Dan Woods, Vice President, Shape Security Intelligence Center, F5, recounted his personal experience as an infiltrator in the role of human CAPTCHA solver. These figures help hackers commit cyber attacks by solving questions designed to block bots.
In the past, when I worked in intelligence, I was often surprised by the innovation and maturity of the services that cybercrime professionals are able to develop and offer. As the person responsible for the Shape Intelligence Center, I continue to observe with interest the evolution of criminals’ activities, and I find it absolutely fascinating to experience first-hand how the tools they use against our customers work. A key service that cybercriminals use is the one that allows you to bypass CAPTCHAs. I want to tell you what I discovered when I went to “work” incognito in a click farm that solves CAPTCHAs.
Meaning of the term CAPTCHA
The term CAPTCHA is nothing more than the acronym of “Completely Automated Public Turing test to tell Computers and Humans Apart”. CAPTCHAs were first implemented in the late 1990s as a rudimentary reverse Turing test to help websites filter out growing volumes of problem bot traffic.
When first introduced nearly twenty years ago, CAPTCHAs provided a good defense against automated attacks, representing a barrier that the first few generations of bots could not easily overcome. However, bots evolved and started solving CAPTCHAs, and therefore CAPTCHAs themselves had to transform and become more and more complex and difficult for humans to solve.
Dan Woods’ experience as a human CAPTCHA solver
Although alternative techniques for bypassing CAPTCHAs more quickly and efficiently have definitely evolved in recent years, the original human click farm solution remains the most accessible and popular. A human-powered CAPTCHA-solving service revolves around real, paid people solving CAPTCHAs, and phantom “customers” buying the solutions. To see firsthand how this business works, I decided to sign up as both a CAPTCHA solver and a customer with the Russian CAPTCHA-solving company 2Captcha.
Here’s how the service works, explained by Dan Woods during his time as a human CAPTCHA solver.
1. The hacker’s bot connects to a website that presents a CAPTCHA to be solved
2. The bot captures an image of the CAPTCHA and sends it to 2Captcha via the latter’s API
3. 2Captcha forwards the image to one or more human solvers
4. 2Captcha sends the solved CAPTCHA back to the bot via the API
5. The bot submits the solved CAPTCHA to the website
6. The website incorrectly categorizes the bot as human and allows it to proceed
For reCAPTCHAs (a CAPTCHA system that allows web hosts to distinguish between human and automatic access to the site), the process for circumventing the CAPTCHA is slightly different, but still quite similar.
In many respects, CAPTCHA-solving services operate like any other company, aiming to make a profit with a business model that is often convenient for “customers” (i.e. the hackers who buy the solutions) but that leaves only thin profit margins for the people who actually solve the CAPTCHAs.
Is buying a human CAPTCHA solver legal? Woods’ answer
Wondering whether this is illegal is perfectly natural. The answer is: not quite. Solving a CAPTCHA is not like hacking a server or taking over an account. It can certainly be considered a violation of a site’s terms of service, and it can amount to complicity in a criminal act (for example, credential infiltration), but in practice it is whoever uses the CAPTCHA-solving service who is the true culprit, while the service itself can claim to be ignorant of its customers’ intentions.
2Captcha charges customers different rates depending on the type of solved CAPTCHAs they wish to purchase. 1,000 traditional CAPTCHAs, for example, cost $0.75. In comparison, 1,000 solved reCAPTCHAs cost customers $2.99, nearly four times as much as traditional CAPTCHAs.
Becoming a human CAPTCHA solver is actually one of the easiest things I’ve ever done. I created my own account by simply providing an email alias. The website has a very user-friendly and intuitive interface, with clear instructions, and, as you can see in the following images, tutorials and tips for solving CAPTCHAs.
As of April 2021, 2Captcha’s pay for solvers was $0.30 per 1,000 traditional CAPTCHAs and $1.01 per 1,000 reCAPTCHAs: both very small fractions (4% for traditional CAPTCHAs and 3.4% for reCAPTCHAs) of what hacker “customers” pay to 2Captcha. Based on these numbers, CAPTCHA solvers who work 11 hours a day non-stop – which is completely unrealistic – would earn only $1.20 a day for traditional CAPTCHAs and $2.02 for the more complex reCAPTCHAs.
Finally, it is surprising to note that these rather “murky” services are often known for providing excellent customer support, and 2Captcha is no exception. In addition to the user-friendly interface and the abundance of training on offer, 2Captcha provides users with extensive support pages and FAQs, and some solver companies even provide telephone support!
Do CAPTCHAs still make sense?
This, then, is what the work of a human CAPTCHA solver involves, unfortunately often a source of income for many people around the world. Services of this type, we repeat, are convenient and widely used by hackers. As a result, CAPTCHAs today represent only a small obstacle for motivated attackers, while introducing significant friction for legitimate users. Despite this, many companies still rely on these security solutions, often subjecting customers to a CAPTCHA test for every meaningful interaction. Cybercriminals and the parallel economies that support them are innovative and certainly do not stop in front of CAPTCHAs, which have been around for almost twenty years and no longer provide a real defensive barrier.