CAPTCHA Social Engineering Experiment

  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13504
  • Loc: Florida

Post 3+ Months Ago

I was thinking about how hard CAPTCHA images are getting to read these days and I had an idea.

I did a Google search for

Code:
inurl:"register.php" inurl:forum


I gathered the domain names of the first 50 results that did not have a "translate" link next to them, meaning they were likely to speak English.

I took a minute to generate a comma-delimited list of "support@domain" style email addresses from the list, and added that to the BCC field of an email I sent to myself.

The contents of the email were as follows.

Quote:
Hello,

I'd love to register on your forum, but it has taken me less time to dig
up this email address and complain than it was taking me to figure out
what the heck that CAPTCHA image says.

I'd like to register using the name "mrjoebert",
my birthday is July 4th 1981,
my email address is this one, "the email this was sent from"

Is there any chance someone could finish the account setup for me and just
send me an activation email I can click or something ?

Thankyou,
Joe


Now, this is something I could write a script to do for me, hell it only took me maybe 15 minutes to do this for the first time by hand.

About 5 minutes after I sent the email I immediately received thirty 550 delivery status failure notifications because there was no "support@~" mailbox registered, and I got an email requesting that I fill out an extremely simple CAPTCHA to confirm I was a human.
Maybe 5 minutes after that I received an email with a link to a registration form that didn't have a CAPTCHA along with an assurance that if I was still having problems they would set it up manually for me.
After another 5 minutes I got an email with the username I requested and a password to use.

So out of those 50 addresses, I got two (4%) that would help me bypass a registration CAPTCHA. And there's still about 15 or so addresses that haven't responded in any way so far.
Now, it wouldn't be hard to have a script do a whois for each domain and gather the administration or technical emails instead of using a generic support@~.

I really don't want to push it, so I'm not going to do any more than those original 50 emails, but I can't help but wonder just how many people unknowingly open the doors for spam bots on their forums like this. :scratchhead:
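
From the forum operator's side, the request described in this post has recognisable features: the support mailbox is not named in To/Cc (it was in BCC), the sender addressed the mail to himself, and the body asks staff to complete registration around the CAPTCHA. The following is an added example, not part of the original post; the phrase list, the sample message and the address `support@forum.example` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed phrase list modelled on the request quoted in the post; tune per site.
BYPASS_PATTERNS = [
    r"captcha",
    r"(finish|complete|set ?up|create).{0,40}(account|registration)",
    r"activation (e-?mail|link)",
]

# Constructed sample: sender mails himself, real targets sit in BCC (never in headers).
SAMPLE = """\
From: Joe <joe@example.net>
To: Joe <joe@example.net>
Subject: Trouble registering

I can't figure out what that CAPTCHA image says.
Is there any chance someone could finish the account setup for me and just
send me an activation email I can click?
"""

def body_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            parts.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(parts)

def triage(raw_message, mailbox):
    """Return the reasons an inbound support mail looks like a bypass request."""
    msg = message_from_string(raw_message)
    visible = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    sender = {a.lower() for _, a in getaddresses(msg.get_all("From", []))}
    reasons = []
    if mailbox.lower() not in visible:
        reasons.append("mailbox absent from To/Cc (delivered via BCC)")
    if visible and visible == sender:
        reasons.append("sender is the only visible recipient")
    hits = [p for p in BYPASS_PATTERNS if re.search(p, body_text(msg), re.I | re.S)]
    if hits:
        reasons.append(f"asks staff to work around registration ({len(hits)} phrases)")
    return reasons

def should_hold(raw_message, mailbox):
    """Hold for manual review when bulk-delivery and bypass-request signals coincide."""
    return len(triage(raw_message, mailbox)) >= 2

if __name__ == "__main__":
    print(triage(SAMPLE, "support@forum.example"))
```

The BCC signal also fires for mail arriving through aliases or mailing lists, so treat a hold as a prompt to point the requester back to the normal registration form rather than as proof of abuse.
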
  • camperjohn
  • Guru
  • Posts: 1127
  • Loc: San Diego

Post 3+ Months Ago

Ok, this is taking spam to a new level!

I like it!

I think it is similar to how the virus messages bait users with "John has sent you an image - Please open the attachment". Some people open them!
  • Pro PHP
  • Newbie
  • Posts: 8

Post 3+ Months Ago

Interesting. Think of the large scale on which that could be done! You could have quite an arsenal of forum accounts with which to spam!
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13504
  • Loc: Florida

Post 3+ Months Ago

This morning I received two more replies to my email.

The first one I probably could have talked my way out of (yet opted to explain what was going on instead), but I think the second one knew something was awry.

Quote:
Joe, your mail has come to me at SITE_TITLE and I'm not sure
if this is what your query relates to?

We don't have accounts and membership is free!


Quote:
Hi Joe,

The forum has been disabled since Wednesday as I'm on holiday. I assume therefore you mean the contact page? I suggest you do try registering on the forum when it re-opens.


In hindsight, the old "sorry wrong number" trick may have gotten me back under the radar in both situations.
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13504
  • Loc: Florida

Post 3+ Months Ago

I've received two notifications of delivery delays that will be retried for two days, and I have one more username and password set up for me.

So far I have a total of three responses out of 50 messages (6%) that would allow me to bypass a CAPTCHA pragmatically, and about a dozen more responses in limbo.
  • celandine
  • Mastermind
  • Posts: 2008
  • Loc: Belgrade, Serbia

Post 3+ Months Ago

Interesting experiment, fascinating results. Think of the possibilities :D They're lucky you're one of the good guys....
  • victoriaphee
  • Beginner
  • Posts: 42

Post 3+ Months Ago

joebert wrote:
This morning I received two more replies to my email.

The first one I probably could have talked my way out of (yet opted to explain what was going on instead), but I think the second one knew something was awry.

Quote:
Joe, your mail has come to me at SITE_TITLE and I'm not sure
if this is what your query relates to?

We don't have accounts and membership is free!


Quote:
Hi Joe,

The forum has been disabled since Wednesday as I'm on holiday. I assume therefore you mean the contact page? I suggest you do try registering on the forum when it re-opens.


In hindsight, the old "sorry wrong number" trick may have gotten me back under the radar in both situations.



Good thing they were not in a bad mood when they read your email. That made me laugh a little. :lol:


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.