get around certain implementations of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) and thus abuse BlogSpot as well as CAPTCHA-guarded e-mail services such as MobileMe.
Google's track record with CAPTCHA is not so impressive in recent months. A similar breach involving Google Sites' implementation turned up in MessageLabs' monthly survey back in July, and Gmail's CAPTCHA was popped back in February -- in part, as security researchers at WebSense discovered, because spammers utilized humans to supply the data that led to automated cracking abilities.
Before that, though, Google's use of the squiggly-word images for differentiating between spambots and humans was fairly effective -- in fact, as Google chose to implement it, more effective than that used by either Windows Live Mail or Yahoo.
With MobileMe cracked, spammers can diversify their approaches. MessageLabs spotted MobileMe addresses used to send recipients BlogSpot links, which in turn open onto sites for whatever foolishness is being spam-peddled, but they also saw MobileMe addresses used to trick social-network users into thinking they've gotten buddy requests. The "buddies" are of course fake -- but the pages they build on such sites at Bebo.com sometimes turn up in Google searches, thus propagating the problem.
Sites harboring malware, spyware and adware proliferated in October, with MessageLabs reporting an average of 5,424 new trouble sites every day. That's an increase of over 48% since September and may also reflect the CAPTCHA breakdown.