Cybersecurity researchers are warning about CAPTCHA-breaking services that are being offered for sale to bypass systems designed to distinguish legitimate users from bot traffic.
“Because cybercriminals are keen on breaking CAPTCHAs accurately, several services that are primarily geared toward this market demand have been created,” Trend Micro said in a report published last week.
“These CAPTCHA-solving services don’t use [optical character recognition] techniques or advanced machine learning methods; instead, they break CAPTCHAs by farming out CAPTCHA-breaking tasks to actual human solvers.”
CAPTCHA – short for Completely Automated Public Turing test to tell Computers and Humans Apart – is a tool for differentiating real human users from automated users with the goal of combating spam and restricting fake account creation.
While CAPTCHA mechanisms can be a disruptive user experience, they are seen as an effective means to counter attacks from bot-originating web traffic.
The illicit CAPTCHA-solving services work by funneling requests sent by customers and delegating them to their human solvers, who work out the solution and submit the results back to the users.
This, in turn, is achieved by calling an API to submit the CAPTCHA and invoking a second API to get the results.
“This makes it easy for the customers of CAPTCHA-breaking services to develop automated tools against online web services,” security researcher Joey Costoya said. “And because actual humans are solving CAPTCHAs, the purpose of filtering out automated bot traffic through these tests are rendered ineffective.”
That’s not all. Threat actors have been observed purchasing CAPTCHA-breaking services and combining them with proxyware offerings to obscure the originating IP address and evade antibot barriers.
Proxyware, although marketed as a utility to share a user’s unused internet bandwidth with other parties in return for a “passive income,” essentially turns the devices running them into residential proxies.
In one instance of a CAPTCHA-breaking service targeting popular social commerce marketplace Poshmark, the task requests emanating from a bot are routed via a proxyware network.
“CAPTCHAs are common tools used to prevent spam and bot abuse, but the increasing use of CAPTCHA-breaking services has made CAPTCHAs less effective,” Costoya said. “While online web services can block abusers’ originating IPs, the rise of proxyware adoption renders this method as toothless as CAPTCHAs.”
To mitigate such risks, online web services are recommended to supplement CAPTCHAs and IP blocklisting with other anti-abuse tools.