The cyber-underground menu of criminal services now includes on-demand, human-assisted CAPTCHA-breaking functionality, researchers are warning — meaning that website admins should look to implement additional anti-bot protections as a result. 

CAPTCHAs are familiar to most Internet users as challenges that are used to confirm that they’re human. The Turing test-adjacent puzzles usually involve typing in a word presented visually as blurred or distorted text, for instance, or clicking all photos in a grid that contain a certain object. The idea is to weed out bots on e-commerce and online account sites.

However, there has been a bit of a space race when it comes to CAPTCHA efficacy; tougher puzzles like those that present twisty letters or numbers to interpret can now be defeated by machine learning, for instance. That has sparked the rise of more advanced CAPTCHA challenges, such as rotating an askew object to be in its correct position, according to a recent Trend Micro analysis. However, cybercrooks now have options to get around these too.

"Online service operators face a slew of different challenges when automated Web traffic defeats CAPTCHAs not by using bots, but by using human CAPTCHA solvers," explained researchers at Trend Micro. "Several services that are primarily geared toward this market demand have been created."

To use a CAPTCHA-solving service, bot operators can create automated attack scripts that automatically capture the CAPTCHA when presented, sending it in real time via an integrated API call to the service provider, according to Trend Micro. The CAPTCHA-breaking service taps a human solver to work out the solution, and sends the answer back to the automated script a few seconds later to be input into the answer field on the targeted website.

The researchers noted that such services are seeing uptake; for instance, a recent real-world attack was observed on the Poshmark social commerce marketplace for buying and selling used fashion, home, and electronics items.

"Our observations show that there are numerous CAPTCHA-solving task requests to a known CAPTCHA-breaking service that are targeting CAPTCHAs from Poshmark's website," according to Trend Micro. "From the data we've gathered, these CAPTCHA-solving requests originated from a known Poshmark bot."