How Scammers Use Bots to Bypass CAPTCHA

[Man]

CAPTCHA is a basic security test used by website owners to block bot intrusions. It was invented in the early 2000s, improved, and helped protect advertisers' resources from generating fake traffic and leads.

However, the age of captcha is coming to an end, as according to the latest research by cybersecurity experts, half of all tests passed belong to bots, not real users. This means that attackers who control bots can do anything from spamming comments and filling out forms on websites to abusing the services offered by advertisers and buying up goods.

So now is the time to understand how captcha works and how bots can bypass them so easily.

Contents
1. What is CAPTCHA?
2. Types of CAPTCHA
2.1. Text
2.2. With image
2.3. Audio
2.4. Google reCAPTCHA
3. How attackers bypass CAPTCHA
3.1. Artificial Intelligence (AI)
3.2. Click farms
3.3. Breaking CAPTCHA
3.4 CAPTCHA Solving Service
3.5. Security Errors
3.6 Why Google reCAPTCHA is harder to bypass
4. What happens when scammers bypass CAPTCHA
4.1 Increase in spam
4.2. Incorrect analytics data
4.3. Unsafe purchase verification
4.4. Resource performance degradation
5. How to protect your website from bots
5.1 Add reCAPTCHA to your website

What is CAPTCHA?​

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is an acronym that stands for "Completely Automated Public Turing test to tell computers and humans apart . " The CAPTCHA test allows users to access the site, but does not allow bots to pass, as it consists of cognitive-visual tasks and puzzles that only humans can solve.

Captcha shows users images that are unreadable by bots. As for the characters — letters and/or numbers — they are usually deformed, blurred, can have different fonts and cases, and are a set of letters in any order, so only real users can interpret them correctly. Images can be puzzles, brain teasers, consist of a question in the form of picture answers, etc.

Users who visit a site with CAPTCHA must enter what they see in the image in the answer field. The correct answer allows them to proceed further — to the resource content.

Simple, unmodified bots will not be able to pass such a test - they simply will not distinguish what is depicted in the picture. However, attackers are developing automated scripts so that they can distinguish text in an image. In fact, they add functionality similar to services for converting texts from PDF to text format.

That is why experts have developed new, more complex versions of captcha to improve the security of websites. These include, for example, Google reCAPTCHA.

Types of CAPTCHA​

CAPTCHA can be text, image or sound. It is likely that many users have encountered all three types at least once in their lives.

Text​

This is the most common type of captcha. The user must read the text shown and enter it into the answer field (or enter only the required part). Tests can be a full word or phrase, or a simple set of letters and numbers.

If a user cannot pass a text CAPTCHA, they may be asked to pass a verification method, such as an image.

With image​

Real users may have difficulties with passing this type of captcha. Surely, you have come across a set of images where you need to select everything with an image of a traffic light. And this traffic light was on two adjacent images at once. A person will immediately have a question: "choose only the image where the main part of the traffic light is or two images at once?"

Luckily, the CAPTCHA can be updated to give you a different picture to solve, where you have to choose buses or boats... which may not even be shown in the given test.

Audio​

Audio captchas require users to listen to a short recording and type in the word they heard. These tests are effective because bots cannot use speech recognition. They also typically include additional noise to make the test harder to pass.

Google reCAPTCHA​

Google reCAPTCHA is a more advanced version of bot checking. Instead of generating a random test, it analyzes the user's behavior pattern (mouse movements) and decides which test to show.

If the system decides that the user is not a bot, he will be asked to simply check the box next to the option "I am not a robot". Otherwise, he will have to pass a more complex test, for example, to mark all the pictures that depict boats, pedestrian crossings, etc.

How Attackers Bypass CAPTCHA​

Fraudsters regularly develop and implement strategies to pass CAPTCHA. Here are some of them.

Artificial Intelligence (AI)​

In his book Deep Learning in Computer Vision with Python, Adrian Rosebrock shows a strategy for bypassing the CAPTCHA on the E-ZPass website. Since he didn’t have access to the source code for the software, the approach involved loading hundreds of example images to train the system, then running the learned and learned data through an AI.

Open-source CAPTCHAs are theoretically easier to crack. Cybercriminals can use the source code to train their scripts and bypass tests, no matter how complex. Anyone can pass the exam if they have all the answers to all possible questions in front of them.

Click farms​

Click farms aren't much more functional than AI, but they still get the job done. They use low-paid human labor to solve captchas from multiple devices they control instead of bots. While CAPTCHAs can stump a bot, humans will solve them without difficulty and in no time.

There are also cyborg bots, which are partially controlled by humans to perform complex processes such as entering captchas. Cyborgs are often based on click farms or bot farms.

CAPTCHA Breaking​

Some attackers use technology to read the page's source code for CAPTCHA solutions (if it's text) or to look for an answer that is being reused.

Other strategies to bypass captcha include:

• Using OCR (Optical Character Recognition) technology to read characters on the screen.
• Check the number of images used and solve them using MD5 (hashing algorithm).
• Sending an empty parameter. What if it works?

Any means and technologies are used.

CAPTCHA Solving Service​

Attackers can also use special CAPTCHA solving services. Their providers can use all the approaches we have listed above: from AI to click farms and even simple API tools. Such services can be installed as browser extensions for automatic work with captcha.

Security Errors​

In 2018, cybersecurity expert Andres Riancho discovered a vulnerability in Google's reCAPTCHA. The gist of it was that apps using the test created and sent a request with a security breach, creating a vulnerability that allowed attackers to bypass reCAPTCHA.

Google has now fixed the bug. However, this is a clear example of how attackers can exploit vulnerabilities to bypass captcha on websites.

Why Google reCAPTCHA is Harder to Bypass​

What's interesting is that reCAPTCHA analyzes user behavior and adapts challenges as needed. For example, most bots will never pass the "I'm not a robot" test because they don't interact with web pages the same way humans do.

Even when robots encounter a simple checkbox, it's not easy to get past. Otherwise, bots could capture images on the screen, apply text recognition technology, and figure out where to click.

reCAPTCHA tests also analyze the mouse movement pattern when clicked. These movements are unpredictable and jerky. If CAPTCHA detects this behavior, it lets the user through. The robot's cursor movements will be smoother and more uniform.

What Happens When Scammers Bypass CAPTCHA​

Any cybercriminal can bypass a captcha by simply filling it out like any other user. But the danger increases when they can do it with an army of bots. This means that the attacker can create a targeted, large-scale attack on the server, overloading resources.

Increase in spam​

Without effective CAPTCHA protection, you can expect an influx of spam in the comments with a bunch of links to malicious services and fraudulent sites. If your resource does not moderate comments or they can be published without passing the captcha, then there is a high probability of a spam attack.

Incorrect analytics data​

Bots distort website traffic and spoil all statistics on transitions and user behavior on the website. If attackers find a way to bypass CAPTCHA, then a surge in traffic with zero conversions will be noticeable. It is likely that the number of abandoned carts on online store websites will increase.

Unsafe purchase verification​

If you have an online store, bypassing CAPTCHA means that fraudsters will be able to gain access to user accounts, confidential resource data (for example, a database), and even make purchases using stolen bank cards (carding).

Resource performance degradation​

If an attacker has access to a site, bots will bombard it with traffic, sending many connection requests and taking up limited resources. This means that real users will either not be able to access the site at all or the connection time will be significantly increased. Such attacks can cause damage to a business.

Statistics show that 53% of people will go to a competitor if your site takes longer than 3 seconds to load.

How to protect your website from bots​

Add reCAPTCHA to your website​

The reCAPTCHA test is much harder to bypass than a simple captcha, so it is recommended to add it to your site. It is free for the first million checks per month, it is easy to install and all you need to do is connect your site to it via API. More detailed information is available on the website.