CAPTCHA Automation/Farm-Threat to Web/Mobile App Security Solution Provider

What are “CAPTCHA Farm” Services?

CAPTCHA Farm services refer to companies or platforms that provide solutions for automating or outsourcing CAPTCHA-solving tasks. CAPTCHA, which stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart, is a security measure used on websites and online services to verify that a user is a human, not a bot.

CAPTCHAs typically present users with a challenge or puzzle that is easy for humans to solve but difficult for automated bots. This could involve identifying distorted letters or numbers, selecting specific images, or solving simple math problems. The purpose of CAPTCHAs is to prevent automated bots from accessing or spamming websites.

However, some individuals or organizations may require large quantities of CAPTCHAs to be solved quickly and efficiently, which can be time-consuming and resource-intensive if done manually. CAPTCHA Farm services aim to address this need by offering automated systems or a large workforce of human workers to solve CAPTCHAs in bulk.

These services may employ various methods to solve CAPTCHAs, including advanced image recognition algorithms, machine learning techniques, or crowdsourcing through a distributed network of human workers. The CAPTCHA Farm service typically provides an API or interface that developers can integrate into their applications or scripts to access the CAPTCHA-solving capabilities.

It's worth noting that while CAPTCHA Farm services can be helpful for legitimate purposes, they can also be exploited by malicious actors. Bots and spammers may employ such services to bypass CAPTCHAs and carry out activities like creating fake accounts, submitting spam, or performing automated attacks. Therefore, website owners and service providers need to balance the convenience of CAPTCHA Farm services against the risks to their security and user experience.

How to use “CAPTCHA Farm” as a service?

There are multiple paid and open-source farm solutions available on the market, and among them 2captcha and captcha.io consistently stand out because of the nature of the service and the quality of their CAPTCHA-solving results. The diagram below represents how a farm service works in general.

Captcha Farm Service Flow

A great article to read, published by Forbes back in 2022: “You Didn’t Know Bots Solve Captchas, And Do Pharming With Humans”.

What are the ways to use “CAPTCHA Farm” Services?

Browser Plugin

1. Add the extension to Chrome.

2. Sign up at https://2captcha.com.

3. Deposit funds to the balance.

4. Add an account key to the extension.

Captcha Farm Service - Browser Plugin

API

  1. Sign up and get an API key from your account settings page; it is a unique authentication token for each user. It's a 32-character string that looks like this: 1abc234de56fab7c89012d34e56fa7b8. This key is used for all requests to the 2captcha server.
  2. Submit an HTTP POST request to the 2captcha API URL https://2captcha.com/in.php with the parameters corresponding to the type of your captcha. The server will return a captcha ID, or an error code if something went wrong.
  3. Wait before polling: 20 seconds for reCAPTCHA, 5 seconds for other types of captcha.
  4. Submit an HTTP GET request to the API URL https://2captcha.com/res.php to get the result.

If the captcha is already solved, the server will return the answer in the format corresponding to the type of your captcha.

By default, answers are returned as plain text like OK|Your answer, but the answer can also be returned as JSON, {"status":1,"request":"TEXT"}, if the JSON parameter is used.

If the captcha still needs to be solved, the server will return the CAPCHA_NOT_READY result. Repeat your request in 5 seconds.

If something goes wrong the server will return an error code.

“CAPTCHA Farm” Vendors in the Market

Captcha Farm Service Provider

“CAPTCHA Farm” Analysis

During our analysis of CAPTCHA request samples, we came across an intriguing observation. The following points outline our findings:

  1. Time Taken to Solve CAPTCHAs - One of the primary elements under scrutiny is the time taken to solve the CAPTCHA. A prevalent trend is that CAPTCHA farms and automated scripts solve CAPTCHAs approximately 30-50% faster than regular users. Interestingly, simpler CAPTCHAs are often solved at an even faster pace, while more intricate ones require additional time. This discrepancy in solving time becomes even more pronounced when compared with genuine users.
  2. Comparison between CAPTCHAs Served and CAPTCHAs Submitted - This situation arises when the CAPTCHA is served directly rather than being routed through a legitimate browser. To detect this, the system must monitor each instance where the CAPTCHA is displayed and verify whether the code responsible for rendering the CAPTCHA is also loaded. If the code is absent but the CAPTCHA is still successfully solved, the system should promptly notify the engine. This notification enables the engine to make an informed decision regarding the nature of the visitor – whether human or bot.
  3. Trend Analysis of Successfully Solved CAPTCHAs - Another interesting observation arises during substantial bot attacks that are subsequently blocked by the solution provider. Following a cooldown phase, a sudden surge in CAPTCHA solvers becomes apparent, which provides valuable insight for the analysis of CAPTCHA data. Notably, incoming requests are identified as originating from sources without proper browsers or from the same DCH. A fresh wave of requests emerges, characterized by malicious behaviour and attempted CAPTCHA submissions.
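The three heuristics above expressed as a small offline check, added here as an example and not taken from the article: it correlates served and submitted events from a constructed sample log (the field layout, the 0.7 speed ratio and the ASN list standing in for a DCH reputation feed are assumptions).

```python
import statistics
from collections import defaultdict

# Constructed sample event log (not from the article). One event per line:
#   ts_ms  event  session  asn  renderer_loaded (1/0 on served rows, "-" on submit rows)
SAMPLE_LOG = """\
1000  served s1 AS7018  1
6400  submit s1 AS7018  -
2000  served s2 AS7018  1
9100  submit s2 AS7018  -
3000  served s3 AS16509 0
3900  submit s3 AS16509 -
3100  served s4 AS16509 0
3800  submit s4 AS16509 -
5000  served s5 AS3320  1
12200 submit s5 AS3320  -
"""

def parse(log):
    """Split the log into served{session: (ts, asn, rendered)} and submitted{session: ts}."""
    served, submitted = {}, {}
    for line in log.strip().splitlines():
        ts, event, session, asn, rendered = line.split()
        if event == "served":
            served[session] = (int(ts), asn, rendered == "1")
        elif event == "submit":
            submitted[session] = int(ts)
    return served, submitted

def analyse(log, fast_ratio=0.7, dch_asns=frozenset({"AS16509"})):
    """Return {session: [reasons]} for sessions hit by the article's three heuristics.
    Assumptions: 0.7 means 30% faster than the median of browser-rendered (genuine)
    solves; dch_asns stands in for a data-centre hosting (DCH) reputation feed."""
    served, submitted = parse(log)
    solve_ms = {s: submitted[s] - served[s][0] for s in submitted if s in served}
    # Baseline from sessions whose rendering code actually loaded in a browser
    baseline = [ms for s, ms in solve_ms.items() if served[s][2]]
    median = statistics.median(baseline) if baseline else 0
    findings = defaultdict(list)
    for s, ms in solve_ms.items():
        _, asn, rendered = served[s]
        if median and ms < median * fast_ratio:   # 1. solved far faster than humans
            findings[s].append("fast_solve")
        if not rendered:                          # 2. submitted but never rendered
            findings[s].append("no_renderer")
        if asn in dch_asns:                       # 3. request came from a DCH source
            findings[s].append("dch_source")
    return dict(findings)
```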

How to use “CAPTCHA Farm” as a service?

Steps to utilize a CAPTCHA farm

Install the available package from the GitHub link here.

=> Now configure it using the two steps below

  • TwoCaptcha instance creation

// Minimal setup: only the API key, all other options at the library defaults
require __DIR__ . '/vendor/autoload.php'; // Composer autoloader for the installed package
$solver = new \TwoCaptcha\TwoCaptcha('YOUR_API_KEY');

  • Advanced configuration

// The constructor also accepts an options array instead of a bare key
$solver = new \TwoCaptcha\TwoCaptcha([
    'server'           => 'https://rucaptcha.com',
    'apiKey'           => 'YOUR_API_KEY',
    'softId'           => 123,
    'callback'         => 'https://your.site/result-receiver',
    'defaultTimeout'   => 120,
    'recaptchaTimeout' => 600,
    'pollingInterval'  => 10,
]);

=> Solving reCAPTCHA v3

$result = $solver->recaptcha([
    'sitekey' => '6Le-wvkSVVABCPBMRTvw0Q4Muexq1bi0DJwx_mJ-',
    'url'     => 'https://mysite.com/page/with/recaptcha',
    'version' => 'v3',
]);

=> Error handling

try {
    $result = $solver->text('If tomorrow is Saturday, what day is today?');
} catch (\TwoCaptcha\Exception\ValidationException $e) {
    // invalid parameters passed
} catch (\TwoCaptcha\Exception\NetworkException $e) {
    // network error occurred
} catch (\TwoCaptcha\Exception\ApiException $e) {
    // API responded with an error
} catch (\TwoCaptcha\Exception\TimeoutException $e) {
    // captcha not solved within the timeout
}

Possible Ways to defeat CAPTCHA Solver/Farm

Fixing CAPTCHA design flaws - During the analysis it was also noticed that there are a few design flaws in the CAPTCHA ecosystem, from rendering through to farm submission.

  1. Fixing the timestamp mismatch between the CAPTCHA issuance and the timestamp captured from the client browser
  2. Fixing the checkbox problem (when an attempt is made by a CAPTCHA solver) and the success call of the submission
  3. Identifying new div insertion in the CAPTCHA while a solver plugin is in use

Building in-house - Having an in-house CAPTCHA is a costly operation, but in the long term it provides the advantages below.

  1. Farm Proof Solution
  2. Risk assessment and Fraud score allocation
  3. Flexible Response
  4. Improve Internal BotM Module
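Fixes 1 and 2 from the design-flaw list above, as an added Python example (not the article's or any vendor's code): the server signs a challenge token when the CAPTCHA is rendered and, on submission, checks the solve window, the client-captured timestamp against its own clock, and that "rendered" and "checkbox" beacons were recorded for that same token; the secret, the limits and the beacon names are assumptions.

```python
import base64, hashlib, hmac, json, secrets

# Assumption: in production this comes from a secret store, not a literal.
SECRET = b"placeholder-server-side-secret"

def issue_challenge(session_id, now_ms):
    """Server mints a signed challenge token when the CAPTCHA is rendered.
    It binds the session and the server-side issuance time (iat)."""
    claims = {"sid": session_id, "iat": now_ms, "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def open_token(token):
    """Return the claims if the HMAC verifies, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def verify_submission(token, client_ts_ms, now_ms, seen_events,
                      min_ms=1500, max_ms=120_000, skew_ms=5000):
    """seen_events: set of (token, event) pairs recorded by the widget's
    'rendered' and 'checkbox' beacons. Returns (accepted, reason).
    The window and skew limits are assumptions for illustration."""
    claims = open_token(token)
    if claims is None:
        return False, "bad_signature"
    elapsed = now_ms - claims["iat"]
    if elapsed < min_ms:                     # solved faster than a human could
        return False, "too_fast"
    if elapsed > max_ms:                     # stale challenge
        return False, "expired"
    # Fix 1: the client-captured timestamp must agree with the server clock
    if abs(client_ts_ms - now_ms) > skew_ms:
        return False, "client_clock_mismatch"
    # Fix 2: the checkbox must have been rendered and clicked for this very
    # token before the success call is honoured
    if (token, "rendered") not in seen_events or (token, "checkbox") not in seen_events:
        return False, "no_interaction"
    return True, "ok"
```

The nonce in the token is meant for a one-time-use store so a solved token cannot be replayed; that store is not part of this example.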

Analyst Verdict


As the realm of web and mobile app security solutions expands, bots are concurrently evolving to cleverly circumvent and navigate the challenges presented by vendors. As we observe this ongoing battle, it becomes abundantly clear that continuous learning is imperative in this field. With each passing day, as this sector matures, the necessity for ongoing education becomes all the more evident.

Md Zaid Imam

Leading Product @AppSealing | Ex-Radware | Cyber Security
