CAPTCHA Breach Service with Human Breaker Helping Cybercriminals Beat Security
Cybersecurity researchers warn about CAPTCHA violating services offered for sale to bypass systems designed to distinguish legitimate users from bot traffic.
“Because cybercriminals are eager to accurately solve CAPTCHAs, several services specifically aimed at the demands of this market have been created,” Trend Micro said in a report published last week.
“These CAPTCHA solving services do not use advanced machine learning (optical character recognition) techniques or methods; instead, they solve CAPTCHA by passing the CAPTCHA solving task to actual human solvers.”
CAPTCHA – short for Completely Automated Public Turing test to tell Computers and Humans Apart – is a tool to distinguish real human users from automated users with the aim of fighting spam and limiting the creation of fake accounts.
While the CAPTCHA mechanism can be a annoying user experiencethey are seen as an effective way to fight attacks from web traffic originating from bots.
Illegal CAPTCHA resolution services work by tunneling requests sent in by customers and delegating them to their human solvers, who complete the solution and send the results back to the user.
This, in turn, is achieved by calling an API to submit a CAPTCHA and requesting a second API to get the results.
“This makes it easier for CAPTCHA solving service customers to develop automated tools against online web services,” said security researcher Joey Costoya. “And since humans are actually solving CAPTCHAs, the purpose of filtering automated bot traffic through this test becomes ineffective.”
Not only that. Threat actors have been observed buying CAPTCHA cracking services and bundling them with proxyware offerings to obfuscate originating IP addresses and circumvent antibot barriers.
Zero Trust + Deception: Learn How to Outsmart Attackers!
Discover how Fraud can detect advanced threats, stop lateral moves, and improve your Zero Trust strategy. Join our insightful webinar!
Proxy devicealthough marketed as a utility for sharing a user’s unused Internet bandwidth with other parties in exchange for “passive income”, it essentially turns the device running it into a residential proxy.
In one example of a CAPTCHA solving service targeting the popular social trading marketplace Poshmark, task requests originating from bots were routed through a proxyware network.
“CAPTCHA is a common tool used to prevent spam and bot abuse, but the increasing use of CAPTCHA violating services is making CAPTCHA less effective,” says Costoya. “While online web services can block an offender’s originating IP, the advent of proxyware adoption has made this method as toothless as CAPTCHA.”
To reduce such risks, online web services are advised to supplement CAPTCHAs and IP block lists with other anti-abuse tools.
