
Part two: What are CAPTCHA farms?

By Netacea / 08th Nov 2019

In part one of our CAPTCHA series, we discussed how CAPTCHA works and how it is used to effectively stop bots. In part two, we take a deep dive into one of the most commonly used CAPTCHA evasion techniques, CAPTCHA farms.

First things first, let’s understand a little more about what CAPTCHA farms are and how they came into being.

CAPTCHA farms are a thriving business and have been for over a decade, ever since the likes of MySpace, Google and YouTube started using CAPTCHA to block the hordes of spam bots from accessing their sites for nefarious purposes. For instance, spam bots will send hundreds of requests per minute to overwhelm and take a website offline, or post messages in comment boxes that are embedded with phishing links or hyperlinks to another website to improve that site’s search rankings.

This is not the type of activity that any well-run business wants to see going on, and most strive to put a stop to it, while other organisations are built on the very premise of enabling this malicious behaviour.

How do CAPTCHA farms work?

CAPTCHA farms bridge the gap between bot operators and the site they want to access via a CAPTCHA form.

Essentially, the bot will be integrated with a third-party API, so that when faced with a CAPTCHA test, the request is sent to a CAPTCHA farm to be completed by a real human. The human-generated, correct response is then sent to the bot, which is now able to successfully solve the CAPTCHA test on the web application and verify its “humanness”.

There are other ways to evade a CAPTCHA test using bots, including Optical Character Recognition (OCR) and audio-to-text services, but we focused our research on the multi-million-dollar industry built around CAPTCHA farms.

Undercover at a CAPTCHA farm

In our efforts to really get to grips with how CAPTCHA farms work, a group of Netacea researchers decided to sign up for one of the many CAPTCHA farms readily accessible on the world wide web.

We identified an appropriate organisation for our research and, upon accessing the site, quickly realised it had all the required look and feel of a well-established, well-run business. It even had customer stats, information for employees, developer areas, FAQs, news, referral schemes and how-to guides. The business was even using social media to advise employees about rotating their IPs.

On becoming officially registered employees, we began our CAPTCHA solving training and our progress was monitored and moderated by the organisation. That way, they could ensure accuracy, prevent detection and justify their customers’ expenditure.

We were then ready to start solving CAPTCHAs and for the money to start rolling in; or so we thought.

How much money can I make working in a CAPTCHA farm?

We quickly discovered that while this industry is lucrative for some, it’s built on the backs of citizens from economically-deprived countries who operate in a fleet of digital sweatshops.

In half an hour, our best researcher earnt 0.0087p. You would need to solve a LOT of CAPTCHAs to earn an average £18k salary.

This led us to dig deeper into the CAPTCHA farming economy. We found that employees earn $0.17 (£0.13) per 1000 CAPTCHAs solved, and $1 (£0.76) per reCAPTCHA, using the USD to GBP conversion rate of 1 USD = 0.76 GBP.

According to the image CAPTCHA remuneration figures above alone, a single employee at the chosen business would need to complete 100 million CAPTCHAs to earn £13k.

How much does it cost to farm out CAPTCHA challenges?

We were unable to find a hard and fast figure charged by CAPTCHA farms for their services, but we did estimate the discrepancy between how much it would cost a bot operator to farm out 1000 CAPTCHA challenges and how much the “farm” would earn per worker.

Applying the same USD to GBP conversion rate, a bot operator will spend £0.68 per 1000 CAPTCHAs and £2.28 per reCAPTCHA.

If we deduct the £0.13 paid out to the employee per 1000 image CAPTCHAs, the business earns £0.55 per 1000 and £55,000 for every 100 million CAPTCHAs solved. And that’s where we find the big bucks.

Clearly CAPTCHA farming isn’t going to go away anytime soon, and CAPTCHA continues to play a critical role in most cybersecurity solutions. However, CAPTCHA is not enough on its own.

How Netacea helps

Netacea takes a smarter approach to bot management. Our Intent Analytics™ powered by machine learning quickly and accurately distinguishes bots from humans to protect websites, mobile apps and APIs from automated threats while prioritising genuine users. Actionable intelligence with data-rich visualisations empowers you to make informed decisions about your traffic.

Talk to our team of data scientists today to discover more about our pioneering approach to bot management.
