web application security lab

Human CAPTCHA Breaking

After almost a year, I’ve decided to revisit an old post I wrote regarding solving CAPTCHAs for cash. Specifically, it was about people who want to use Google or Yahoo to spam by automatically signing up for thousands of email accounts, which requires humans to solve CAPTCHAs for them. According to MessageLabs, webmail-based spam represents approximately 4.2% of all spam on the Internet - pretty significant.

There have been a number of articles on the Internet about automatic solutions to CAPTCHAs, but honestly, I find those stories somewhat dubious at best. Firstly, I don’t believe the solution rate is as high as some people are claiming (it’s possible, but I don’t believe it’s happened for Gmail or Yahoo mail at the moment - if someone has actual proof I’d love to see it). Secondly, it’s super easy to change an algorithm to make it non-solvable again - keeping the automatic solutions at bay long enough to build another algorithm, and so on. Lastly, there are very few people with the sophistication and know-how to develop and use these tools as a percentage of the people who spam.

However, none of these issues deter a human CAPTCHA solver. If you remember my last article on this, we were seeing the economics drop significantly to where this is suddenly worthwhile, and if you read the comments of that post, even more of these CAPTCHA breaking crews are popping up all over the world. Why wouldn’t they? Someone is willing to pay for it, so why wouldn’t you, if your family needed food? Sure, the money may or may not belong to the spammer, but legit or not, the money is still real enough.

That leads me to something I found on the Internet while I was searching for more information on the economics of it. During my searching, I happened across some job offers for CAPTCHA breakers (also known as data entry). The advertisement was pretty intriguing:

CAPTCHA breaking job offer

The job offer is written as if it were for a stay-at-home salesperson, or some other sort of semi-professional position. Words per minute, 12 hour shifts, a PayPal account along with an internet connection appear to be the only prerequisites. I thought it was fascinating. Also, the economics appear to have dropped significantly from the last article I wrote a year ago. Now people are being paid $1/1000 CAPTCHAs solved, rather than five to nine times that, which is pushing this market into different directions due to increased competition. Perhaps there are other additional benefits for using a more expensive Romanian service versus the cheap version the Philippines are offering.

Unfortunately, I haven’t seen the operations personally, so I have to speculate that it’s less about the service and more about the cost of operations in the various countries. If anyone is willing to show me their operation I’d love to see it. In the meantime, I think we should think about what exactly CAPTCHAs are offering us, and how we are sponsoring micro-economies in countries based on fraudulent human form filling. Is that really the goal? Is it actually the deterrent we intended? Perhaps we should be looking at other/better options.

19 Responses to “Human CAPTCHA Breaking”

  1. yawnmoth Says:

    The practice of using people to solve CAPTCHAs is kinda similar to the practice of using people to mine gold in games. Sure, both can, in theory, be automated, but in practice, it’s just easier to pay people.

    More info. on gold farming:

    http://en.wikipedia.org/wiki/Gold_farming

  2. Why pay? Says:

    http://www.bluehatseo.com/creating-an-army-of-free-captcha-typers/

    personally i’m more for this method :)

  3. Shoaib Yousuf Says:

    Hi Roger,

    Very good research indeed.

    When Gmail was launched they initially started verification via SMS before signing up for Gmail account.

    I think that was really a cool idea to crack down CAPTCHAs breakers

    Cheers

    Shoaib

  4. Awesome AnDrEw Says:

    While the job would appear to be overly mundane and repetitious to individuals living in more affluent countries I am quite sure it may be appealing to those under different economical situations where the standards of living are less than desirable. There are hundreds of these schemes available whether it’s “Gold Farming” as yawnmoth pointed out, pay-per-click companies, paid-to-surf websites, SPAM account registrations, et cetera. I believe a lot of us would be uninterested in these prospects, but there are many who become desperate due to their financial arrangement.
    What I am interested in is the “platform” being used to monitor the employees (I’ll use that term loosely). Being that the job is already of a questionable nature does anyone else wonder exactly how this “platform” works? I’m curious as to whether it is a basic remote administration tool, and if so whether or not the “employer” would go so far as to monitor other traffic, or use the workers for nefarious dispositions. With everything we’ve all discussed or looked at within the past few years in regards to issues like Cross-Site Request Forgeries (as an example I’ll point to a post made in 2007: http://sla.ckers.org/forum/read.php?14,9141,9141#msg-9141) surely it’s not too far-fetched.

  5. MiP Says:

    Automated solutions to captchas do work (I wrote one, but never sold it even though spammers are willing to pay some nice $$$ for it), and they work really well. Just make a little search for research papers in this area, they explain in detail how to write such automated captcha breakers. Any decent grad student can code it.

  6. CanadaRox Says:

    0x000000.com says otherwise about the Yahoo CAPTCHAs being cracked. Here is a link: http://www.0x000000.com/index.php?i=502&bin=111110110

  7. ehmo Says:

    Nice post. Here is your POC for yahoo captcha. http://network-security-research.blogspot.com/2008/01/yahoo-captcha-is-broken.html check it, it’s working fine

  8. Goblin Says:

    No, there is no “remote administration”, it is simply a web page that shows CAPTCHA, asks user to input data, and has a counter of successful entries.

  9. Istari Says:

    I wonder if they use some kind of pre-processing of the CAPTCHAs. I know automatically solving them is quite hard (at least for the ones that are most interesting, like Yahoo’s or Google’s… others are really easy!), but sometimes even basic pre-processing saves a lot of time by making hard CAPTCHAs become somewhat easier and faster to solve…

    I’m pretty sure that any decent operation would have something like this in the framework for their employees…

  10. Awesome AnDrEw Says:

    @Istari
    I would imagine that most of the CAPTCHAs would be those found on such websites like Google, and Yahoo! where the potential for SPAM and its applications become much greater. I’ve run across a few CAPTCHAs written by “amateur” programmers for their own websites which can be easily circumvented using null bytes, a static key, or even bypassing it altogether in the request. While I have had PWNTCHA laying around for quite some time I’ve never really had a use for it, but at one point several years ago I was interested in writing my own OCR software for such applications.
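
Comment 10 above names three ways homemade CAPTCHAs fail: null bytes, a static key, and skipping the check in the request. The following is an added example, not code from the post or from any commenter, of a server-side verifier that closes those three; the class name, form field names and TTL value are assumptions made for illustration.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 120  # seconds a challenge stays valid (assumed value)


class CaptchaStore:
    """Server-side record of issued challenges, keyed by a random ID."""

    def __init__(self, clock=time.time):
        self._pending = {}  # challenge_id -> (answer, session_id, expiry)
        self._clock = clock

    def issue(self, session_id, answer):
        """Register a fresh challenge; only the opaque ID goes to the client."""
        challenge_id = secrets.token_urlsafe(16)
        expiry = self._clock() + CHALLENGE_TTL
        self._pending[challenge_id] = (answer, session_id, expiry)
        return challenge_id

    def verify(self, session_id, form):
        """Return True only for a correct, fresh, first-time answer."""
        challenge_id = form.get("captcha_id")
        answer = form.get("captcha_answer")
        # Bypass in the request: absent or non-string fields fail closed.
        if not isinstance(challenge_id, str) or not isinstance(answer, str):
            return False
        # Static key: pop() makes every challenge single-use, right or wrong,
        # so a solved ID/answer pair cannot be replayed.
        record = self._pending.pop(challenge_id, None)
        if record is None:
            return False
        expected, owner, expiry = record
        # The challenge must belong to this session and still be in date.
        if owner != session_id or self._clock() > expiry:
            return False
        # Null bytes: reject empty input and any control character outright
        # instead of letting a later layer truncate the string.
        if not answer or any(ch < " " for ch in answer):
            return False
        return hmac.compare_digest(
            answer.lower().encode("utf-8", "replace"),
            expected.lower().encode("utf-8", "replace"),
        )
```

None of this affects the paid human solving the post describes: a correct answer typed by a person still verifies.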

  11. Istari Says:

    Well, I’m in the process of writing my own CAPTCHA-breaking software, applying a new concept (which I haven’t seen anywhere else) based on filters similar to those used in video processing… right now I’m only starting to develop this thing (let’s say it’s in pre-alpha status), but I think it’ll get going pretty soon, as I took some courses in the summer which have proven to be very helpful…

    Anyway, I’ve never had access to PWNTCHA (care to share?), but the other CAPTCHA breaking software I’ve seen around usually has the problem RSnake mentions in his post: it’s usually too CAPTCHA-specific, so even minor changes to the generating algorithm make whole programs totally useless…

  12. dusoft Says:

    Istari: useless only, if you are not trying to focus on one website… in that case (and case the captcha solving works), you’ve found a gold mine.

  13. Steve Says:

    I can only imagine how much of a boost that would give to the reCaptcha campaign (http://recaptcha.net/). At least one small positive to this situation, other than the people getting paid to do something like that.

  14. Anonymous Says:

    This is definitely targeted towards non-USA residents.. No American would have enough patience to type 1000 captchas for one dollar; I’m one example.

  15. BloomSofts Says:

    Hi All , This is BloomSofts Bpo company from india .

    We are doing only captcha work . We have professional typists to do the work very and accurate .We are offer the rate for 1000 captchas compare to others .Have 50 and more people for captcha work only ,.So any one need our service , let me know very soon .

    You can reach us on MSN, Skype, Yahoo Gtalk , and AIM as BloomSofts for quick contact.Thanks

  16. Ahsan Says:

    Dear Sir,
    Thanking you again and have a nice day. I am very much interested to join
    online captcha & all kind of data entry project. So i need your help. I promise you that
    always i give you support as your requirement. Pls give me a chance to
    join with your job.
    I am waiting your nice confirmation.
    Regards
    Ahsan
    My e-mail:ahsan_0115@yahoo.com

  17. Fazlur Rashid Shobuj Says:

    Hi,
    I’m Syed Fazlur Rashid(Shobuj). from Bangladesh.

    I would like to introduce with you. Because I’m looking for data entry (Captcha) work. I have a data entry worker group & we are a team of experienced Captcha entry personnel. We are looking for companies that would like long and short term captcha project & we are able to work for 24/7.

    I work at combining skills for producing material that will capture the attention of probable customers and being a certified establishment, you can depend on us for providing you with quality work

    So if u have data entry work project please contact with me for a very good quality work.

    with best regards

    Shobuj
    Email- shobujbof@yahoo.com
    Phone: +8801716684504.

  18. parfait Says:

    Dear sir,

    I’m searching work at home job which pay per minute or per hour in
    paypal account

    await your answer soon

    parfait428

  19. Bhatti_10 Says:

    Hi Sir!
    I have a vast experience of doing captcha entry and I have good
    team of expert persons for Captcha Entry. We can do captcha with
    good quality and 95+ accuracy and also at good speed. We have done different type of captchas such as MySpace Captcha with bot, Alpha, Alpha numeric and numerics Captchas. We are sure that we can give you a good amount of captcha daily.
    So If you give us chance you will be 100% satisfied. Hoping for nice co-operation. Our net speed is very fast. Hoping for nice response. Waiting for ur mail.
    Have a nice time. Bye.