CAPTCHA Social Engineering Experiment
- joebert
- Sledgehammer
- Joined: Feb 10, 2004
- Posts: 13455
- Loc: Florida
- Status: Offline
November 30th, 2008, 9:58 pm
I was thinking about how hard CAPTCHA images are getting to read these days and I had an idea.
I did a Google search for
I gathered the domain names of the first 50 results that did not have a "translate" link next to them, meaning they were likely to speak English.
I took a minute to generate a comma-delimited list of "support@domain" style email addresses from the list, and added that to the BCC field of an email I sent to myself.
The contents of the email was as follows.
Now, this is something I could write a script to do for me, hell it only took me maybe 15 minutes to do this for the first time by hand.
About 5 minutes after I sent the email I immediately received thirty 550 delivery status failure notifications because there was no "support@~" mailbox registered, and I got an email requesting that I fill out an extremely simple CAPTCHA to confirm I was a human.
Maybe 5 minutes after that I received an email with a link to a registration form that didn't have a CAPTCHA along with an assurance that if I was still having problems they would set it up manually for me.
After another 5 minutes I got an email with the username I requested and a password to use.
So out of those 50 addresses, I got two (4%) that would help me bypass a registration CAPTCHA. And there's still about 15 or so addresses that haven't responded in any way so far.
Now, it wouldn't be hard to have a script do a whois for each domain and gather the administration or technical emails instead of using a generic support@~
I really don't want to push it, so I'm not going to do any more than those original 50 emails, but I can't help but wonder just how many people unknowingly open the doors for spam bots on their forums like this.
I did a Google search for
Code: [ Select ]
inurl:"register.php" inurl:forum
I gathered the domain names of the first 50 results that did not have a "translate" link next to them, meaning they were likely to speak English.
I took a minute to generate a comma-delimited list of "support@domain" style email addresses from the list, and added that to the BCC field of an email I sent to myself.
The contents of the email was as follows.
Quote:
Hello,
I'd love to register on your forum, but it has taken me less time to dig
up this email address and complain than it was taking me to figure out
what the heck that CAPTCHA image says.
I'd like to register using the name "mrjoebert",
my birthday is July 4th 1981,
my email address is this one, "the email this was sent from"
Is there any chance someone could finish the account setup for me and just
send me an activation email I can click or something ?
Thankyou,
Joe
I'd love to register on your forum, but it has taken me less time to dig
up this email address and complain than it was taking me to figure out
what the heck that CAPTCHA image says.
I'd like to register using the name "mrjoebert",
my birthday is July 4th 1981,
my email address is this one, "the email this was sent from"
Is there any chance someone could finish the account setup for me and just
send me an activation email I can click or something ?
Thankyou,
Joe
Now, this is something I could write a script to do for me, hell it only took me maybe 15 minutes to do this for the first time by hand.
About 5 minutes after I sent the email I immediately received thirty 550 delivery status failure notifications because there was no "support@~" mailbox registered, and I got an email requesting that I fill out an extremely simple CAPTCHA to confirm I was a human.
Maybe 5 minutes after that I received an email with a link to a registration form that didn't have a CAPTCHA along with an assurance that if I was still having problems they would set it up manually for me.
After another 5 minutes I got an email with the username I requested and a password to use.
So out of those 50 addresses, I got two (4%) that would help me bypass a registration CAPTCHA. And there's still about 15 or so addresses that haven't responded in any way so far.
Now, it wouldn't be hard to have a script do a whois for each domain and gather the administration or technical emails instead of using a generic support@~
I really don't want to push it, so I'm not going to do any more than those original 50 emails, but I can't help but wonder just how many people unknowingly open the doors for spam bots on their forums like this.
Strong with this one, the sudo is.
- Anonymous
- Bot
- Joined: 25 Feb 2008
- Posts: ?
- Loc: Ozzuland
- Status: Online
November 30th, 2008, 9:58 pm
- camperjohn
- Guru
- Joined: Nov 28, 2004
- Posts: 1127
- Loc: San Diego
- Status: Offline
December 1st, 2008, 8:40 am
Upload video and picture galleries at http://www.bodydot.com?post+upload+video+picture+gallery
- Pro PHP
- Newbie
- Joined: Nov 30, 2008
- Posts: 8
- Status: Offline
December 1st, 2008, 8:56 am
- joebert
- Sledgehammer
- Joined: Feb 10, 2004
- Posts: 13455
- Loc: Florida
- Status: Offline
December 1st, 2008, 9:37 am
Strong with this one, the sudo is.
- joebert
- Sledgehammer
- Joined: Feb 10, 2004
- Posts: 13455
- Loc: Florida
- Status: Offline
December 2nd, 2008, 8:03 pm
Strong with this one, the sudo is.
- celandine
- Mastermind
- Joined: Oct 30, 2007
- Posts: 2008
- Loc: Belgrade, Serbia
- Status: Offline
December 4th, 2008, 4:11 pm
Interesting experiment, fascinating results. think of the possibilities 
They're lucky you're one of the good guys....
They're lucky you're one of the good guys....
Eagles may soar in the sky but weasels don't get sucked into jet engines.
celandine designblog
celandine designblog
- victoriaphee
- Beginner
- Joined: Dec 05, 2008
- Posts: 42
- Status: Offline
December 5th, 2008, 5:55 am
joebert wrote:
This morning I received two more replies to my email.
The first one I probably could have talked my way out of (yet opted to explain what was going on to instead), but I think the second one knew something was awry.
In hindsight, the old "sorry wrong number" trick may have gotten me back under the radar in both situations.
The first one I probably could have talked my way out of (yet opted to explain what was going on to instead), but I think the second one knew something was awry.
Quote:
Joe, your mail has come to me at SITE_TITLE and I'm not sure
if this is what your query relates to?
We don't have accounts and membership is free!
if this is what your query relates to?
We don't have accounts and membership is free!
Quote:
Hi Joe,
The forum has been disabled since Wednesday as I`m on holiday. I assume therefore you mean the contact page? I suggest you do try registering on the forum when it re-opens.
The forum has been disabled since Wednesday as I`m on holiday. I assume therefore you mean the contact page? I suggest you do try registering on the forum when it re-opens.
In hindsight, the old "sorry wrong number" trick may have gotten me back under the radar in both situations.
Good thing they were not in a bad mood when they read your email. That made me laugh a little.
Page 1 of 1
To Reply to this topic you need to LOGIN or REGISTER. It is free.
Post Information
- Total Posts in this topic: 7 posts
- Users browsing this forum: No registered users and 132 guests
- You cannot post new topics in this forum
- You cannot reply to topics in this forum
- You cannot edit your posts in this forum
- You cannot delete your posts in this forum
- You cannot post attachments in this forum
