Anonymous ID: e02443 Aug. 8, 2022, 12:05 p.m. No.17226117

HOW BOTNETS BEAT CAPTCHAS

 

It’s really a genius system when you think about it, but if you’re not aware this is how it works in simplistic terms:

 

reCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows.

 

Source: http://www.google.com/recaptcha/learnmore

 

So basically Google has scanned images of book pages that need to be turned into plain text. The best OCR out there cannot do it, so they need humans to do it for them. But that’s expensive, and in a very innovative solution they now use sections of these book pages as an anti-bot system. So in return for blocking automated bots from abusing people’s services, Google gets endless free human OCR.

 

Sweet deal huh?

 

So sweet that services have emerged to solve these CAPTCHAs cheaply for people who run spam/bot services that need to bypass these CAPTCHAs.

 

Indian Labor Zone

 

This is a CAPTCHA solving service that charges low rates to get these roadblocks solved for anyone with Paypal, Credit/Debit Cards, or many other payment gateways.

 

How do they do it? Cheap labor, and lots of it! They even force you to pay more at certain hours when their workers will be normally asleep so that they can attract more people to the night shift.

 

We rely on a workforce that is mostly located in South Asia and South-East Asia. The Nightshift Worker Compensation is intended to increase the amount of workers online during their nighttime, thus, increasing the overall capacity of the service. Please read here for more information.

 

Source: http://deathbycaptcha.com/user/faq

 

Not only that but they offer the service pretty cheaply, just take a look at their rates! Have 5,000 CAPTCHAs solved for only $6.95!

 

But I’m getting a little off topic here; the point is, humans are a much-needed commodity in today’s shifty digital market. CAPTCHAs need to be solved and there are many people willing to pay money to have them solved.

 

So, the idea came to me that it shouldn’t be too hard to build a botnet that forces people to solve CAPTCHAs for you. Some malware convinces people to buy MoneyPak cards in order to get their computer working again, so perhaps that sort of strategy could be used? But what would be a _believable_ scenario where somebody would be forced to solve a CAPTCHA image?

 

I remember back to a crazy incident where Comcast (an ISP) started injecting JavaScript into pages over HTTP. This is horrific for so many reasons but it’s completely true.

 

Not only were they injecting JavaScript, but they were doing it with poorly made JavaScript which would no doubt break many pages that it was injected into. So we know that an ISP or two is willing to do dirty things such as this, so why wouldn’t they also force people to verify that they’re human and not abusing Comcast’s precious internet service?

 

https://thehackerblog.com/captcha-solving-botnet-how-hackers-can-use-their-victims-for-more-than-just-computing-power/