History:

You want to log into your favorite website. You mistype your password, and now you need to re-enter it while also clicking on every square that contains a bicycle. This service is used because bots cannot read and find every bicycle, stoplight or crosswalk the way a human would. All this to say, a website is more secure from bot attacks distributed across the internet… until recently.

Completely Automated Public Turing test to tell Computers and Humans Apart, or CAPTCHA, has the ultimate goal of combating spam and other automated tasks. These may seem annoying to the user but are a preventative measure to ensure that only human traffic is being processed. Coined in 2003 by researchers at Carnegie Mellon University, CAPTCHAs have been a standard part of most security practices.

Clear and Present Danger:

Here is where things have changed. The CAPTCHA service can be called via an API. Threat actors are developing tools that forward these API challenges to a CAPTCHA-solving service. Customers pay a premium to have actual humans solve the challenge and return the solved API response. Threat actors then forward that traffic to their bot network so it appears to come from normal users.

The remaining problem for the threat actors is varying their origin IP. Another common security practice is to blacklist unusual traffic coming from a single IP address. Trend Micro reported last week on the use of Proxyware.

Image by Kaspersky Daily

With the promise of easy passive income, websites offer users the chance to share their computing power and/or unused internet bandwidth from their ISP. A user simply needs to make their computer accessible for Peer to Peer (P2P) connections to the hosted service. A paying customer is then given proxy connections through these hosted IP addresses. While there are some legitimate use cases for these services, the model is very open to abuse by threat actors. See examples posted by The Hacker News.

Who Is At Risk?:

Social e-commerce sites have been target number one for these attacks. Poshmark is a popular site that combines social media with item sales. To boost a listing's promotion, bots can be used to like, comment, subscribe, etc. Trend Micro reported on this at the end of May 2023. Any website that offers some kind of payout tied to user activity can also see an uptick in Proxyware abuse.

Crypto faucets are apps or websites that give small rewards in the form of cryptocurrency to those who complete simple tasks. This was made popular by the introduction of the Bitcoin Faucet, referenced in this article by Poloniex.

Brute-force activity and attacks such as SQL injection are also possible. Origin IP addresses are obfuscated from blacklisting solutions such as Cloudflare's. Threat actors are able to keep attacking website login or registration pages that are protected only by a CAPTCHA. This can cost companies valuable resources or pose other dangers.

Mitigations:

Depending on the environment and other security measures, CAPTCHAs are simply not an effective measure for total mitigation. Obfuscation of origin IP addresses means blacklisting unusual traffic also poses a challenge. A company should set up alerts that monitor average account usage and account creation. A spike may indicate an attack. While this does not stop an attacker, it at least gives a time reference for the needed response.
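As an added example (not code from the original post), the alerting idea above in Python over a constructed registration log: in the attack hour every sign-up passes the CAPTCHA and each arrives from a different proxyware IP, so a per-IP threshold stays quiet while an aggregate hourly-rate alert fires. Log format, IP ranges and thresholds are assumptions made for the example.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample registration log (not from the original post): one line
# per created account, "ISO-timestamp source-ip captcha-result". Hours 00-05
# are normal traffic from a few repeat IPs; hour 06 is the attack: 40 sign-ups,
# each passing the CAPTCHA (solved by a paid human) and each from a distinct
# proxyware IP, so no single address stands out.
def build_sample_log():
    lines = []
    for hour in range(6):
        for i in range(3):
            ts = datetime(2023, 6, 1, hour, 10 * i)
            lines.append(f"{ts.isoformat()} 203.0.113.{1 + i} captcha_ok")
    for i in range(40):
        ts = datetime(2023, 6, 1, 6, i)
        ip = ipaddress.IPv4Address("198.51.100.0") + i
        lines.append(f"{ts.isoformat()} {ip} captcha_ok")
    return lines

def parse_line(line):
    ts, ip, result = line.split()
    return datetime.fromisoformat(ts), ip, result

def registrations_per_hour(lines):
    """Map each hour ('YYYY-MM-DDTHH') to the list of source IPs seen."""
    per_hour = defaultdict(list)
    for line in lines:
        ts, ip, _ = parse_line(line)
        per_hour[ts.strftime("%Y-%m-%dT%H")].append(ip)
    return per_hour

def busiest_ip_count(lines):
    """Per-IP view: the most sign-ups any single address produced."""
    return max(Counter(parse_line(line)[1] for line in lines).values())

def spike_hours(lines, multiplier=3.0):
    """Aggregate view: hours whose sign-up count exceeds `multiplier` times
    the average of all earlier hours. Returns (hour, count, unique_ips).
    No per-IP state is needed, so proxyware rotation cannot hide the spike."""
    per_hour = registrations_per_hour(lines)
    alerts, history = [], []
    for hour in sorted(per_hour):
        count = len(per_hour[hour])
        if history and count > multiplier * (sum(history) / len(history)):
            alerts.append((hour, count, len(set(per_hour[hour]))))
        history.append(count)
    return alerts

if __name__ == "__main__":
    log = build_sample_log()
    print("busiest single IP:", busiest_ip_count(log))   # 6: below any sane per-IP cap
    print("spike hours:", spike_hours(log))               # the 40-account hour
```

The unique-IP count in each alert (40 of 40 here) is itself a useful signal: legitimate bursts usually repeat addresses, while proxyware-backed sign-ups rarely do.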

While this is still a niche and emerging threat, the potential for attack is massive. Network service companies will be exploring mitigation efforts, but do not expect an immediate solution. This is a challenge for all providers and for the cybersecurity posture at large.