Cybergangs use cheap labor to break codes on social sites

By ABC News
April 22, 2009, 10:31 PM

SEATTLE -- It's become the new front in cybercrime: scams and identity-theft programs that attack e-mail accounts and users of social-networking sites such as Facebook and MySpace.

To carry out many of these automated attacks, cybercriminals first must overcome "captchas," the distorted letters and characters that users of an e-mail or social-networking account are required to type to complete certain online forms. For years, captchas have helped to stop or bog down automated programs aimed at creating, among other things, e-mail accounts that promote scams such as fake computer virus protection and bogus accounts on social websites that can be used to collect personal information on legitimate users.

Now, security specialists say, a growing number of captcha-breaking groups are using real people to type in captcha responses for cybergangs around the world. This is allowing the gangs to create fake e-mail and social-network accounts by the tens of thousands and use them as the starting point for a variety of cyberscams spread by e-mail and instant messages.

MySpace and Facebook say that, so far, they have kept such attacks largely in check. But security researchers say that as long as captchas are a key security feature on networking websites, cyberattacks on such sites are likely to intensify.

"We shouldn't have any illusions about captchas," says Sergei Shevchenko, a virus hunter at Internet security firm PC Tools. "If the professionals want to break in, they'll do it."

For social-networking sites that have exploded in popularity during the past two years (Facebook now claims more than 200 million members), the stakes are enormous.

The social networks, scrambling to build audiences and ad revenue, want to avoid e-mail's fate: Today, 90% of all e-mail traffic is spam, and companies across the nation pour vast resources into keeping legitimate e-mail viable by filtering away spam.

Meanwhile, cybergangs recognize the opportunity to get fresh mileage from tried-and-true scams. They are repurposing ruses perfected in e-mail spamming to try to fool members of social networks into accepting or even spreading ads for fake products, data-stealing programs and other harmful computer bugs.

"Social-networking sites are a viral marketer's dream," says Paul Wood, analyst at Message Labs-Symantec, an Internet security firm. "The potential to tap into a huge community of like-minded individuals is enormous."

A penny at a time

Captchas first appeared in 2001. They are based on the idea that humans, and not automated programs used by cybercriminals, can distinguish a word or group of characters shown as a warped graphical representation and then type them on an online form to gain access to a protected Web page.