Last week, I wrote about a “bulletproof hosting” provider that offers dodgy Web hosting that is insulated from takedown by abuse complaints or requests from Western law enforcement agencies. Today, I’ll look at one of that bulletproof provider’s biggest clients: Captchabot.com, a service that automates the solving of “CAPTCHAs,” those annoying agglomerations of squiggly numbers and letters that many online services require users to solve to help ensure that new accounts are not being auto-created by a computer.
These so-called reverse Turing Tests can be exasperating for legitimate users, but these days they are little more than a speed bump for those who specialize in mass-creating bogus new accounts at popular online destinations like Facebook, MySpace and YouTube, for use in spreading spyware and pimping spammy Web sites.
That’s thanks largely to services like Captchabot, which automate the solving of CAPTCHAs with the help of low-paid workers in China, India and Eastern Europe who earn pennies per hour deciphering the puzzles.
Captchabot charges clients based on how many thousand CAPTCHAs they ask the service to solve: $1 buys about 1,000 solved CAPTCHAs. The service claims at least an 80 percent success rate, and customers only pay for CAPTCHAs that are solved correctly.
In their seminal paper (PDF) on CAPTCHA-solving services, researchers at UC San Diego earlier this year tried to estimate how many employees it would take to solve the daily workload of CAPTCHAs fed to the various services. The researchers guessed that Captchabot.com would need to have between 130 and 200 workers available more or less around the clock (for a look at how these services performed against CAPTCHAs required by MySpace, Google, Wikipedia and others, see this graphic).
The researchers also sought to learn where most of the puzzle-solving workers resided, so they fed Captchabot and other services a variety of CAPTCHAs from different languages. The results, shown in the screen shot here, indicated that most of the workers were Chinese, English and Russian speakers.
I contacted the owner of Captchabot.com, a hacker named Mirko Res, via online chat to see if I could fine-tune the UCSD estimates on the number of workers employed by the service, but he was unwilling to give an exact figure (“under NDA,” he explained). He did say, however, that the majority of the workers employed by his service live in Belarus, and that workers are only passed puzzles that can’t be solved by the service’s automated CAPTCHA-guessing algorithm.
“They using it for legal Webspam, like blog comments,” Res said of his operation’s customers. In fact, a widely-used forum- and blog-spamming tool known as XRumer relies exclusively on Captchabot to deliver its CAPTCHA-cracking capability.
Other services that leverage Captchabot are far more plainly oriented toward illegal activity. Take, for instance, the program pictured here, a $10 product called Verified by Visa Checker. According to its author, the program takes a list of credit card numbers and checks to see if any of them already are enrolled in the Verified by Visa anti-fraud program.
In the same hacker forum where I found the Verified by Visa tool I stumbled upon a discussion in which members were talking about a way they’d found to add credits to their Captchabot.com accounts without paying. I pinged Res about this, and he thanked me and said he’d sewn up the vulnerability, but not before fraudsters had used it to solve millions of CAPTCHAs for free.
While Captchabot only accepts virtual currencies such as Webmoney for payment, other solving services named in the UCSD paper accept more traditional forms of payment, including credit cards. DeCaptcher, shown in the screen shot below, somehow is able to continue accepting both Visa and MasterCard for its service, even though, according to one trusted source in the criminal hacker underground, a large number of DeCaptcher customers pay for the service using stolen credit card data.
Even at a fraction of a penny per solved CAPTCHA, it wouldn’t take long for fraudsters to rack up sizable charges using the à la carte features that these services advertise. For example, DeCaptcher and Captchabot allow customers to offer payment over the market rate in exchange for higher-priority access to solvers when demand for system resources is high.
In the course of reporting this blog post, I signed up for an account at DeCaptcher and was mildly amused when the service asked me to solve a CAPTCHA before it would let me create an account. Unsurprisingly, DeCaptcher’s home page is littered with ads for third-party services that depend on its puzzle-cracking technology.