CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) forms are used to distinguish human users from automated programs, or bots.
CAPTCHA tests are commonly used on email login pages, forums and comment sections of blogs to prevent spam bots and automated brute force attacks. CAPTCHA tests have evolved over the years as threat actors have developed various sophisticated methods for bypassing and accurately completing the forms.
In part one of our CAPTCHA evasion techniques series, we discuss what CAPTCHA tests are, how they have evolved, why they’re still relevant and why threat actors are trying so hard to bypass them.
What are CAPTCHA tests?
We’ve all come across CAPTCHA tests during our hundreds of hours spent on the internet as we try to access various accounts, leave comments or connect to a chat. Created in 2000 at Carnegie Mellon University, CAPTCHA is now used by sites around the globe in an attempt to curb the vast quantity of automated activity causing chaos on the internet.
How have CAPTCHA tests evolved?
CAPTCHA tests of old would ask users to type out a sequence of numbers and letters into a box.
You’re now more likely to be presented with a series of images or an “I am not a robot” tick box.
However, CAPTCHAs are not foolproof. In fact, they’re quite the opposite. You may even have watched the YouTube videos of robot arms solving CAPTCHA tests, particularly the earlier iterations.
Does CAPTCHA work?
CAPTCHA tests remain fundamental to the web and security administrator’s detection and response arsenal, reducing the number of spam bots making their way through to a website or minimising the effects of a brute force attack.
This continued use of CAPTCHA tests means there are still bot operators out there using various techniques to trick the system.
How do hackers bypass CAPTCHA?
As early as 2007, Sophos identified that cybercriminals were building trojans targeting Windows operating systems that asked the infected user to complete CAPTCHA challenges in order to reveal explicit images. Essentially, hackers were using the public to solve all of Yahoo’s CAPTCHAs.
Image and audio recognition – Taking on Google with Google
In 2016, Jason Polakis, a computer science professor from the University of Illinois, published a paper detailing his use of Google’s own reverse image search functionality to solve Google’s image CAPTCHAs with 70 per cent accuracy.
Polakis was also able to use Google’s audio recognition programs to solve its audio CAPTCHA challenges.
Coming up in part two
In part two, we discuss one of the most commonly used CAPTCHA evasion techniques, CAPTCHA farming.
We’ll be lifting the lid on what CAPTCHA farms are, who uses them and what it’s like to work in a CAPTCHA farm for a day.