Breaking Captcha for $.75 /hr
January 11th, 2009
CAPTCHA, that annoying security measure that many online service providers use to make sure you are a human and not some spam-bot, has spawned an entire IT sub-industry of service providers whose only goal is to break it. CAPTCHA and similar techniques attempt to foil automatic account creation by forcing users to identify a distorted image, usually depicting some string of text. The idea is that Optical Character Recognition (OCR) software isn’t strong enough to overcome the distortion and reliably identify the characters, but humans generally are. Naturally, as soon as this type of protection gained widespread use, hackers started developing ways to defeat it. It was only a matter of time before people figured out ways to monetize these techniques.
Dancho Danchev, writing for ZDNET, has uncovered some emerging trends in the thriving CAPTCHA-solving business. First, the spammers were using the techniques to quickly create large numbers of accounts on free email services like Gmail, Yahoo, and Hotmail, and using them to send spam and commit fraud. Since the emails originate from such mainstream service providers, blacklisting the domains is out of the question. Soon enough, third-party providers started offering CAPTCHA solving as a service for hire, and engaged in online selling of large blocks of free email accounts for use by spammers.
Like most malicious activity on the internet these days, the business model and technology surrounding this illicit endeavor are evolving rapidly, and borrowing heavily from the legitimate IT industry. Using the latest technology, re-using and sharing code and algorithms, and following the teachings of “best practices” has greatly enhanced the efficiency of these groups. Add to that the power of outsourcing the work to some of India’s premier data-processing teams, and you have a real growth industry.
These companies are recruiting. With ads that promise flexible schedules and challenging work from the comfort of your home, they are attracting a large contingent of technically savvy workers. In India particularly, the CAPTCHA breakers reportedly earn up to 10 times their legitimate data processing wages. There and elsewhere, some participants may not even be aware that they are engaged in a nefarious undertaking, because the services are marketed as “password recovery” and other legitimate-sounding services.
As Dancho says in one article, “No CAPTCHA can survive a human that’s receiving financial incentives for solving it.” With an army of dedicated solvers, the future of text-based CAPTCHA as a protection mechanism seems bleak.
Tags: captcha
Author: Christopher

