You are about to subscribe to a website, a newsletter, get a free email account, or try to download something. You’ve never heard of this site before but it has what you need. Before you can click Confirm, you’re asked to complete a Captcha validation. Okay, no big deal: you enter the string and press ‘Confirm.’ Oops, you did it wrong. Retry, and good it works – you are now able to access the service you were looking for! Oh and by the way, you just created 2 new email accounts for spamming. How?
This trick is old, but it is still used today. Here’s how it works. Let’s pretend Email Security Matters (ESM) is offering a free email service and that we use a Captcha system.
You are on the Beep Moop website and want to download a piece of software. As soon as you open the page on Beep Moop, a script on Beep’s server opens a page on ESM in the background and grabs the Captcha box. So by confirming the text on the Beep Moop website, the people behind that website are also able to create a new email address on the ESM website (which will be used for spamming, of course). Furthermore, you often get an error on the first try so they can get you to validate another Captcha image and create a second email address. And all you wanted to do was to get the new software or service.
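Seen from ESM’s side, the client that fetches each Captcha and submits the answer is Beep’s server, not the visitor, so the relayed signups arrive from the same source. The following is an added example, not part of the original post, of a check ESM could run over its signup log; the log format, the addresses and the thresholds are assumptions made up for illustration.

```python
from collections import defaultdict, deque

# Constructed sample log: (unix_time, source_ip, event) as the signup service
# might record it. 203.0.113.7 stands in for the relaying server; the
# 198.51.100.x addresses are ordinary visitors signing up directly.
SAMPLE_LOG = [
    (1000, "203.0.113.7", "signup_ok"),
    (1004, "198.51.100.21", "signup_ok"),
    (1030, "203.0.113.7", "signup_ok"),
    (1075, "203.0.113.7", "signup_ok"),
    (1090, "198.51.100.44", "captcha_fail"),
    (1101, "198.51.100.44", "signup_ok"),
    (1140, "203.0.113.7", "signup_ok"),
    (5000, "198.51.100.21", "signup_ok"),
]

def flag_relay_sources(log, window_s=600, max_signups=3):
    """Return {ip: peak_count} for every source that completes more than
    max_signups successful signups inside a sliding window of window_s seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of signups still in the window
    flagged = {}
    for ts, ip, event in sorted(log):
        # The "error on the first try" is shown by the relaying site, not by us,
        # so on our side both solves appear as successes; count only those.
        if event != "signup_ok":
            continue
        window = recent[ip]
        window.append(ts)
        # Drop signups that have aged out of the window.
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) > max_signups:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged

if __name__ == "__main__":
    for ip, count in flag_relay_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} successful signups within one window")
```

A relay spread across many source addresses would stay under a per-address threshold, so this check covers only the single-server setup described above.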