"The botnet, or collection of compromised PCs, can decipher Live Hotmail's CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) registration safeguard in about 20 seconds, said Websense Inc. security researcher Sumeet Prasad.
CAPTCHA is the term for the distorted characters that many Web sites, such as e-mail services and blogs, use to prevent spammers and cyber criminals from creating massive numbers of new accounts. Those accounts are used to send junk mail or messages that try to dupe people into visiting malicious sites, and are valuable because spam filters rarely block the "hotmail.com" domain address.
Last fall, Microsoft revamped the CAPTCHA protection for Live Hotmail after earlier versions had been busted by hackers. Its newest defense has now fallen to a similar attack, said Prasad. "Every time Microsoft implements CAPTCHA changes to combat abuse of their services, the spammers adapt to those changes," Prasad said in an entry to the Websense security labs blog .
Although the newest automated CAPTCHA-cracking tactics are similar in some ways to those used previously by criminals, Prasad noted that the hackers are now using encryption to mask the instructions sent to the bots."