www.trendmicro.com
104.102.42.47
Public Scan
URL:
https://www.trendmicro.com/en_us/research/23/e/abusing-web-services-using-automated-captcha-breaking-services-and-residenti...
Submission: On May 26 via api from TR — Scanned from DE
Form analysis
1 forms found in the DOM
<form class="main-menu-search" aria-label="Search Trend Micro" data-equally-id="equally_ai___IBzgv">
<div class="main-menu-search__field-wrapper" id="cludo-search-form">
<table class="gsc-search-box">
<tbody>
<tr>
<td class="gsc-input">
<input type="text" class="gsc-input-field" name="search" title="search" placeholder="Search" aria-label="search">
</td>
</tr>
</tbody>
</table>
</div>
</form>
Text Content
ABUSING WEB SERVICES USING AUTOMATED CAPTCHA-BREAKING SERVICES AND RESIDENTIAL PROXIES

This blog entry features three case studies that show how malicious actors evade the antispam, antibot, and antiabuse measures of online web services via residential proxies and CAPTCHA-breaking services.

By: Joey Costoya
May 25, 2023
Read time: 6 min (1643 words)

With contributions from Philippe Lin, Fyodor Yarochkin, Matsukawa Bakuei, and Ryan Flores

Nowadays, it is imperative for online services to determine if web traffic comes from humans or automated bots. Doing so enables operators to filter out spam, unauthorized web crawling, large numbers of fake account registrations, comments and reviews, and most of all, attacks from bot-originating web traffic.

The foremost tool used to filter out bots is the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA). CAPTCHA is a type of challenge-response test, which, in theory, only humans can pass. Common CAPTCHA tests consist of squiggly numbers and letters with textured backgrounds that users would need to identify and type in a text box.
Nowadays, more advanced CAPTCHA challenges involve identifying specific objects, such as traffic lights or cars, in square images.

Simple CAPTCHAs, such as those that involve numbers and letters, can sometimes be defeated by Optical Character Recognition (OCR) techniques, while more challenging CAPTCHAs, such as those with twisted characters, can be defeated by automated solvers that are boosted by machine learning (ML). These CAPTCHA-defeating tactics have given rise to the development of more advanced CAPTCHA challenges, including identifying certain objects in a grid or rotating an object to its correct position.

But online service operators face a slew of different challenges when automated web traffic defeats CAPTCHAs not by using bots, but by using human CAPTCHA solvers.

THE RISE OF CAPTCHA-BREAKING SERVICES

Because cybercriminals are keen on breaking CAPTCHAs accurately, several services that are primarily geared toward this market demand have been created. These CAPTCHA-solving services don’t use OCR techniques or advanced machine learning methods; instead, they break CAPTCHAs by farming out CAPTCHA-breaking tasks to actual human solvers.

The CAPTCHA-solving service follows this straightforward workflow:

1. The customer of the CAPTCHA-breaking service encounters a CAPTCHA.
2. The customer submits the CAPTCHA to the CAPTCHA-breaking service.
3. The CAPTCHA-breaking service farms out tasks to one of their human solvers.
4. The human solver works out the CAPTCHA and submits the solution to the customer.
5. The customer receives the CAPTCHA solution.

For customers of CAPTCHA-breaking services, this workflow is accessible via simple API calls. Customers don’t have to deal with the complexities of farming out CAPTCHA-breaking tasks to human solvers themselves. They would simply call an API to submit the CAPTCHA and call another API to get the solution to the CAPTCHA.
https://captcha-solving-service.com/in.php?key=APIKEY&method=userrecaptcha&googlekey=6Le_xxxxxx__mJ&pageurl=https://target.domain/homepage.html
OK|01234567890
OK|CAPTCHA_SOLUTION_HASHES

This makes it easy for the customers of CAPTCHA-breaking services to develop automated tools against online web services. And because actual humans are solving CAPTCHAs, the purpose of these tests, filtering out automated bot traffic, is rendered ineffective.

However, online web services do not solely rely on CAPTCHAs to guard against automated bot traffic. They can employ other means, such as IP address blacklisting. Bot operators have several options to evade IP address blacklists, and using proxyware is a popular option.

OBFUSCATING ORIGINATING IP USING PROXYWARE

Proxyware are potentially risky applications that are distributed as free software tools. However, these applications covertly turn a user's computer into a proxy node. These proxy nodes would then become a network of geographically distributed proxy nodes. Because these proxy nodes (which are on users' computers that connect to the internet using residential broadband services) can route potentially illegal web traffic, proxyware can expose users to risks and cyberthreats.

Operators of these networks of globally distributed proxy nodes oftentimes sell their proxy service to the public as residential proxies. We have observed some threat actors purchasing these proxy services and coupling them with CAPTCHA-breaking services to evade antispam, antibot, and antiabuse measures deployed by various online web services. We highlight some notable examples, some of which were heavily targeted by CAPTCHA-breaking services as seen in Figure 1, in three case studies.

Figure 1. Top 20 websites that were targeted by CAPTCHA-breaking services from January to August 2022 based on our telemetry

Case study 1: Poshmark

Poshmark is a popular social commerce marketplace where users can buy and sell various fashion, home, and electronics items. It integrates the use of social media to promote social interaction with users, eventually driving users to buy from the platform. Sellers who are proficient in promoting their Poshmark stores can expect to earn good money, which can range from a few hundred dollars to more than US$1,000 per month.

Poshmark sellers, also known as “Poshers,” can use a plethora of tools to promote their storefronts to prospective shoppers. These tools automate a lot of promotional tasks in Poshmark, such as sharing storefronts, sharing listings, and reciprocating shares and follows. Notably, these automated bot activities trigger Poshmark's antiabuse safeguards, which result in CAPTCHAs being presented.

One of the most notable features of these Poshmark bots is, of course, solving CAPTCHAs. These bots need to have CAPTCHA-breaking capabilities built in; otherwise, their automated Poshmark promotional tasks would be quite limited. There are even websites that review the capabilities of the various Poshmark bots and rank them according to their feature sets.

Our observations show that there are numerous CAPTCHA-solving task requests to a known CAPTCHA-breaking service that are targeting CAPTCHAs from Poshmark's website. From the data we’ve gathered, these CAPTCHA-solving requests originated from a known Poshmark bot. What is more interesting is that these CAPTCHA-solving requests are routed via a proxyware network. In addition to breaking CAPTCHAs via automation, Poshmark bot operators also use proxyware utilities to further obfuscate their originating IPs, an additional step to help them evade antispam measures.

In this case, the abusers used “Poshmark Pro Tools,” an advertisement tool that Poshmark blocks.
For a certain fee, this tool can be used to promote clothes, shoes, or accessories in users’ Poshmark timelines and increase the likelihood of Poshers bidding on them. To block such automated promotion tools, Poshmark uses reCAPTCHA to ensure that people, and not bots, are promoting their items. Poshmark Pro Tools uses the 2Captcha CAPTCHA-solving service to break reCAPTCHA and mask bot activity.

Figure 2. A CAPTCHA-solving service advertises Poshmark Pro Tools

Case study 2: Murakami.Flowers NFT

Murakami.Flowers is a set of non-fungible tokens (NFTs) issued by a popular artist named Takashi Murakami. This NFT sale, which happened in April 2022 to preregistered users, was unique because of the popularity of the artist, and the relative rarity of the NFT collection.

To make it as fair as possible for prospective buyers to purchase Murakami.Flowers NFTs, the organizers established the following guidelines:

1. NFT collectors must register their email address on the Murakami.Flowers website.
2. After registration, the NFT collectors will each get an email which contains a link to a website where they can register their wallets and usernames.
3. This wallet and username registration will now serve as the NFT collector's raffle entry into a lottery that aims to give all NFT collectors a fair chance to mint or buy Murakami.Flowers NFTs. After the NFT's public mint, the NFTs will also become available to the secondary market.

Even before the lottery began, we observed numerous CAPTCHA-breaking activities (which can be seen as red numbers on Figure 3), which primarily targeted the Murakami.Flowers email registration site. Moreover, like in Poshmark's case, these CAPTCHA-breaking activities were observed to have used the same CAPTCHA-breaking service. And like in Poshmark's case, these CAPTCHA-breaking activities were also observed to have used proxyware utilities to mask the perpetrators’ originating IP addresses.
It should be noted that we were not able to identify the abusers of Murakami.Flowers. However, we believe that the abusers wanted to register and participate in the lucky draw to become eligible to purchase the NFTs at a lower price (0.108 Ethereum). It’s possible that the abusers were looking into reselling the NFTs, which have previously sold up to 5 Ethereum, to make as much as 50 times more profit.

Figure 3. Murakami.Flowers seed price chart. Red numbers indicate the number of 2Captcha-using registrations that we have observed via the Trend Micro™ Smart Protection Network™ (SPN).

Case study 3: Maximizing earnings from crypto faucets

Crypto faucets are apps or websites that give small cryptocurrency rewards in exchange for completing simple tasks. These can be simple, straightforward tasks, such as reading articles, watching videos, watching ads, playing games, or completing quizzes. It should be noted, though, that these tasks can be risky at times, especially when users are asked to select links and ads, or even solve CAPTCHAs.

To maximize the amount of profit earned from crypto faucets, some actors attempt to automate the completion of crypto faucet-related tasks by using bots that are available in the market. However, crypto faucet websites typically implement antispam measures to curtail bot-like behavior, such as integrating CAPTCHA challenges on their websites. This is where CAPTCHA-breaking services come in.

We have observed CAPTCHA-breaking activities that target CAPTCHAs in known crypto faucet websites. The observed CAPTCHA-breaking web traffic primarily targets login pages, where most CAPTCHA challenges typically reside. Moreover, the observed web traffic suggests the use of bots, due to the frequency and characteristics of the web traffic.

CONCLUSION

CAPTCHAs are common tools used to prevent spam and bot abuse, but the increasing use of CAPTCHA-breaking services has made CAPTCHAs less effective.
While online web services can block abusers' originating IPs, the rise of proxyware adoption renders this method as toothless as CAPTCHAs.

It is therefore imperative for online web services to use other antiabuse tools in addition to using CAPTCHAs and blocking originating IPs. Though these tools are still working as designed, cybercriminals can easily purchase paid services that are specifically made to beat CAPTCHAs. As these services become more affordable over time, it becomes more worthwhile for malicious actors to abuse them.

It is time to supplement CAPTCHAs and IP blocking with more robust security measures. We will provide detailed information about the specific security measures in an upcoming report.

Tags: Web | Research | Articles, News, Reports | Cyber Threats

AUTHORS
Joey Costoya, Senior Researcher

Copyright ©2023 Trend Micro Incorporated. All rights reserved