Attackers are using optical character recognition and machine learning, as well as crowdsourcing through third parties, to solve a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart).
CAPTCHA is a challenge-response test used to ensure that the response is generated by a person, not a computer. Users are asked to read and type a string of distorted characters in order to ensure that the user is a human, not a computer trying to access a website or account.
“Attackers use automation in order to scrape data from websites…or add comments. Automation is a real problem for web applications. Application owners introduced the CAPTCHA, which gives a visitor to a website a test to determine whether it is human or automation”, explained Tal Be’ery, web security research team leader at Imperva’s Application Defense Center.
“Using our array of honey pots, we were able to see attacks that bypassed the CAPTCHA and allowed automation against these sites”, he told Infosecurity.
Be’ery explained that spammers are using third parties to solve CAPTCHA, so-called crowdsourcing. Through this technique, third parties establish networks of CAPTCHA-solving individuals who get paid a small amount to solve thousands of CAPTCHAs. Spammers then hire these firms to bypass CAPTCHAs for a modest price.
The Imperva report identified improved approaches to CAPTCHA, such as harder CAPTCHAs built on simple riddles and contextual semantics, which automated tools find more difficult to solve. These can be reserved for visitors suspected of being automated.
In the report, Imperva advised that anti-automation products bolster CAPTCHA defenses with traffic-based automation detection, behavioral analysis, content analysis, and blacklists. “CAPTCHA should be combined with other mechanisms against automation”, Be’ery said.
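The layered approach the report describes, as an added example that is not from Imperva or the article: a triage routine over constructed access-log records that combines a traffic-rate rule, a timing-regularity heuristic, a user-agent content check and a blocklist, and serves a CAPTCHA challenge only to clients it suspects of automation. The thresholds, blocklist entry, addresses and log records are all constructed assumptions.

```python
from collections import defaultdict
from statistics import pstdev

BLOCKLIST = {"198.51.100.9"}                         # constructed placeholder entry
MAX_POSTS_PER_WINDOW, WINDOW_SECONDS = 5, 60.0       # traffic rule
MIN_SAMPLES, MAX_REGULAR_STDDEV = 4, 0.05            # behavioral rule (seconds)
SCRIPTED_UA_MARKERS = ("python-requests", "curl/")   # content rule on user-agent
# Constructed access-log records: (client_ip, unix_time, path, user_agent).
SAMPLE_LOG = [
    ("203.0.113.7", 100.0, "/comment", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("203.0.113.7", 131.4, "/comment", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("198.51.100.9", 100.0, "/comment", "Mozilla/5.0 (Windows NT 10.0)"),
] + [("192.0.2.44", 100.0 + i, "/comment", "python-requests/2.31") for i in range(6)]

def exceeds_rate(times):
    """Sliding window over sorted times: more than MAX_POSTS_PER_WINDOW in WINDOW_SECONDS."""
    j = 0
    for i, t in enumerate(times):
        while times[j] < t - WINDOW_SECONDS:
            j += 1
        if i - j + 1 > MAX_POSTS_PER_WINDOW:
            return True
    return False

def signals_for(records):
    """Automation signals raised by one client's records; an empty list looks human."""
    found = []
    times = sorted(t for _, t, _, _ in records)
    if exceeds_rate(times):
        found.append("rate")
    gaps = [b - a for a, b in zip(times, times[1:])]   # inter-request spacing
    if len(times) >= MIN_SAMPLES and pstdev(gaps) <= MAX_REGULAR_STDDEV:
        found.append("regular-timing")                  # too even to be a human
    if any(not ua or any(m in ua for m in SCRIPTED_UA_MARKERS) for *_, ua in records):
        found.append("scripted-ua")
    return found

def triage(log):
    """Per client: 'block' (blocklist), 'challenge' (CAPTCHA, only when suspected), or 'allow'."""
    by_client = defaultdict(list)
    for rec in log:
        by_client[rec[0]].append(rec)
    decisions = {}
    for client, records in by_client.items():
        if client in BLOCKLIST:
            decisions[client] = ("block", ["blocklist"])
        elif signals := signals_for(records):
            decisions[client] = ("challenge", signals)
        else:
            decisions[client] = ("allow", [])
    return decisions
```

Legitimate users who trip none of the rules never see a challenge, which is the user-experience balance the report asks for.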
The report recommended that CAPTCHA security should be balanced with a positive user experience. This can be accomplished by using novel CAPTCHA methods that make the CAPTCHA into something enjoyable, like a mini-game, and by minimizing the number of CAPTCHA challenges that legitimate users encounter.