Criminal gangs are using sophisticated software to outwit the Captcha systems used by webmail, microblogging and social networking services to protect their sites against hackers and spammers.
According to research by Symantec and MessageLabs, criminals have developed software capable of decoding the hidden text in Captcha pictures, which are meant to distinguish genuine customers from automated software.
The groups are using the technology to create thousands of accounts on legitimate webmail and social networking sites, which they can then use to launch spam and phishing attacks against web users, says Paul Wood, senior analyst at Symantec.
"If you have a large number of legitimate accounts on a site, you can benefit from the legitimate domains. It becomes very difficult for anti-spam technology to identify messages from those domains as spam. It is hard to block, because you risk blocking legitimate users," he says.
The practice is putting businesses at risk, as they can end up on the receiving end of credible-looking e-mails containing links to malware, says Wood.
"Social networking and microblogging sites are coming under a lot of pressure from the bad guys. They are creating legitimate profiles and even phishing for accounts of real people," he says. "There are inherent risks for organisations that don't have controls in place."
In some cases cybercriminals are using image recognition software to decode the disguised words in Captcha pictures.
Other groups have developed software capable of decoding the audio version of Captcha, intended for people who have difficulty reading websites, by analysing the waveforms to recognise the letters of each code word.
Specialist companies have also sprung up that hire people to create accounts on web applications, paying them $2 or $3 per thousand. They sell the accounts on to criminal groups for between $30 and $40 a thousand, said Wood.
MessageLabs Top Trends in 2009
Spam: The annual average spam rate was 87.7%, an increase of 6.5% on the 2008 figure of 81.2%. April saw a spike in image spam, which accounted for 56.4% of all spam on 5 April, compared with the annual average of 28.2%.
Viruses: The average virus level was 1 in 286.4 e-mails, reflecting a 0.35% decrease on 2008, when levels averaged 1 in 143.8 e-mails.
Web security: The average number of new malicious websites blocked by MessageLabs each day rose to 2,465, compared with 2,290 for 2008, an increase of 7.6%. MessageLabs Intelligence blocked malicious web threats on 30,000 distinct domains. 80% of those domains were established, legitimate websites that had been compromised; the remaining 20% were new domains set up purely with malicious intent.