Spammers Pay Others to Answer Security Tests(captchas)
Spammers Pay Others to Answer Security Tests
MUMBAI, India — Faced with stricter Internet security measures, some spammers have begun borrowing a page from corporate America’s playbook: they are outsourcing.
Related
Times Topic: Computer Security (Cybersecurity)
Sophisticated spammers are paying people in India, Bangladesh, Chinaand other developing countries to tackle the simple tests known as captchas, which ask Web users to type in a string of semiobscured characters to prove they are human beings and not spam-generating robots.
The going rate for the work ranges from 80 cents to $1.20 for each 1,000 deciphered boxes, according to online exchanges like Freelancer.com, where dozens of such projects are bid on every week.
Luis von Ahn, a computer science professor at Carnegie Mellon who was a pioneer in devising captchas, estimates that thousands of people in developing countries, primarily in Asia, are solving these puzzles for pay. Some operations appear fairly sophisticated and involve brokers and middlemen, he added.
“There are a few sites that are coordinated,” he said. “They create the awareness. Their friends tell their friends, who tell their friends.”
Sitting in front of a computer screen for hours on end deciphering convoluted characters and typing them into a box is monotonous work. And the pay is not great when compared to more traditional data-entry jobs.
Still, it appears to be attractive enough to lure young people in developing countries where even 50 cents an hour is considered a decent wage. Unskilled male farm workers earn about $2 a day in many parts of India.
Ariful Islam Shaon, a 20-year-old college student in Bangladesh, said he has a team of 30 other students who work for him filling in captchas. (The term is a loose acronym for “completely automated public Turing test to tell computers and humans apart.”)
He said the students typically work two and a half to three hours a day from their homes and make at least $6 every 15 days; they earn more the faster and the more accurate they are. It is not a lot of money, he acknowledged, but it requires little effort and can help supplement their pocket money.
Mr. Shaon, who agreed to speak to a reporter only over an Internet chat, said he gets the work on Web sites and is paid through Internet money transfer services.
He does not know the identities of the people paying him, nor does he have any interest in finding out. If he asks them, he said, “they maybe do not give me my payments.”
Another operator in Bangladesh who goes by the screen name Workcaptcha on Freelancer.com boasts on his profile page that his firm has 30 computers, up from just five a year ago. Three shifts of workers allow the operation to hum 24 hours a day, seven days a week. On the site, Workcaptcha has 197 reviews from other users, the vast majority of them positive.
It was not possible to verify the claims made by Workcaptcha and Mr. Shaon, but Mr. von Ahn said it was clear that Bangladesh had become a hub for paid captcha solving, as have China and India. The completed captchas help spammers open new online accounts to send junk e-mail and carry out other mischief.
Executives at Internet companies like Google say they do not worry a lot about people being paid to decode captchas because they are one of several tools that Web sites use to secure themselves. Some sites, for instance, might also send confirmation codes as text messages to cellphones, which then have to be entered into a separate verification page before new e-mail accounts are activated.
“It can’t be helped that paid human solvers will be able to solve captchas,” said Macduff Hughes, an engineering director at Google. “Our goal is to make mass account creation less attractive to spammers, and the fact that spammers have to pay people to solve captchas proves that the tool is working.”
Mr. von Ahn said that the cost of hiring people, even as cheap as it may appear, should limit the extent of such operations to only spammers who have figured out ways to make money. “It’s only the people who really actually are already profitable that can do this,” he said.
That view was confirmed by an executive at one south Indian outsourcing company that advertises its captcha-solving prowess on a Web site. The executive, Dileep Paveri, said his firm had stopped offering the service because it was not very profitable.
His company, SBL, which is based in Cochin, got about $200 a month in revenue for each of the 10 employees it had hired to decipher the puzzles on behalf of a Sri Lankan client.
“We found that it’s not worth doing,” said Mr. Paveri, a manager in SBL’s business process outsourcing and graphics unit. Moreover, he added, “after some time, the productivity of people comes down because it’s a monotonous job. They lose their interest.”
Comments