Cybersecurity researchers are warning about CAPTCHA cracking services offered for sale to bypass systems designed to distinguish legitimate users from bot traffic.
“Since cybercriminals are interested in cracking CAPTCHAs with precision, several services have been created that primarily target this market demand,” Trend Micro said in a report published last week.
“These CAPTCHA solving services do not use [optical character recognition] or advanced machine learning techniques or methods; instead, they break CAPTCHAs by assigning CAPTCHA-breaking tasks to real human solvers.”
CAPTCHA – short for Completely Automated Public Turing test to tell Computers and Humans Apart – is a tool to differentiate real human users from automated users with the aim of combating spam and restricting the creation of fake accounts.
While CAPTCHA mechanisms can be a disruptive user experience, they are seen as an effective means of countering attacks from web traffic originating from bots.
Illicit CAPTCHA solving services work by funneling requests submitted by clients and delegating them to their human solvers, who work out the solution and send the results to users.
This, in turn, is accomplished by calling an API to submit the CAPTCHA and invoking a second API to retrieve the results.
“This makes it easier for customers of CAPTCHA cracking services to develop automated tools against online web services,” said security researcher Joey Costoya. “And since real humans are solving CAPTCHAs, the purpose of filtering automated bot traffic through these tests is rendered ineffective.”
That’s not all. Threat actors have been observed purchasing CAPTCHA cracking services and combining them with proxyware offerings to hide the source IP address and evade anti-bot barriers.
Proxyware, while marketed as a utility for sharing a user’s unused Internet bandwidth with other parties in exchange for “passive income,” essentially turns the devices running it into residential proxies.
In one instance of a CAPTCHA cracking service aimed at the popular social commerce marketplace Poshmark, task requests emanating from a bot are routed through a proxyware network.
“CAPTCHAs are common tools used to prevent spam and bot abuse, but the increasing use of CAPTCHA cracking services has made CAPTCHAs less effective,” Costoya said. “While online web services can block abusers’ source IPs, the increased adoption of proxyware makes this method as toothless as CAPTCHAs.”
To mitigate these risks, it is recommended that online web services supplement CAPTCHAs and IP blocklists with other anti-abuse tools.