CAPTCHA Solving Farms | An Overlooked Cybersecurity Threat
What if every CAPTCHA you encountered were magically solved for you, saving you time and a headache? To some, captchas are just an annoying time sink; to others they are all the rage; but most of us would agree that captchas are one of the most hated things on the internet.
A captcha is a challenge-response filter that distinguishes genuine humans from bots. However, captchas are not designed to tell which specific human is behind a request; they can only tell whether it comes from a human or from an automated computer program (a bot). So some people figured that the captcha solving process could be automated by employing real humans to solve captchas. There was enough demand, both from people who had a hard time deciphering captchas and from black hat actors. At the same time, under-developed countries could provide enough supply in the form of cheap labor, and thus the captcha-solving industry was born.
What is a CAPTCHA Solving Farm?
A captcha solving farm is an automated captcha recognition service in which captchas are directed, through an API, to human workers who solve them remotely in exchange for a small income.
CAPTCHA solving farms are mostly popular in under-developed countries such as India and Bangladesh, where 50 cents per hour is considered a decent wage.
How Do CAPTCHA Solvers Work?
Popular services provide browser extensions that detect and solve captchas automatically as you encounter them while browsing the web. This is especially useful for users who are visually impaired and have difficulty solving captcha challenges. Most captcha solving providers also support API integration, which means these services can undoubtedly be used for black hat activities, but more on that later.
How Do CAPTCHA Solving Farms Operate?
Captcha solving farms can take the form of online earning platforms where workers register directly, or workers can be gathered through freelancer websites, where payments are usually made per 1000 captchas solved. There are also local groups that operate as captcha farms.
A 20-year-old student in Bangladesh told the New York Times that he has a team of 30 students who work for him filling in captchas to supplement their pocket money. Another operator stated that his firm has 30 computers and three shifts of workers, which allow the operation to run 24 hours a day.
Dark Side of CAPTCHA Solving Industry
CAPTCHA is built to protect the ecosystem of the internet from automated programs, which can cause fraud and abuse. By providing an automated captcha recognition service at scale without any regulation over the customers' identities, captcha solving farms inevitably become a tool that empowers black hat activities.
Popular captcha solving services do not shy away from advertising their compatibility and integration with many black hat SEO tools. SEO is a massive market where the success of businesses and marketing agencies is mainly determined by their content creation and link-building efforts. Some firms use automated programs to gain an edge in the SEO game: they scrape web pages (often competitors' content), publish the content on their own platforms, then use automation to submit it to other online platforms in an attempt to gain backlinks. The result is a higher SEO ranking for the fraudsters and potential damage to their competitors at the same time.
The first captcha was deployed by the search engine AltaVista to stop automated URL submissions (a type of black hat SEO) into its index.
CAPTCHA is used to prevent both web scraping and automated submission requests, yet when it is neutralized by captcha-solving farms, nothing stops black hats from getting their way. Without an effective way to distinguish automated programs from genuine humans, online polls can be manipulated, account takeover attacks and scraping of online content cannot be effectively prevented, and spam takes over online platforms.
Are CAPTCHA Solving Farms Illegal?
In short, neither captcha-solving farms nor the act of captcha solving is illegal. However, it is evident that captcha-solving farms are used for unlawful purposes by cybercriminals.
One such case is documented in a 2016 report by the New York Attorney General's office: criminals used captcha farms to give their bots access to ticketing sites. These bots were then used to collect tickets to plays, concerts, and other events, buying all the tickets within the second they became available, only to resell them for higher prices afterward.
... the Bots transmit in real-time images of the CAPTCHAs they encounter on Ticketmaster and other sites to armies of “typers,” human workers in foreign countries where labor is less expensive.
According to the report, the criminals used captcha farms to give their bots access to the ticketing sites. These bots were then used to collect tickets to plays, concerts, and other events as soon as the tickets became available, only to resell them on the black market for higher prices.
Can CAPTCHA Providers Stop Captcha Solving Farms?
Cybersecurity is a cat-and-mouse game, and security solution providers must always keep their products up to date against evolving and newly emerging threats. Captcha farms are no different: they are a threat to the security of online businesses, and captcha solutions, a necessity for cybersecurity, have to keep up with them. Advanced captcha solution providers such as GeeTest can mitigate captcha farms through environment and origin detection techniques and keep the internet safe and trusted for all of us.
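One way to picture an origin check of the kind mentioned above, as an added example (not GeeTest's implementation and not code from this article): the captcha service signs the environment in which a challenge was solved, and the site backend rejects a token redeemed from a different environment, as happens when a challenge is relayed to a remote solver. The key, the 120-second lifetime, the function names and the choice of IP, user agent and session ID as the bound attributes are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # assumption: key shared by captcha service and site backend
MAX_AGE = 120                     # assumed policy: seconds a solved token stays redeemable
_redeemed = set()                 # single-use tracking (in-memory for the demo)


def env_digest(ip, user_agent, session_id):
    """Hash the client attributes observed for a request (hypothetical attribute choice)."""
    return hashlib.sha256(f"{ip}|{user_agent}|{session_id}".encode()).hexdigest()


def issue_token(token_id, solve_env, now=None):
    """Captcha service: sign the environment in which the challenge was actually solved."""
    ts = int(time.time() if now is None else now)
    body = json.dumps({"id": token_id, "env": solve_env, "ts": ts}, sort_keys=True).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig


def verify_token(token, redeem_env, now=None):
    """Site backend: accept only a fresh, unused token solved in the redeeming environment."""
    try:
        b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64)
    except ValueError:  # wrong number of parts or invalid base64
        return False, "malformed"
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad-signature"
    claims = json.loads(body)
    now = time.time() if now is None else now
    if now - claims["ts"] > MAX_AGE:
        return False, "expired"
    if claims["id"] in _redeemed:
        return False, "replayed"
    if not hmac.compare_digest(claims["env"], redeem_env):
        return False, "environment-mismatch"  # solved somewhere other than where it is redeemed
    _redeemed.add(claims["id"])
    return True, "ok"
```

Binding to an IP address produces false positives for users on mobile networks or behind changing NAT, so in practice a mismatch is better treated as one risk signal among several than as a hard block.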