The attack on Google's Blogger – following in the wake of similar exploits on other online services -- points out the growing ineffectiveness of systems designed to stop mass registration of online accounts, the researcher asserts.
"Spammers have managed to create automated bots that are capable of not only signing up and creating Blogger accounts (using spammer account credentials), but also to use these accounts as re-directors [sic] and doorway pages for advertising their products and services," Websense security researcher Sumeet Prasad wrote in a blog post available
here.
In their attacks, the culprits are sending specially programmed code to PCs that are members of their botnets, Prasad said. The instructions tell the PCs in the botnet how to register a free account on Blogger and how to bypass Google's CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) system. This is the skewed text users must interpret to finish registering for an account.
The zombie PC sends a request to another computer, which attempts to read the CAPTCHA puzzle, and then sends an answer to the PC. Websense estimates the spammers are successful in eight to 13 percent of their attempts at signing up for a new Blogger account.
Websense didn't try to explain how the spammers are solving the CAPTCHA puzzle. Spammers have solved similar anti-CAPTCHA schemes for Microsoft's Live Mail and Live Hotmail systems and Google's Gmail system, Prasad wrote.
The spammers use their Blogger pages to hype typical spammer merchandise. Many of the sites also include JavaScript code that redirects the victim's browser to another spammer website.
Google has said it closes any accounts being used to distribute spam.
See original article on scmagazineus.com