CAPTCHA and reCAPTCHA are common on all websites that require user interaction and completion of online forms. Although they were a bit annoying in the beginning, as the technology driving CAPTCHAs evolved to the Google reCAPTCHA standard, they have become less.
The question on the table is, however, how safe are they? Can they be fooled? For many years, CAPTCHAs have been the first line of defense against spambots, fake traffic, and Denial of Service (DoS) attacks. With most businesses and organizations having a significant online presence these days, when threat actors successfully sidestep the controls of CAPTCHA, they can severely damage the credibility of these organizations’ online marketing campaigns and reputations.
What is CAPTCHA?
In the 1950s, computer scientist Alan Turning developed a test where a computer was challenged to exhibit human characteristics through written communication. This test laid the foundation for future computer scientists to develop and utilize this conceptual methodology to create the CAPTCHA.
CAPTCHA (Completely Automated Turing test to tell Computers and Humans Apart) was designed to challenge users on web forms and authentication. Malicious actors build automated applications to fill out forms and click buttons on websites at great speeds. This can cause increased costs to organizations, wasting the time and budget of their sales teams.
Because of this challenge response’s effectiveness in blocking malicious spam bots, CAPTCHA quickly became the preferred method of dealing effectively with spambots.
CAPTCHA generates a distorted image from the source code and presents the user with the image as a visual challenge. The user would then analyze the image and respond to the prompt by supplying a plain text qualifier.
Vulnerabilities of CAPTCHA
What is concerning, though, is that CAPTCHA could be bypassed and become useless when exploited by threat actors.
Much like click farms, threat actors might employ real people to access websites they would like to target with spam. These farms usually consist of many workstations or mobile devices operated by malicious actors who engage with an organization’s website to enter nonsensical information. Since they are real human beings, they can decipher CAPTCHAS normally.
By utilizing a mechanism called Cross-site scripting, threat actors might be able to gain access to the personal information of your clients. Cross-site scripting (XSS) is an attack in which a malicious script is injected into the code of a trusted website. An XSS attack is frequently initiated by sending a malicious link to a user and tempting the user to click on it.
If the app or website does not correctly scrub its data, the malicious script executes the threat actor’s code on the user’s system. As a result, the attacker can steal the active session cookie from the user and, in this case, the CAPTCHA. This kind of attack can easily happen unbeknown to the user.
Optical Character Recognition Software
By using modern Optical Character Recognition (OCR), threat actors can solve most CAPTCHA challenges presented by your website. In the early days of CAPTCHA, OCR technology was still not advanced enough to decipher the mangled text used by the challenge. In recent years, OCR technology has evolved so much that cloud-based OCR bots can easily decipher the deformed text.
Since CAPTCHAs offer multiple tries for users to meet the challenge, threat actors can run their OCR software across the CAPTCHA challenges multiple times before being denied access.
Artificial Intelligence Engines
Some malicious actors even go as far as resorting to complex artificial intelligence (AI) engines. These AI engines have neural models at their core, learning how to decipher CAPTCHAs the more they are exposed to them.
While modern reCAPTCHA’s utilize far more complex mechanisms than simply presenting a user with a challenge, many websites have still not moved to the latest technology. Google’s engine behind this technology reportedly uses biometrics such as mouse movements, browser history, and IP addresses to interactively verify whether the “person” using the website is human or a bot.
Businesses and organizations need to understand that threat actors are becoming extremely cunning and that cyber security systems need multiple layers of security to be effective. A comprehensive security platform will help organizations detect and block malicious traffic in real-time, whether the source is paid or natural, and will provide better insight into marketing analytics.
To learn more about how click farms and bots bypass CAPTCHAs and how to stop them, visit this page.