CAPTCHA FARMS

CAPTCHA Farms: What are they and how can they be stopped?


CAPTCHA Farms are best defined as the mass use of human labor pools to solve challenges such as CAPTCHAs and other online puzzles designed to determine whether a user is a human or a bot.

HOW CAPTCHA FARMS OPERATE

The CAPTCHA farm operators often partner with Bots as a Service (BaaS) providers and others on the dark web to offer a guaranteed way of always solving CAPTCHA, packaged up via an API queue. Remote labor forces, often in the Philippines and other countries with a large low-cost labor supply, sit and solve CAPTCHAs all day long. Each human is paid a very small fee for solving the CAPTCHAs. Often the CAPTCHA farms are packaged with mobile and residential proxy services, other Bots as a Service (BaaS) commercial packages, or open source bot scripting tools. This allows the bots to launch extremely large bot attacks while guaranteeing to pass CAPTCHA. This is a particular concern for new fake account creation scams and fraud.

The CAPTCHA farms operate as an API service, accepting inbound CAPTCHA requests from all the various clients, and then relaying the CAPTCHA challenges to their human workforce who are logged in and paid per challenge event. Fraudsters simply purchase the services from the provider, typically priced by the thousand.

Since they use humans, they will solve all types of CAPTCHA, including the latest animation, puzzle and alignment CAPTCHAs that are typically harder for machines to perform. That's why CAPTCHA can't be used to distinguish bots from humans.

The Use of AI to Solve CAPTCHA

While CAPTCHA Farms are mostly human, VerifiedVisitors started to see AI-based CAPTCHA solving over 5 years ago, and the use of AI CAPTCHA farms has just increased exponentially.

It’s not commonly understood that the originating purchase of CAPTCHA was not to keep the humans in slavery and misery, but to supply labeled data to the Machine Learning models. This constant supply of data effectively trains the models to recognise, for example, human speech and images.

The Robots are Winning. CAPTCHA needs a rethink.

While the world has been ‘busy’ solving billions of CAPTCHAs, the machines have been busy learning to identify objects in photographs and to identify human speech in thousands of languages and even regional accents. Now, they are getting pretty good at it. I’m sure everyone has seen how the latest Generative AI models can now, for example, write a poem from a landscape photograph, even adding the correct geolocated references.

Image recognition AI services are now widely available and the accuracy has leapt from all the billions of labeled data, which has exponentially increased the effectiveness of the machine learning algorithms. Aren’t you glad all that work to identify motorbikes, chimneys, street crossings and trucks was worthwhile?

However, the unintended consequences are now coming home to roost - the AI can now solve the very same image recognition challenges better than the humans, because, unlike you, they have been trained billions of times and never sleep or demand a living wage.

Voice Recognition CAPTCHA

The first indication of the use of AI for CAPTCHA was for use in voice recognition CAPTCHAs. Typically these were used as accessibility alternatives to visual CAPTCHA. Bots suddenly started to hit the easier voice recognition options - using common AI voice recognition platforms. This is still a common bypass method. Telltale signs are a sudden spike in the accessibility CAPTCHA ratios. However, if the bots have been using this for a while, it may not be obvious until bot detection is used to clean all the data.

The tell-tale sign that a CAPTCHA farm is solving your CAPTCHAs is obviously the additional time it takes to solve the CAPTCHA events. Once the CAPTCHA is packaged up, sent via an API across the world, queued and solved, and then finally passed back, this inevitably introduces a delay. This delay was one of the sure signs of the use of a human CAPTCHA farm.

In the case of an AI CAPTCHA farm, the machines are able to solve the CAPTCHA much faster than the humans, and so the round trip to the CAPTCHA API and back is going to be about the same. 

As CAPTCHA becomes less effective, CAPTCHA vendors have responded by making their CAPTCHA more difficult, or introducing multiple CAPTCHAs. This terrible UX has frustrated billions of users throughout the world and resulted in a healthy supply of memes venting frustration, but very little else.

User Frustration with CAPTCHA is everywhere

Economic Aspects of CAPTCHA Farming

Individuals who engage in CAPTCHA farming can earn money by solving CAPTCHAs. They are usually paid for each successful solution, creating a financial incentive to participate in this activity. The major region for the CAPTCHA farms seems to be the Philippines, where the workers are paid fractions of a dollar for each successful CAPTCHA completed. 

Implications of CAPTCHA Farming

CAPTCHA farming carries several significant implications:

* Security Compromised: CAPTCHA farming compromises the security of websites and online services. It allows automated bots to bypass these protective measures.

* Economic Impact: The practice can impact legitimate businesses that rely on CAPTCHAs for security and customer verification.

* Erosion of Trust: Users may lose trust in websites that are unable to protect themselves from CAPTCHA farming, leading to a decrease in user engagement.

The Dark Side of CAPTCHA Farming

Behind the scenes, CAPTCHA farming has a darker side:

* Exploitation of Cheap Labour: Some CAPTCHA-solving farms employ low-wage laborers, often in developing countries, to solve CAPTCHAs at a very low cost.

* Links to Cybercrime: CAPTCHA farms have been linked to cybercriminal activities, including data scraping, fraud, and the creation of fake accounts.

The Impact on Online Security

CAPTCHA farming raises questions about the effectiveness of CAPTCHAs in safeguarding online security. It's imperative to assess whether these traditional methods are still adequate in an era of advanced automation.

Detecting and Preventing CAPTCHA Farming

Instead of relying on more and more difficult puzzles or challenges, which can be solved in any event and are easily bypassed by the CAPTCHA farms as we have seen, VerifiedVisitors takes a different approach.

VerifiedVisitors concentrates on detecting the telltale signs of the bot attacks. Even if the actual CAPTCHA is human-solved, the bot platform still needs to operate and thus gives away its origin under sophisticated examination by our AI platform. It's vital to capture all the various telemetry events from the CAPTCHA service, for example the CAPTCHA serve-to-completion timing breakdown, expiration, and total challenge completion time, so that you can at least use your existing tools to measure the basic data.

VerifiedVisitors uses Machine Learning Algorithms to evaluate the CAPTCHA completion. In a CAPTCHA Farm exploit, the CAPTCHA is passed on to an API service, and the tell-tale signs of this are identified. Although one clear sign is that using an API service adds latency to solving the CAPTCHA, in real life humans don’t immediately rush to solve CAPTCHAs either. Just relying on the overall CAPTCHA solve and response time isn’t a good enough signal. As we have seen, the latest AI-based CAPTCHA solving doesn’t have this latency issue.

Examining CAPTCHA Pass / Fail Ratio Dynamically

Enhanced CAPTCHAs: Developers are continually working on creating more complex CAPTCHAs to deter automated solutions. This clearly does not stop the CAPTCHA Farms, it just takes them longer to solve, and annoys the 99% of legitimate users who just want to access a service.
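
The telemetry checks described above (accessibility-challenge ratio, pass/fail ratio and serve-to-solve time compared against a baseline window), as an added example that is not VerifiedVisitors' code. The event fields, sample data and thresholds are constructed assumptions; a window is flagged only when at least two signals agree, because solve time alone is a weak signal.

```python
from statistics import median

# Constructed telemetry events: (challenge kind, serve-to-solve seconds or
# None if the challenge expired, passed). Layout is an assumption.
BASELINE = [("image", t, p) for t, p in [
    (9.1, True), (12.4, True), (7.8, False), (15.0, True), (None, False),
    (10.2, True), (8.7, True), (11.5, False)]] + [("audio", 14.0, True)]
SUSPECT = [("audio", t, True) for t in (31.0, 29.5, 33.2, 30.8, 32.1, 28.9)] + [
    ("image", 10.5, True), ("image", 30.2, True), ("image", None, False)]

def window_metrics(events):
    """Summarise one time window of CAPTCHA telemetry."""
    n = len(events)
    solved = [t for _, t, _ in events if t is not None]
    return {
        "audio_ratio": sum(k == "audio" for k, _, _ in events) / n,
        "pass_ratio": sum(p for _, _, p in events) / n,
        "expired_ratio": (n - len(solved)) / n,
        "median_solve_s": median(solved) if solved else None,
    }

def farm_signals(baseline, window, audio_jump=3.0, pass_jump=0.15, slow_factor=2.0):
    """List the signals on which `window` deviates from `baseline`.
    Thresholds are illustrative and need tuning on real traffic."""
    b, w = window_metrics(baseline), window_metrics(window)
    signals = []
    # Sudden spike in the share of accessibility (audio) challenges.
    if w["audio_ratio"] > audio_jump * max(b["audio_ratio"], 0.01):
        signals.append("audio_ratio_spike")
    # Pass ratio well above what ordinary visitors achieve.
    if w["pass_ratio"] - b["pass_ratio"] > pass_jump:
        signals.append("pass_ratio_jump")
    # Extra round-trip delay typical of a relayed, human-solved challenge.
    if b["median_solve_s"] and w["median_solve_s"] and \
            w["median_solve_s"] > slow_factor * b["median_solve_s"]:
        signals.append("relay_latency")
    return signals

def is_suspicious(baseline, window, min_signals=2):
    # Slow humans trip only the latency check; AI solvers trip only the ratios.
    return len(farm_signals(baseline, window)) >= min_signals

if __name__ == "__main__":
    print(window_metrics(SUSPECT), farm_signals(BASELINE, SUSPECT))
```
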

Ethical Considerations

The ethical dimension of CAPTCHA farming is complex. It highlights issues related to labor exploitation and the responsibility of businesses to protect their users.

Legal Aspects of CAPTCHA Farming

The legal landscape surrounding CAPTCHA farming varies from one region to another. Some countries have taken steps to regulate or ban this practice, but their usage seems to be increasing.

Conclusion

CAPTCHA farming, while providing economic opportunities for some, poses significant challenges to online security and ethics. As we navigate this intricate terrain, it's essential to strike a balance between protecting websites and annoying users. 

Frequently Asked Questions

What does the future hold for CAPTCHA technology?

VerifiedVisitors believes it’s time to reevaluate CAPTCHA, and instead of relying on one particular test, to use behavioural ML to track and validate all visitors.

What efforts are in place to prevent CAPTCHA farming?

Strategies include using advanced machine learning to pick up the signs of the underlying bot platform completing the CAPTCHAs.

What are the dark aspects of CAPTCHA farming?

CAPTCHA farming can lead to the exploitation of cheap labor and is linked to cybercriminal activities.

How does CAPTCHA farming work economically?

CAPTCHA farming involves individuals or automated systems solving CAPTCHAs for payment.

What is the primary purpose of CAPTCHAs?

CAPTCHAs are used to provide labelled data to Machine Learning Algorithms. They are also used to help distinguish bots from humans. But who is to say which is of more value?