Tag Archives: Yahoo! Messenger

Strip CAPTCHA Spam


Whatever useful stuff the good guys come up with, the bad guys ain’t far behind. A few months back I wrote about researchers at Carnegie Mellon coming up with a way to use CAPTCHA tools to help decipher words in text by the Internet Archive. The basic idea is that the effort to prevent spammers and others automating their intrusion into websites (signing up for stuff, comment spam etc) should not be wasted.

Now a sleazeball has found a way to do the same thing: get folk to decipher CAPTCHA texts through a small program, delivered by Trojan, that offers striptease in exchange for guessing the texts correctly (Trend Micro, via Seth Godin):

A nifty little program which Trend Micro detects as TROJ_CAPTCHAR.A disguises itself as a strip-tease game, wherein a scantily-clad “Melissa” agrees to take off a little bit of her clothing. However, for her to strut her stuff, users must identify the letters hidden within a CAPTCHA. Input the letters correctly, press “go” and “Melissa” reveals more of herself.

However, the “answers” are then sent to a remote server, where a malicious user eagerly awaits them. The “strip-tease” game is actually a ploy by ingenious malware authors to identify and match ambiguous CAPTCHA images from legitimate sites, using the unsuspecting user as the decoder of the said image.

As Trend Micro points out, the CAPTCHAs in this case are from the Yahoo! Web site, suggesting that a spammer is building up Yahoo! accounts.

CAPTCHA Wish Your Girlfriend Was Hot Like Me? – TrendLabs | Malware Blog – by Trend Micro


The Message Behind Instant Messaging

Be careful what you wish for. For nearly a decade I, and a lot of people like me, have been dreaming of the day when we could send an instant message to someone who wasn’t on the same network as us. An instant messaging program is one that sits on your computer and allows you to send short text messages to other Internet users in real time — if they are online they see the message as soon as you’ve sent it. It’s faster than email because they get it straightaway, and it has the added bonus of letting you know whether the other person is at their computer and awake. Hence the name instant messaging. The big players, like Microsoft, Yahoo, AOL and Google all have their own programs and networks, with millions of users. The services are free but beam ads at users through the software.

Now here’s the rub: Because there are no open standards, most instant messenger users can only trade messages with others using the same program. So if I signed up with ICQ, say, I won’t be able to chat with Aunt Marge if she only signed up with Yahoo. It’s a bit like only being able to send emails to people who use the same email service as yourself. Or only to make phone calls to other people using the same operator.

I’m not going to get into who’s to blame for all this. For the past few years I’ve been using a program that lets me include all my chat accounts in one small program, so I can talk to anyone on any service without having to run four or five different chat programs. No ads and less clutter on my screen. Yes, I do feel slightly bad using software that leaches off other people’s work, but if those other people can’t solve my communication problems with Aunt Marge I had to find someone who could.

But as instant messaging has grown, the arguments against fencing users of each system in have grown weaker. Instant messaging is no longer the province of teenagers: it’s as popular in business now as it is in the home, and many a market deal from London to Seoul has been done over instant messenger. Not only that: the rise of voice over internet services like Skype, which include instant text messaging features, and the introduction of video chat, mean the clamor for interoperability has become harder to ignore.

Hence the recent announcement that Yahoo and Microsoft have started a test run of allowing users of their services to swap messages. This is a big step forward, although it’s noticeable that AOL, by far the biggest player in all this with their ICQ and AIM services, aren’t yet joining the party. Still, it’s good news. But there’s a sneaking worry about all this. Why has it taken them so long? And why now? In reality, hard commercial reasons lie behind the decision. It’s not just about helping me send a message to Aunt Marge on another network. In the recent words of Niall Kennedy (thanks, BJ Gillette), a program manager at Microsoft, it’s about gathering information about us as we chat and surf so that the companies can target better ads at us. Quite reasonable for them to want to do, I suppose, but one more reason for me to be a tad suspicious about what I say or do online. For now I’m sticking with my third party, ad-free, leaching program.

Is SPIM Another Non-Problem?

No. It is a real problem, if only because there’s still plenty of sleazy people figuring out new ways to ruin your day.

There’s some skepticism out there about this new spam threat: SPIM, in case you didn’t know, is spam that’s delivered, not to your inbox, but to your instant messaging chat program, like ICQ. Some folk say it’s a problem. Yankee Group, according to a recent report, estimates that currently five to eight percent of all instant messages are spam generated by automated bots. Others are more skeptical. Greg Cher on thespamweblog points out that he’s “been on all three of the major IM’s for at least years and have never…ever had a problem with ‘spim’.”

I was skeptical too, until today I saw these programs being peddled via PRWeb: “ICQPromoter is a powerful tool for sending messages to thousands of Online or Offline ICQ users. Audience can be targeted by specific interests, country, city, occupation, age, gender or language.” The company behind this, Nanosoft Inc. of Milpitas, California, also offer:

  • Admessenger (“a feature-rich direct advertising program designed to deliver your messages directly to upto 2 Billion Windows 2000, XP, and NT desktops…It is like showing Banner Advertisement with paying a single penny”)
  • Yahoo Answering Machine (“Serves as Perfect Advertising Machine and Advertisement Machine. You can send Message in Room after Predefined time. Send PM to all users in Current Chat Room.”)

You get the idea. These programs will basically spam large numbers of people using chat messengers, or Yahoo chat rooms, all of them automated. What would be amusing if it weren’t so dumb is the fact that Nanosoft prominently display their “zero-tolerance policy” towards Spam. “If you have found this website due to spam, please let us know,” they say. Presumably that doesn’t include using the products they sell?

On closer inspection, Nanosoft have some other rather sleazy products on display. How about this for size: Shadow Pooper [sic], which will, unknown to the user, “periodically open new browser (in fullscreen mode) and load your ad page.” And just in case that’s not intrusive enough for you, “it also can change users Homepage in browser to any URL you choose.” Helpfully, the blurb says “All you need, is to force user install your application on his PC. Use your imagination. Advertise your application as free xxx-dialer, internet booster, etc… You can even include it in installation pack with other free software.” So now we know how spyware works.

Then there’s the problem that Google have come across: The way that advertising via pay-per-click can be abused. Nanosoft offer this: the Traffic Blaster/ URL Generator which will “allow you to generate a massive amount of traffic to any website you wish. Affiliate sites, Banner Sites, Exit Exchanges, and the list goes on and on.” To be honest, I’m not clear from the blurb exactly how this works. Definitely worth a closer look though.

Ironically, these are the same guys selling Popup blockers, chat encrypters, privacy protecters and evidence eliminators. Which brings me back to an earlier post on the question: How can you buy software to protect your privacy from folk you don’t trust? (And I couldn’t help noticing that Nanosoft don’t really trust their customers. This message appears on their website: “Because of the growing incidences of Internet fraud, we log everything and take it very seriously. All the fraudulent transactions will be reported to FBI’s Internet Fraud Complaint Center (IFCC).” Right.)

Goodbye To The Browser?

Here’s some more interesting end-of-year stuff from Nielsen//NetRatings: a report issued today (PDF file) says that three out of every four home and work Internet users access the Internet using a non-browser based Internet application, particularly media players, instant messengers and file sharing applications. “With 76 percent of Web surfers using Internet applications, functionality has grown beyond the browser to become a fundamental piece of the overall desktop,” said Abha Bhagat, senior analyst Nielsen//NetRatings. “It’s become harder to distinguish when you’re on the Internet, blurring the lines between what’s sitting on the desktop and what’s coming from the World Wide Web.”

According to the report, the top five applications are Windows Media Player, AOL Instant Messenger, Yahoo! Messenger, MSN Messenger Service and Real Player. Of these top five applications, Windows Media has the largest active user reach at 34 percent. AOL Instant Messenger was next at 20 percent, followed by Real Player also at 20 percent, MSN Messenger Service at 19 percent and Yahoo! Messenger Service, which reaches 12 percent of the active user base.

Interesting. But what does it actually tell us? First off, we shouldn’t get confused by the data. This doesn’t mean that folks are eschewing the browser, just that a lot of other programs are also connecting to the Internet (where is e-mail in all this?). Second, if Real Networks and MSN Messenger are anything to go by, a lot of these programs access the Internet without the user doing anything (or even knowing about it) so does this actually count? Lastly, there’s been plenty written already about how Microsoft is moving past the browser to incorporate similar functionality into its Office and other products — say Microsoft Word 2003’s Research Pane, for example — so it’s clear the big boys would have us move to more proprietary, locked-in environments, which all of the top five applications have in common. We’re not so much witnessing a demographic change as a deliberate shove by the main players.

My wish list? I’d like to see all of these players stop hoodwinking the end-user by loading their programs into the start-up queue automatically (you know who you are). It’s deliberately misleading (read: sleazy), it hogs resources and it skews data like Nielsen’s. I’d also like to see AOL, MSN and Yahoo all agree to share their instant messaging lists so folk like me don’t have to use great alternatives like Trillian to pull together our disparate buddy networks (Trillian will lump all your different Instant Messaging accounts into one easy to view window, minus all the ads and annoying pop-ups).

I see no danger in the browser gradually being phased out for plenty of web-related tasks. But, if the Internet has really become ‘part of the desktop’ let’s try to make it a place where ordinary folk can hang out without too much hassle.

Yahoo Proposes A Way Out Of Spam

 At last, someone is doing something about spam. Part of the problem behind spam is that email allows sleazier folk to fake where the email is coming from (the ‘From’ part of the email’s address fields, or header.) But if email didn’t allow that, and authenticated a sender before passing it on to the recipient, you might kill off spam in a second.
 
The problem has been implementing something like this. How do you get everyone to agree on the new system? Yahoo, Reuters reports, reckons it has the answer: architecture where sending an e-mail message would embed a secure, private key in a message header. The receiving system would check that against the sending domain’s public key. If the public key is able to decrypt the private key embedded in the message, then the e-mail is considered authentic and can be delivered. If not, then the message is assumed not to be an authentic one from the sender and is blocked.
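
The check described above, as an added example that is not Yahoo's code or part of the original post. In a scheme of this kind the private key never leaves the sending domain; what goes into the header is a signature made with it, which the receiver checks against the domain's published public key. The header name, the key table standing in for the public-key lookup, and the toy RSA key are all assumptions made for the demo.

```python
import hashlib

# Constructed toy RSA key built from two public Mersenne primes, so it is
# trivially factorable. Demo assumption only: real systems use randomly
# generated keys, signature padding and a vetted crypto library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, stays with the sender

SIG_HEADER = "X-Demo-Signature"      # hypothetical header name

# Stand-in for looking up a domain's published public key (constructed data).
PUBLIC_KEYS = {"example.com": (N, E)}


def _digest(sender, body):
    """Hash the fields the signature must protect: From address and body."""
    data = f"from:{sender.lower()}\n\n{body}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(sender, body, private_key=(N, D)):
    """Sending system: sign the digest and embed the signature in a header."""
    n, d = private_key
    sig = pow(_digest(sender, body), d, n)
    return {"From": sender, SIG_HEADER: format(sig, "x"), "body": body}


def verify(message, key_lookup=PUBLIC_KEYS):
    """Receiving system: return (accepted, reason) for a parsed message."""
    sender = message.get("From", "")
    domain = sender.rpartition("@")[2].lower()
    key = key_lookup.get(domain)
    if key is None:
        return False, "no public key published for sender domain"
    try:
        sig = int(message.get(SIG_HEADER, ""), 16)
    except ValueError:
        return False, "signature header missing or malformed"
    n, e = key
    if not 0 < sig < n:
        return False, "signature out of range"
    if pow(sig, e, n) != _digest(sender, message["body"]):
        return False, "signature does not match From address and body"
    return True, "signature valid for " + domain


if __name__ == "__main__":
    genuine = sign("alice@example.com", "Lunch at noon?")
    samples = {
        "genuine": genuine,
        "body altered in transit": dict(genuine, body="Wire $500 now"),
        "From rewritten": dict(genuine, From="ceo@example.com"),
        "unsigned": {"From": "alice@example.com", "body": "hi"},
    }
    for label, msg in samples.items():
        print(label, "->", verify(msg))
```

A valid signature only shows that the message passed through a system holding the sending domain's key; it says nothing about whether the content is wanted.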
 
Yahoo says it can make the system work even if only a few major email providers adopt it. Given Yahoo’s size in the email world that may not be so hard. Yahoo is making the technology available for free, so that while it may cost money to implement, it doesn’t leave any one player with a proprietary technology dominating the industry. (I guess spam costs Yahoo so much money it has figured it’s cheaper to give away a new system if it gets rid of spam.)
 
It’ll be interesting to see how far this goes before another big player, say Microsoft, tries to stomp on it.

News: Where Online Chat Is Going

It’s now pretty clear where this Instant Messaging thing is going, and why Yahoo and Microsoft have suddenly started blocking third parties from piggybacking their services. Microsoft have announced a hook-up with news agency and financial data transporter Reuters allowing users of the Messenger network to chat with the 50,000 members of Reuters’ own internal network (used mainly by traders).
 
The idea, of course, is that the (alleged; probably much smaller) 100 million MSN users can go straight to their broker through a secure chat window. Or, as ENTnews puts it: “In theory, the combination could allow logged, real-time communications among traders and their clients. What better medium than IM for messages like “Buy!” or “Sell!” that can be immediately acknowledged by a broker?”
 
Expect to see more of this among the big boys. Yahoo are probably next up. This is not going to help ICQ users, for example, to chat with Yahoo Messenger users, but it is likely to make IM software more secure. Companies like Reuters are not going to allow instant messaging near their networks if it also brings viruses, hacking or can be easily eavesdropped.

Update From The IM Wars Front

Seems like the IM wars aren’t over yet. Further to my postings about Yahoo and Microsoft Messenger apparently blocking third party chat aggregators like Trillian, it seems the latter’s patches aren’t enough to keep folk connected. CNET reports that Yahoo has begun blocking Cerulean Studios’ Trillian software from communicating with its own instant messaging software as part of its plan to limit third parties from piggybacking on its service.
 
On Thursday, some Trillian users began reporting an inability to communicate with their Yahoo Messenger contacts. A Yahoo spokeswoman on Friday morning confirmed that Trillian users’ inability to access Yahoo Messenger was the result of recent policies put in place by the Web giant. A day after last week’s Yahoo announcement, Trillian released software patches that were aimed at allowing it to continue accessing Yahoo and MSN buddy lists. But as of this week, CNET says, those patches do not appear to be working.

News: More Bad News For Chat

 Bad news for those of us who use third party programs to collect all our instant messaging accounts. I use Trillian, which does a great job of allowing me to access ICQ, Yahoo, AOL and MSN from one window. Not for long, though: CNET reports that Yahoo is planning an upgrade to its instant messaging software that will block access via such third-party IM applications. The reason: to protect IM users from unwanted spamming from advertisers.
 
Yahoo’s announcement, CNET reports, comes on the heels of similar news from rival IM software maker Microsoft that it plans to bar third-party client software from gaining access to its MSN Messenger IM applications. On Oct. 15 Trillian users will also lose access to the Microsoft IM client.
 
I think the spam argument is specious. I can well understand Yahoo and co not liking folk such as Trillian piggybacking their (free) chat services but to blame spam is just silly. To do so in the same breath as suggesting they’re in favour of some general standard that would allow folk from, say, ICQ, to chat with someone from MSN is also pretty pathetic. These services have been around for more than five years now, and that no such standard exists is absurd. That’s why I’ve used Trillian and I’ll continue to do so.

Software: A Way To Avoid The Messaging Nasties

Do a lot of online chat, or instant messaging (IM)? If you do, you’re as vulnerable to nasty folk trying to do nasty things to your computer as you are using email, including viruses, worms and other ways to get information from your PC, take over your PC or just to make it stop working.

The good news is that Zone Labs, who make the excellent Zone Alarm firewall (a firewall is a piece of software that tries to keep out some of these nasties), will today launch a product to specifically target IM threats to your computer. IMsecure Pro 1.0 monitors IM traffic and blocks malicious code and spam, encrypts messages sent between IMsecure users and allows users to set rules on outgoing messages and block features such as file transfers and voice and video chats.
 
IMsecure Pro works with Yahoo’s Messenger, Microsoft’s MSN Messenger, and America Online’s AOL Instant Messenger and costs $19.95. A free, dressed-down version of the product for personal and nonprofit users will be available by the end of the month. Given how useful Zone Alarm is, I’d keep an eye out for this. At the time of writing the product had not been posted.

Loose Wire — I Seek Mum, Nick and Sally

By Jeremy Wagstaff
from the 14 March 2002 edition of the Far Eastern Economic Review, (c) 2003, Dow Jones & Company, Inc.

Communication is a funny thing. Living in Southeast Asia in the 1980s I’d type out letters in the enveloping heat, making carbon copies — confident the original would never arrive — and fight my way to the post office past beggars, pickpockets and expat financial-services salesmen, just to stay in touch. Now I have a handphone, e-mail and fax and I can barely talk my thumbs into tapping out a text message home once in a while. It may just be me, but I suspect the harder it is to stay in touch, the better we are at it.

One phenomenon that has bucked this trend is Internet messaging. ICQ was revolutionary when it first popped up in 1996 via an Israeli company called Mirabilis. The first time I used it to send a message to my friend Jim across the South China Sea was mind-blowing.

Now ICQ has been snapped up by AOL and boasts some 127 million users — a sign that people seem to want to stay in touch. For those of us with friends and family in different time zones, such programs are a good way to exchange casual greetings when our on-line sessions happen to coincide.

That said, there’s a downside and it must be fixed before messaging really catches on. While ICQ is by far the most popular chat program or messaging client, Microsoft also has its own, as do AOL and Yahoo. The problem is whether or not to allow users on one service to interact with users on another. So far things haven’t worked out; AOL has blocked most attempts at hooking up to their users, arguing they don’t want any Tom, Dick or Harry hacking into their computers.

Fair point, but in reality the issue is money: These programs spread like wildfire because they were free, and so far no one’s making any money. ICQ has started discreetly adding small adverts but it’s not going to make a dent in the cost of hosting tens of millions of chatty messaging folk. Until chat becomes like your mobile-phone service — where you can be assured of reaching someone, whatever network they’re on — it’s going to be a gimmick. Loading a different program for each service gets messy.

But this is where it gets interesting. Some enterprising dudes have started offering software that handles more than one service, meaning that if you have friends with Yahoo, Microsoft and ICQ accounts, for example, you can chat with them via one program. The best of these is Trillian (www.trillian.cc), written by Kevin Kurtz and Scott Werndorfer and already boasting 2 million copies.

As you can imagine, the giants aren’t happy about two whippersnappers piggybacking on all their hard work. The logos of Microsoft’s MSN, AOL and Yahoo are reduced to acne-like splodges inside Trillian’s window and are, to all intents and purposes, irrelevant to users, who are just happy to be able to connect with their chums on other services.

AOL has already made its feelings known by attempting to shut out Trillian, who have spent much of the past few weeks trying to get back in.

Trillian may be small fry, but they’ve opened the door. AT&T launched a new version of their IM Anywhere program in February that connects to all the other services except ICQ. Fending off two guys in a bedsit may be one thing for AOL, but AT&T may be a tougher proposition.

Where is this going to take us? I’d like to see basic text messages to all services offered as a standard, with users deciding which program they use to pull all their contacts together. PalTalk, a small start-up that also connects to AOL, has found there’s money in extra services like voice, video and professional chat groups.

For most, text chat is just a great way of staying in touch with people across the street or planet. Most don’t care which program does it, and aren’t crazy about all the extra hoopla companies try to cram in to lure folk aboard.

So just give us simple Internet messaging for free, and charge for premium services like security, messaging between handphones and Internet, or on-line collaboration for professional use. Who knows? I might even persuade my mum to sign up: It beats picking up a phone.