For years, thanks to the currently mature human-driven ecosystem offering CAPTCHA-solving as a service, cybercriminals have been persistently and automatically abusing major Web properties by undermining the “chain of trust” that these properties rely on so extensively.
Still living in a world supposedly dominated by malware-infected bots, this myopia has resulted in the rise of these managed services, rendering any recent CAPTCHA “innovations” useless since they continue relying on humans – the very species that CAPTCHA is supposed to be recognizable by in the first place.
Just how easy is it to automatically register tens of thousands of bogus accounts at, let’s say, YouTube? In this post I’ll profile a recently released tool that’s relying on API keys offered by a CAPTCHA-solving services, automating the account registration process in combination with the use of malware-infected hosts as proxies.
Sample underground market advertisement of the tool:
Sample screenshot of the actual tool:
What’s particularly interesting about this tool is the fact that every automatically created bogus account starts following another automatically created bogus account, leading to a self-serving, potentially fraudulent segment of fake users who will inevitably start commenting and liking each other’s videos in an attempt to artificially increase their popularity, thereby undermining YouTube’s reputation-based system.
The tool currently supports two managed CAPTCHA-solving services, primarily relying on API keys, and credit for a number of solved CAPTCHAs in real-time, which can be purchased from these services. Operating in the open for numerous years, these services are the cornerstone of the success of over a dozen spam tools.
Although one of the services embedded to be used in the tool is currently offline, the other is fully working and is currently using the following price list for prospective buyers:
- 5000 solved CAPTCHAs for $7
- 10,000 solved CAPTCHAs for $14
- 25,000 solved CAPTCHAs for $35
- 50,000 solved CAPTCHAs for $70
- 100,000 solved CAPTCHAs for $140
Based on the statistics offered by the service, the average time to solve a CAPTCHA is 9 seconds, with an accuracy rate of 94%, with the service relying entirely on low-waged CAPTCHA-solving employees typically based in developing countries.
We’ll continue monitoring this market segment, and post updates as soon as new developments emerge.