Detecting and Mitigating CAPTCHA Farms

In the ever-evolving landscape of online security, the battle between bots and defenders continues to grow. Every evolution in security technology and technique is evaluated and probed for new weaknesses. In this battle, as a defender (the security solution vendor) we need to monitor this continuously moving target to ensure the security of our customers and users.

The primary goal of a bot management solution is to stop bad bots (software applications that run automated tasks over the Internet for malicious purposes) from accessing organization resources that are meant for genuine users. In this regard, CAPTCHA is used as a challenge-response mechanism: someone who solves the CAPTCHA is identified as a human user, while failure to solve the CAPTCHA challenge identifies the source as a non-human user, and that source is denied access to the requested resources. But in this ever-evolving threat landscape, attackers have found ways to bypass CAPTCHA and gain access to websites and applications to conduct malicious activities such as content scraping, account takeover, inventory hoarding, etc. One such way to bypass CAPTCHA is through CAPTCHA Farms.

What are CAPTCHA Farms?

CAPTCHA Farms, CAPTCHA bots and CAPTCHA solving bots are terms used interchangeably to refer to the automated services used by bots to solve CAPTCHAs. These are networks of human workers solving CAPTCHAs on behalf of malicious bots. Bot developers query the CAPTCHA Farm service via an API or through a browser plugin to automate the process of solving CAPTCHAs. Notable CAPTCHA farm services include 2Captcha and DeathByCaptcha.

Let’s look at the series of steps followed by a CAPTCHA Farm assisted bot when it gets challenged with a CAPTCHA.

  1. The bot is challenged with a CAPTCHA.
  2. The bot makes an API call to the CAPTCHA Farm with the website’s CAPTCHA public key and domain name.
  3. A worker employed by the CAPTCHA Farm solves the CAPTCHA. Once the CAPTCHA is solved, the bot obtains the response token.
  4. The bot completes the challenge by submitting the response token.

So, solving a CAPTCHA with a CAPTCHA Farm service is just a function call in the bot’s code. The attackers can prove that they have solved a CAPTCHA without clicking on it, or without even using a real browser.

CAPTCHA Farms defeat the purpose of CAPTCHA

Though behind the scenes it is a human who solves the CAPTCHA, automated bots are able to bypass the CAPTCHA challenge, get access to protected resources meant for human users and carry on with their malicious activities. This defeats the assumption that whoever solves a CAPTCHA can safely be considered a human. Being able to accurately detect who is solving a CAPTCHA is therefore critical for taking the correct action.

How Radware Identifies CAPTCHA Farms/CAPTCHA Solving Bots

There is an interesting principle from the field of forensic science called “Locard’s Exchange Principle” that applies very well to cybersecurity too. The principle states: “Every contact leaves a trace. It is the investigator’s duty to find the trace evidence and reconstruct the events of the crime. It is only the failure to find it, study it and understand it that can diminish their value.” This is exactly the principle Radware applied when enhancing its Bot Management capabilities with the ability to identify CAPTCHA Farms/CAPTCHA solving bots.

Some of the key aspects of the CAPTCHA Farm detection capability are mentioned below:

By decoding the additional signals received after the CAPTCHA is solved, the Radware solution is able to identify whether the CAPTCHA was solved by an automated bot that integrates with a third-party CAPTCHA service (either through a plugin or an API integration).

In addition, based on analysis of the URLs traversed, IP reputation, etc., the Radware Bot Manager engine can invalidate a CAPTCHA solved from a source and keep that source in a continuous CAPTCHA loop, effectively mitigating the bot attack.

In addition to this, we also perform behavioural analysis, relying on mouse click coordinates, mouse movement count and click time taken to more accurately distinguish a genuine user solving the CAPTCHA from a CAPTCHA Farm service solving it.

We also track, per source, the rate of CAPTCHAs shown versus CAPTCHAs solved; an anomaly there is a strong indication that the source is not a genuine user.
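As an added illustration (this is not Radware’s code; the telemetry field names, thresholds and sample sources are assumptions), the following Python scores the signals described above for each source and decides whether to keep that source in a CAPTCHA loop:

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple

@dataclass
class CaptchaEvent:
    """One CAPTCHA challenge served to a source (field names are assumptions)."""
    source: str                 # client identifier, e.g. IP plus fingerprint
    solved: bool                # a valid response token was submitted
    solve_ms: int               # time from challenge shown to token submitted
    mouse_moves: int            # mouse movement events recorded in the widget
    click_xy: Tuple[int, int]   # coordinates of the click that submitted it

def assess_source(events: List[CaptchaEvent], min_shown: int = 20,
                  min_moves: int = 5, min_solve_ms: int = 1500) -> dict:
    """Score one source's telemetry; thresholds are illustrative assumptions."""
    shown = len(events)
    solved = [e for e in events if e.solved]
    rate = len(solved) / shown if shown else 0.0
    reasons: List[str] = []
    # Shown-vs-solved anomaly: a genuine user is rarely challenged this often
    # and almost never solves every single challenge.
    if shown >= min_shown and rate >= 0.95:
        reasons.append("solve_rate_anomaly")
    if solved:
        # Token submitted with almost no mouse activity: API/plugin integration.
        if median(e.mouse_moves for e in solved) < min_moves:
            reasons.append("no_mouse_movement")
        # Every submitting click lands on the identical pixel.
        if len(solved) >= 3 and len({e.click_xy for e in solved}) == 1:
            reasons.append("identical_click_coordinates")
        # Token arrives faster than a person could read and act on the widget.
        if median(e.solve_ms for e in solved) < min_solve_ms:
            reasons.append("instant_submit")
    # Two independent signals are required before the source is kept in a loop.
    action = "captcha_loop" if len(reasons) >= 2 else "allow"
    return {"shown": shown, "solve_rate": round(rate, 2), "reasons": reasons, "action": action}

def assess_all(events: List[CaptchaEvent]) -> Dict[str, dict]:
    """Group telemetry by source and score each source."""
    by_source: Dict[str, List[CaptchaEvent]] = {}
    for e in events:
        by_source.setdefault(e.source, []).append(e)
    return {src: assess_source(evs) for src, evs in by_source.items()}

def sample_events() -> List[CaptchaEvent]:
    """Constructed telemetry: one human visitor and one farm-assisted bot."""
    human = [CaptchaEvent("203.0.113.7", True, 6200, 48, (312, 418)),
             CaptchaEvent("203.0.113.7", False, 9100, 63, (305, 422)),
             CaptchaEvent("203.0.113.7", True, 5400, 37, (318, 415))]
    bot = [CaptchaEvent("198.51.100.9", True, 2800, 0, (0, 0)) for _ in range(25)]
    return human + bot
```

Running `assess_all(sample_events())` flags the second source on three signals and keeps it in the CAPTCHA loop, while the human visitor (challenged three times, two solves, varied clicks) is allowed through.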

Looking Ahead

When a bot solving CAPTCHAs is found trying to access your organization’s resources, it is punished by being kept in a CAPTCHA loop; this way bots are stopped from accessing your organizational resources.

With the increasing prevalence of third-party CAPTCHA services, sophisticated bots are now taking advantage of these services to solve CAPTCHAs and continue with their malicious activities. The need to accurately detect these CAPTCHA Farms is more critical now than ever before. The Radware Bot Manager solution, with its advanced behavioural detection engine, continues to be at the forefront of countering the CAPTCHA Farm services used by automated bots.

Netravati Hegadi

Netravati is a product manager at Radware, driving efforts to enhance Radware Bot Manager and elevate the user experience. She has over 14 years of high-tech security solutions experience working in a variety of roles that supported a number of enterprise products, including several for RSA and McAfee. Netravati has strong technical skills and years of successful security experience. Her ability to gain a deep understanding of product functions helps her comprehensively and successfully drive key product management functions.
