Cybersecurity experts warn about the availability of CAPTCHA-breaking services that bypass security systems designed to differentiate between legitimate users and bot traffic.
A recent report by Trend Micro shows growing demand for services created specifically to break CAPTCHAs, as cybercriminals actively seek reliable ways to get past these security measures.
These CAPTCHA-solving services do not rely on optical character recognition or advanced machine-learning techniques. Instead, they employ real human solvers to crack the CAPTCHAs on their behalf.
CAPTCHA, short for Completely Automated Public Turing Test to Tell Computers and Humans Apart, is a tool for distinguishing real human users from automated bots. Its purpose is to combat spam and prevent the creation of fake accounts. While CAPTCHAs can sometimes inconvenience users, they are effective at filtering out bot traffic.
Illicit CAPTCHA-solving services function by receiving customer requests and outsourcing the task of solving CAPTCHAs to human solvers. These solvers work out the solution and return the results to the users.
This process involves calling one API to submit the CAPTCHA and another API to retrieve the result. Because actual humans solve the CAPTCHAs, these tests no longer filter out automated bot traffic, which lets the customers of CAPTCHA-breaking services build automated tools to exploit online web services.
Moreover, threat actors have been observed purchasing CAPTCHA-breaking services and combining them with proxyware offerings. This combination allows them to conceal their original IP addresses and evade anti-bot barriers.
Proxyware, marketed as a tool to share unused internet bandwidth for a passive income, transforms the devices using it into residential proxies.
In one instance, a CAPTCHA-breaking service targeted the popular social commerce marketplace Poshmark. The requests originating from a bot were routed through a proxyware network.
“CAPTCHAs are commonly used tools to prevent spam and bot abuse, but the increasing use of CAPTCHA-breaking services has significantly diminished their effectiveness,” explained security researcher Joey Costoya. “While online web services can block abusive IP addresses, the rise in proxyware adoption renders this method as ineffective as CAPTCHAs.”
To mitigate these risks, online web services are advised to supplement CAPTCHAs and IP blocklisting with additional anti-abuse measures.
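As an added illustration of that advice (this is example code, not from the report or the article), the following Python gate shows why an abuse check keyed on IP address alone fails once CAPTCHAs are solved by human services and requests rotate through proxyware IPs, and how keying the velocity check on a non-IP identifier still catches the burst. The device token, thresholds, blocklist and sample attempts are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample: sign-up attempts as (timestamp_s, client_ip, device_token, captcha_passed).
# The first five come from one automated client whose CAPTCHAs were solved by a human
# solver service and whose requests were routed through rotating residential proxies.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.10", "dev-A", True),
    (5, "198.51.100.7", "dev-A", True),
    (9, "192.0.2.44", "dev-A", True),
    (14, "203.0.113.88", "dev-A", True),
    (20, "198.51.100.200", "dev-A", True),
    (30, "192.0.2.9", "dev-B", True),
    (35, "203.0.113.5", "dev-C", False),
]

IP_BLOCKLIST = {"192.0.2.250"}  # constructed; none of the sample IPs appear on it


class SignupGate:
    """Layered decision: CAPTCHA result, IP blocklist, then a sliding-window velocity check.

    key_on selects what the velocity window is keyed on: "ip" (defeated by proxyware
    rotation) or "device" (a hypothetical per-client token that survives IP changes).
    """

    def __init__(self, key_on="device", window_s=60, max_per_window=3):
        self.key_on = key_on
        self.window_s = window_s
        self.max_per_window = max_per_window
        self.history = defaultdict(deque)  # key -> recent timestamps

    def decide(self, ts, ip, device_token, captcha_passed):
        if not captcha_passed:
            return "deny:captcha"
        if ip in IP_BLOCKLIST:
            return "deny:ip_blocklist"
        key = ip if self.key_on == "ip" else device_token
        q = self.history[key]
        while q and ts - q[0] > self.window_s:  # drop events outside the window
            q.popleft()
        q.append(ts)
        if len(q) > self.max_per_window:
            return "deny:velocity"
        return "allow"


def evaluate(attempts, key_on="device"):
    """Run every attempt through a fresh gate and return the list of decisions."""
    gate = SignupGate(key_on=key_on)
    return [gate.decide(*attempt) for attempt in attempts]
```

With key_on="ip" every CAPTCHA-passing attempt is allowed because each arrives from a different address; with key_on="device" the fourth and fifth attempts from the same client are denied despite the rotating IPs.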