Threat-Actor Interest in Bypassing CAPTCHA

Flashpoint analysts have observed ongoing discussion of bypassing Completely Automated Public Turing test to tell Computers and Humans Apart—more commonly known as CAPTCHA—among threat actors on English-language Deep & Dark Web (DDW) communities.

CAPTCHA is intended to stop automated spam online by requiring users to verify text and/or imagery that is only recognizable to humans. Among the popular uses of CAPTCHAs are minimizing the efficacy of bots in implementing distributed denial-of-service (DDoS) attacks, creating email accounts, and/or purchasing event tickets. As such, threat actors who wish to automate these activities or other malicious operations have a vested interest in bypassing CAPTCHA.

Recent CAPTCHA-Bypass Chatter on the DDW

Flashpoint analysts recently discovered a threat-actor discussion of CAPTCHA bypass on an entry-level, English-language, black-hat search engine optimization (SEO) forum. One threat actor posed the question of how to bypass CAPTCHA using Python and Selenium scripts, and members responded with varying advice and suggested tactics. Common recommendations shared among threat actors included the use of various open-source and legitimate CAPTCHA bypass services, most of which are designed to aid individuals who are visually impaired or have dyslexia.

However, analysts also observed two illicit tools advertised as being capable of bypassing CAPTCHA for sale on DDW marketplaces. The first tool appears to be a stolen copy of a social-media marketing software that automates adding friends, while the second is a type of SEO software frequently abused by threat actors in order to spam internet forums and comments sections. The second tool claims to be able to “decode” more than 400 types of CAPTCHA in its default form, and can purportedly decode even more types with the use of a separately sold plugin. Flashpoint analysts have not confirmed the advertised functionalities of either tool.

The frequency of threat-actor discussions of bypassing CAPTCHA has been relatively consistent since July 2017, with the exception of a brief spike in January 2018, which does not appear to have been prompted by any particular post or activity.

Assessment

Since CAPTCHA is a vital tool for defenders’ efforts to deter automated web scraping, DDoS attacks, and other threats, bypassing CAPTCHA continues to spark dialogue and debate within the DDW. Given the current levels of interest in bypassing CAPTCHA, Flashpoint analysts believe that threat actors will continue to seek methods of defeating the program. Organizations that leverage CAPTCHA to defend their websites and networks from automated activity should be aware of threat actors’ ongoing efforts to bypass this test, and if these efforts prove to be successful adapt their security tactics accordingly.