Spammers are using an automated method to create bogus pages on Google’s Blogger service, again highlighting the diminishing effectiveness of a security system intended to stop mass account registrations, according to security vendor Websense.
The spammers are sending coded instructions to PCs in their botnets, or networks of computers that have been infected with malicious software, wrote Sumeet Prasad, a threat analyst, on Websense’s blog.
Those sophisticated instructions tell PCs how to register a free account on Blogger. The spammers also figured out a way to solve the CAPTCHA (Completely Automated Public Turing test to Tell Computers and Humans Apart), the warped text that has to be deciphered in order to complete an account registration.
The compromised PC sends a request to an external host that tries to solve the CAPTCHA and then sends the answer back to the PC. Websense estimates the process has an 8 to 13 percent success rate.
It’s unknown how exactly the CAPTCHA gets solved. It’s been theorized the process has been outsourced to real humans who get paid for every one deciphered. But researchers have successfully developed methods that enable computers to increase their success rate at solving the puzzles, indicating that hackers have also figured out how to do it.
Security vendors and researchers have seen a rapid rise in accounts used for spam on free e-mail services from Microsoft, Yahoo and Google, indicating current CAPTCHA technology has reached the end its usefulness.
In this case, the Blogger pages created by the spammers are then used to promote the usual line of spammer goods. But many of those sites are rigged with JavaScript that redirects the browser to another spammy Web site.
“Spammers include these redirecting accounts in different spam campaigns rather than including their actual spam domains,” Prasad wrote. “Spammers use this tactic to defeat a range of antispam services.”
In effect, they’re using Google’s Blogger domain as a shield, as it’s unlikely to be blocked by other security software products for being a suspicious domain.
One option for Google would be to prohibit those redirects, said Dan Hubbard, vice president of security research for Websense. But every additional security restriction has the potential to drive away users who may use the function for a legitimate purpose, he said.
For so-called Web 2.0 sites that depend on high numbers of users, that could create a backlash, causing users to leave, Hubbard said. The redirection feature could also be tied into the way how advertising is delivered to the blog pages.
Google could also figure out a better way to spot blogs that are being created through automated bots, since many of those pages have tell-tale signs indicating machines created them rather than people, Hubbard said. Those detection mechanisms are still developing, however.
“There’s not a lot of people and a lot of technology that does good content input validation on Web properties, and that’s something that we’re looking into,” Hubbard said. “Link spam and blog spam is happening a ton, and obviously that’s pretty painful for Web properties.”
This latest method means a potential increase in the number of garbage pages on Blogger. But the sheer number of Blogger sites on the whole helps the spammy ones stay under the radar a bit longer, Prasad wrote.
Google has been fighting spam for a long time on Blogger. It uses automated spam classifying algorithms to keep blogs full of spam links out of its featured content. Users can also use a reporting tool to alert Google to spam blogs, but the fight continues.