Unsolvable Captcha

I Was a Human CAPTCHA Solver | F5 Labs

In our recent 2021 Credential Stuffing Report, we talked about the prevalence of credential stuffing attacks and the bot technology that attackers use. In my past life as a law enforcement and intelligence officer, I was often surprised by the innovation and maturity of the “businesses” and services that cybercrime entrepreneurs develop. As head of the Shape Intelligence Center, I continue to watch our adversaries evolve, and I like to see for myself how common tools and services used against our customers operate, when I can. One key service that cybercriminals use is CAPTCHA bypass. This is what I found when I went to work for a CAPTCHA-solving click farm.
What are CAPTCHAs?
Before diving into the details, let’s take a moment to review what CAPTCHAs are and how they work. CAPTCHA is a backronym for Completely Automated Public Turing test to tell Computers and Humans Apart. CAPTCHAs were first implemented in the late 1990s as a rudimentary reverse Turing test to help websites filter out growing volumes of problematic bot traffic. CAPTCHAs come in many forms including those shown in Figures 1 and 2.
Figure 1. An example of a traditional CAPTCHA.
Figure 2. A reCAPTCHA presents an “I’m not a robot” checkbox to the user. A challenge like the one on the upper right is triggered if Google reCAPTCHA thinks the user might be a bot.
CAPTCHA Solvers
CAPTCHAs provided a good defense against automated attacks when they were first introduced nearly two decades ago, presenting an obstacle that the early generations of bots couldn’t easily overcome. However, as bots evolved and started solving CAPTCHAs, the CAPTCHAs started to get even more complex and difficult for humans to solve, such as the CAPTCHA shown in Figure 3.
Figure 3. An actual but unsolvable CAPTCHA.
In 2013, Google researchers used Google’s deep convolutional neural network to solve the “hardest category of reCAPTCHA” and obtained 99.8% accuracy. Over the last 20 years, my success rate has hovered around 50-70% so now I become increasingly annoyed every time I encounter any form of CAPTCHA. Today, we’re at a point where bots solve CAPTCHAs more quickly and easily than most humans. The bots are not, however, using deep convolutional neural networks as Google did. They’re using third-party CAPTCHA solving services and applications instead, a few of which are highlighted in Figure 4.
Figure 4. A simple Google search turns up dozens of CAPTCHA solver services and apps.
While the variety of alternative ways to bypass CAPTCHA faster and more efficiently has grown in recent years, the original human click farm solution remains most accessible and popular. Aside from those who develop and run these services in the background, a human CAPTCHA solving service basically revolves around the human workers solving CAPTCHAs and the “customers” who purchase their output to keep their automation running on CAPTCHA-protected sites. To see firsthand how both sides of this business work, I signed up as both a solver and a customer with the Russian CAPTCHA solving company, 2Captcha.
The Mechanics of Using Solvers
So how does this process actually work? The steps below outline how an automated attack can leverage this human labor when required. In most cases, a diligent attacker will conduct reconnaissance on a target site ahead of time, during which CAPTCHA would be identified as a requirement. Once an account is created and set up (in this case, with 2Captcha), the general process is illustrated in Figure 5.
1. An attacker using a bot connects to a website that presents a CAPTCHA challenge.
2. The bot captures an image of the CAPTCHA and sends it to 2Captcha via 2Captcha’s API.
3. 2Captcha sends the image to one or more humans to solve.
4. 2Captcha sends the solved CAPTCHA back to the bot via the API.
5. The bot submits the correctly solved CAPTCHA to the website.
6. The website incorrectly categorizes the bot as human and allows it to proceed.
Figure 5. How CAPTCHA solver services use human labor to solve traditional CAPTCHAs.
For reCAPTCHAs that present an “I’m not a robot” checkbox on the target website (see animation in Figure 6), the process for circumventing the CAPTCHA is slightly different.
1. The bad actor’s bot uses 2Captcha’s API to instruct one of the human workers to visit the target website and manually check the “I’m not a robot” checkbox themselves to solve the CAPTCHA.
2. The human solver gets a token for the solved CAPTCHA (because they are human).
3. 2Captcha passes the token to the bad actor’s bot via the API.
4. The bad actor’s bot submits the valid token to the target website.
All these steps can be done through a proxy, so the process is completely transparent to the website.
Figure 6. How CAPTCHA solver services use human labor to solve ReCAPTCHAs.
As Figures 5 and 6 illustrate, CAPTCHA solver services have made it possible for attackers to completely circumvent CAPTCHAs, including Google’s latest version called CAPTCHA Enterprise (not shown here).
The Business of Human CAPTCHA Solvers
In many respects, CAPTCHA solver services operate like any legitimate enterprise, and they are clearly in business to make a profit. While the fees they charge “customers” (attackers) might be considered reasonable, the business model is weighted heavily against CAPTCHA solvers. And with relatively low overhead, the profit margin is attractive.
Isn’t this illegal? Not really. Solving a CAPTCHA isn’t the same as hacking a server or taking over an account. It may be a violation of a site’s terms of service, and it may enable a criminal act (e.g., credential stuffing), but the user of the service is the perpetrator, while the service itself can claim ignorance of its customers’ intentions. Even so, many of these companies are located overseas; 2Captcha, for example, is hosted in Russia.
How Much Does the Service Cost?
2Captcha charges customers different rates depending on the type of solved CAPTCHAs they want to purchase. Traditional CAPTCHAs cost customers $0.75 per 1,000. In comparison, solved reCAPTCHAs cost customers $2.99 per 1,000—almost four times as much as traditional CAPTCHAs (see Figure 7).
Figure 7. “Customers” (attackers) pay almost 4 times as much for solved reCAPTCHAs as traditional CAPTCHAs.
Notice the additional stats shown in Figure 7: solving speed, service load, and workers online. This is valuable data for the customers paying these rates and making purchasing decisions, and it is updated in near real time.
I Became a Human CAPTCHA Solver
Getting started as a human CAPTCHA solver is one of the easiest things I’ve ever done. I set up an account as a solver (and a customer) simply by providing an email alias. The website has a very user-friendly, intuitive interface with step-by-step instructions, tutorials, and tips for solving CAPTCHAs. After exploring the site a bit, I began the training.
My Training as a Solver
Figure 8 shows an example of the training for solving traditional CAPTCHAs. Sample CAPTCHAs are shown on the left, the correct answers in the middle, and descriptions on the right. It’s evident that the support pages are not written by a native English speaker, but the instructions and execution were simple enough and I quickly improved my solve rates and speed. What’s also interesting is what is written at the top of Figure 8. It appears 2Captcha recruits human CAPTCHA solvers by claiming that solving CAPTCHAs is “helping them to quickly introduce and teach English.” It’s not exactly clear what that means, but it appears to claim that solving CAPTCHAs all day long will help a non-English speaker learn English.
Figure 8. Detailed training for solvers provides examples and tips for solving traditional CAPTCHAs.
Figure 9 shows a similar example of the training for reCAPTCHA. Again, the instructions are a bit cryptic, but plenty of examples are provided for workers to become proficient.
Figure 9. Detailed training for solvers provides examples and tips for solving reCAPTCHAs.
The Work of CAPTCHA Solving
The actual work of solving CAPTCHAs is pretty tedious, as you might expect. In Figure 10, I’m solving a traditional CAPTCHA. Notice in this session, I had solved 22 CAPTCHAs and had earned only $US 0.00665.
Figure 10. While solving a traditional CAPTCHA, the screen displays my current earnings and the number of CAPTCHAs solved.
As soon as I press Enter for this CAPTCHA, another CAPTCHA appears for me to solve, shown in Figure 11. Now I’ve solved 23 CAPTCHAs in this session, and I’ve earned $US 0.00695.
Figure 11. My earnings for solving one additional CAPTCHA have increased by only $US 0.00030.
As workers solve more CAPTCHAs and become more proficient, they receive tiny incremental pay raises. “Proficient” here is a reflection of shorter lag time between keystrokes; pay rate is not based solely on the total number of CAPTCHAs solved. Workers who are too slow or provide too many incorrect answers run the risk of being booted out of the system—even a shady clientele expects reliable service.
Getting Paid as a Solver
2Captcha’s going rate for solvers (as of April 2021) was $US 0.30 per 1,000 traditional CAPTCHAs and $US 1.01 for 1,000 reCAPTCHAs (see Figure 12). At these rates, solvers working 11 hours a day non-stop—which is entirely unrealistic—would make only $1.20/day for traditional CAPTCHAs. For reCAPTCHAs, which take roughly twice as long to solve, solvers would still make only $2.02 working an 11-hour day.
Figure 12. Workers solving CAPTCHAs make a small fraction (4% for traditional; 3.4% for reCAPTCHAs) of what 2Captcha charges its customers.
Solvers have a wide range of choices for receiving payment from 2Captcha (see Figure 13). Notice the minimum withdrawal amounts vary by payment service.
Figure 13. CAPTCHA solvers can receive payment through a variety of online payment services.
2Captcha Doesn’t Skimp on Support
Perhaps surprisingly, shady services of many kinds are often known for providing excellent customer support. 2Captcha is no exception. In addition to the user-friendly interface and the abundance of training materials, 2Captcha provides extensive support pages and FAQs (see Figure 14) for both workers and customers. Some solver companies even provide telephone support.
Figure 14. Example of 2Captcha’s FAQ page for workers. A similar page is available for “customers.”
2Captcha customers get their own set of instructions and FAQ pages. The example shown in Figure 15 provides a detailed description of Google’s most recent version of CAPTCHA, reCAPTCHA Enterprise, and instructions for how to use 2captcha to beat it.
Figure 15. A support page with detailed description of Google’s latest version of CAPTCHA, reCAPTCHA Enterprise
Conclusion
So, that is what the job of a CAPTCHA solver is like—and sadly, it’s a real source of income for many people around the world. Solver services like this one are convenient and widely used by attackers. As a result, CAPTCHAs are only a speed bump for motivated attackers while introducing considerable friction for legitimate customers. Despite this, many companies still rely on them, and some subject their customers to a CAPTCHA for every significant interaction. Cybercriminals and the parallel economies which cater to them are always innovating and evolving past defenses, and versions of CAPTCHA have been with us now for nearly two decades, frustrating legitimate users without providing meaningful barriers to the bots that have adapted to overcome them.
What to Do When CAPTCHAs Won't Work - LiveAbout

How to Deal With Invalid CAPTCHA Codes
CAPTCHAs are distorted letters and numbers that aim to block bots and scripts from submitting forms online. This is a benefit for real people who want to enter sweepstakes, because it helps prevent cheaters from entering.
However, bots become more adept at deciphering CAPTCHAs over time, which means programmers have to make CAPTCHAs increasingly difficult to read. And that can make entering a form frustrating for real humans as well.
Luckily, there are some strategies that can help. Try these tips if you can’t get a CAPTCHA code to work.
If at First You Don’t Succeed, Load, Load Again
If your CAPTCHA isn’t being accepted, the problem might not be with your reading or your typing; the code may simply have expired. If you didn’t submit your entry form right away, your CAPTCHA might be invalid.
For example, a strategy to enter sweepstakes faster is to open several entry forms at the same time, fill them out, and submit them one after another. But when you do this, it can take a while to actually fill out the entry form.
Many CAPTCHAs have an anti-hacking feature that causes them to expire after a few minutes. This prevents hackers from, say, sending the CAPTCHA image to a CAPTCHA mill service, where low-wage workers crack the code and send it back to a hacker.
To see if this is the problem, try reloading the page to get a new code, then fill out and submit the form right away.
Llamas, Iguanas, and the Number 1
Depending on the font a CAPTCHA uses, a lower-case “l” as in “llama” can look exactly the same as an uppercase “I” as in “Iguana”, or even the number “1.” Confusion between these three characters could be the reason why you can’t get the CAPTCHA to work properly.
If your CAPTCHA won’t submit, check for these symbols. If it contains one of them, try the other possibilities.
O, Those Zeros
It can be very difficult to tell the difference between an uppercase letter “O” as in “Ocean” and the numeral “0” or zero. This is especially true when the CAPTCHA has distorted the characters.
If you’ve been trying the letter O or the number zero and the CAPTCHA won’t go through, try the other option.
Forget 2, 4 the Problem’s 6 and 8
The numbers “6” and “8” are clearly different, right? Well, they are until CAPTCHAs put squiggly lines behind them to confuse automatic image readers. One of those squiggles could easily make it hard to tell the difference between the two numerals.
Squiggles can confuse many other characters as well. Depending on placement and font, a “c” can look like an “o,” an “o” can look like an “a,” and other characters can be hard to distinguish.
If your CAPTCHA is being rejected, take a close look to make sure that your eyes aren’t being thrown off by background graphics.
A Case of the Wrong Case
Some CAPTCHAs don’t care if the letters you enter are upper or lowercase, but others are case-sensitive. That means that your shift key might be the reason why your CAPTCHA isn’t going through.
If the CAPTCHA shows both upper and lowercase letters, be sure to enter your characters exactly as displayed. If all of the letters have the same case, you might be able to enter it either way, but if your entry is refused, try typing it exactly as it’s shown.
When Case Sensitivity Is Too Sensitive
Of course, case-sensitive CAPTCHAs open the door for even more confusing letters. For example, an uppercase “O” can look a lot like a lowercase “o” when letters are different sizes, and the same with “C” and “c.”
If your CAPTCHA is being stubborn, try changing the case of letters that look the same in upper- and lower-case to see if it helps.
When the Eyes Don’t Have It
One of the drawbacks of CAPTCHAs is that they are difficult for people with visual impairments to use. To get around this problem, some sweepstakes offer an audio version of their captchas.
If this is an option, try listening to a hard-to-enter code. Look for a small speaker symbol near the CAPTCHA to turn on audio mode. It’s often easier to hear the code than to read it.
Use a CAPTCHA Solver
Some companies offer software to solve the problem of difficult CAPTCHAs. If you are getting too frustrated with trying to solve them yourself, try an extension. For some suggestions, check out 4 Extensions to Auto Solve and Bypass CAPTCHA.
There’s No Shame in Admitting Defeat
If you’re still having trouble with a CAPTCHA, you don’t have to let it drive you crazy. Instead, try reloading it to get a different code that might be easier to decipher.
You can usually do this by reloading the page in your browser. Some entry forms also offer the option to click on the code or press a reload button to get an easier-to-read captcha.
Don’t Get Frustrated!
When you enter sweepstakes, annoying CAPTCHAs are just one of the frustrations you might face. Remember, being a winner is a marathon, not a sprint. Be patient and persistent and the prizes will come!
How to bypass CAPTCHAs easily using Python and other methods

Internet service providers generally face the risk of authentication-related attacks, spam, Denial-of-Service attacks, and data mining bots. Completely Automated Public Turing test, to tell Computers and Humans apart, popularly known as CAPTCHA, is a challenge-response test created to selectively restrict access to computer systems. As a type of Human Interaction Proof, or a human authentication mechanism, CAPTCHA generates challenges to identify users. In essence, a CAPTCHA test can tell machines/ computers and humans apart. This has caused a heightened adoption of CAPTCHAs across various online businesses and services.
The concept of CAPTCHA depends on human sensory and cognitive skills. These skills enable humans to read a distorted text image or choose specific images from several different images. Generally, computers and computer programs such as bots are not capable of interpreting a CAPTCHA as they generate distorted images with text or numbers, which most Optical Character Recognition (OCR) technologies fail to make sense of. However, with the help of Artificial Intelligence, algorithms are getting smarter and bots are now capable of cracking these tests. For instance, there are bots that are capable of solving a text CAPTCHA through letter segmentation mechanisms. That said, there aren’t a lot of automated CAPTCHA solving algorithms available.
This article outlines the various methods of generating and verifying CAPTCHAs, their application, and multiple ways to bypass CAPTCHAs.
Reasons for using CAPTCHA
Web developers deploy CAPTCHAs on websites to ensure that they are protected against bots. CAPTCHAs are generally used to prevent:
Bots from registering for services such as free email.
Scraper bots from gathering your credentials or personal information, upon logging in or while making online payments.
Bots from submitting online responses.
Brute-force bot attacks.
Search engine bots from indexing pages with personal/ sensitive information.
General flow of CAPTCHA generation and verification
The image below represents the common method of generating and verifying CAPTCHAs:
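The generate-then-verify flow, together with the expiry behaviour described earlier on this page, as an added server-side example (not code from the original article). The function names, the 120-second lifetime, the in-memory nonce set and the session IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # server-side only; generated here for the example
TTL_SECONDS = 120                     # assumed lifetime ("a few minutes" in the text above)
_used_nonces = set()                  # assumption: production would use a shared store with expiry

# Alphabet omits I/L/1 and O/0, the look-alike characters users most often mistype.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def _mac(nonce, issued_at, session_id, answer):
    # Bind the answer to one nonce, one issue time and one session.
    # Upper-casing makes verification case-insensitive.
    msg = "|".join([nonce, str(issued_at), session_id, answer.upper()]).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(session_id, now=None):
    """Return (answer, token). The answer is rendered as an image and never
    sent as text; only the token travels with the form."""
    now = int(time.time() if now is None else now)
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    nonce = secrets.token_hex(16)
    token = f"{nonce}.{now}.{_mac(nonce, now, session_id, answer)}"
    return answer, token


def verify_response(session_id, token, typed, now=None):
    """Return (ok, reason) for a submitted answer."""
    now = int(time.time() if now is None else now)
    try:
        nonce, issued_s, mac = token.split(".")
        issued_at = int(issued_s)
    except ValueError:
        return False, "malformed"
    if issued_at > now or now - issued_at > TTL_SECONDS:
        return False, "expired"
    if nonce in _used_nonces:
        return False, "replayed"
    _used_nonces.add(nonce)  # burn on first attempt, right or wrong
    expected = _mac(nonce, issued_at, session_id, typed.strip())
    if not hmac.compare_digest(expected, mac):
        return False, "wrong-answer-or-session"
    return True, "ok"


if __name__ == "__main__":
    answer, token = issue_challenge("sess-A", now=1000)   # constructed session and clock
    print(verify_response("sess-A", token, answer.lower(), now=1030))
    print(verify_response("sess-A", token, answer, now=1031))
```

Expiry, single use and session binding narrow the window in which an answer is accepted, but an answer returned inside the lifetime from the same session still verifies, which is the limitation the solver-service account above describes.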
Application of different types of CAPTCHA and how to bypass them
I. reCAPTCHA and the protection of websites
Google reCAPTCHA is a free service offered to prevent spam and abuse of websites. It uses advanced risk analysis techniques and allows only valid users to proceed.
Process flow diagram of Google reCAPTCHA
How to bypass reCAPTCHA?
Verification using browser extensions
Browser extensions such as Buster help solve CAPTCHA verification challenges. Buster, for instance, uses speech recognition software to bypass reCAPTCHA audio challenges. reCAPTCHA allows users to download audio files. Once it is downloaded, Google’s own Speech Recognition API can be used to solve the audio challenge.
CAPTCHA solving services
Online CAPTCHA solving services offer human based services. Such services involve actual human beings hired to solve CAPTCHAs.
II. Real person CAPTCHA and automated form submissions
The jQuery real person CAPTCHA plugin prevents automated form submissions by bots. These plugins offer text-based CAPTCHAs in a dotted font. This solves the problem of fake form submissions.
How to bypass real person CAPTCHA?
The following steps can be used to solve real person CAPTCHAs:
A. Create data set
In this one-time process:
Collect texts from real person HTML tags
Group the texts based on the words
Create data set model for A-Z words (training data)
B. Testing to predict the solutions
After successfully completing process A, set up a process to:
Fetch the word from the data set model created in process A.
Example:
from selenium import webdriver
from selenium.webdriver.common.by import By
import time

# Column-wise dot patterns for each letter. Keys must match the text the
# plugin renders exactly, including every space.
dataset = {' * * * * * ******* ': 'J',
           '******* * * * * * *': 'L',
           '******** * ** * ** * ** * ** * * ** ** ': 'B',
           '* * * **** * * * ': 'Y',
           '* * * ******** * * ': 'T',
           ' ***** * ** ** ** ** * * * ': 'C',
           '******** * ** * ** * ** ** ** *': 'E',
           '******** ** ** ** ** * ***** ': 'D',
           '* ** ** ********* ** ** *': 'I',
           ' ***** * ** ** ** ** * ***** ': 'O',
           '******* * * * * * *******': 'M',
           '******* * * * * * *******': 'N',
           '******** * * * * * * * * ': 'F',
           ' ** * * * ** * ** * ** * ** * * * ** ': 'S',
           ' ***** * ** ** ** * ** * **** *': 'Q',
           '******* * * * * * * * * * * *': 'K',
           ' ** ** ** * * * ** * ** **': 'A',
           '****** * * * * ******* ': 'U',
           '******* * * * * * *******': 'H',
           '** ** ** * ** ** ** ': 'V',
           '* ** *** * ** * ** * *** ** *': 'Z',
           '******** * * * * * * * * * ** ': 'P',
           '* * * * * * * * * * * * *': 'X',
           ' ***** * ** ** ** * ** * * * ** ': 'G',
           '******** * * * * * * ** * * * ** *': 'R',
           '******* * * * * * *******': 'W'}


def group_captcha_string(word_pos):
    """Read the rendered rows column by column and split them into letters."""
    captcha_string = ''
    for i in range(len(word_pos[0])):
        temp_list = []
        temp_string = ''
        for j in range(len(word_pos)):
            val = word_pos[j][i]
            temp_string += val
            if val.strip():
                temp_list.append(val)
        if temp_list:
            # column contains at least one dot: part of a letter
            captcha_string += temp_string
        else:
            # empty column: separator marker
            captcha_string += 'sp'
    # two consecutive empty columns separate letters
    return captcha_string.split("spsp")


# create client (any Selenium WebDriver works)
client = webdriver.Chrome()
client.get("<URL of the page with the realperson form>")  # placeholder
time.sleep(3)

# indexing text
_get = lambda _in: {index: val for index, val in enumerate(_in)}

# get text from html tag, one string per rendered row
captcha = client.find_element(By.CSS_SELECTOR, 'form [class="realperson-text"]').text.split('\n')
word_pos = list(map(_get, captcha))

# group text
text = group_captcha_string(word_pos)

# get text (test)
captcha_text = ''.join(list(map(lambda x: dataset[x] if x else '', text)))
print("captcha:", captcha_text)
III. Text-in-image CAPTCHA
Text-based/ text-in-image CAPTCHAs are the most commonly deployed kind and they use distorted text rendered in an image. There are two types of text-based CAPTCHAs:
Simple CAPTCHA
Simple CAPTCHAs can be bypassed using the Optical Character Recognition (OCR) technology that recognizes the text inside images, such as scanned documents and photographs. This technology converts images containing written text into machine-readable text data.
import argparse
from subprocess import check_output

import pytesseract
from PIL import Image


def resolve(path):
    print("Resampling the Image")
    # ImageMagick 'convert' resamples the image in place before OCR
    check_output(['convert', path, '-resample', '600', path])
    return pytesseract.image_to_string(Image.open(path))


if __name__ == "__main__":
    argparser = argparse.ArgumentParser()
    argparser.add_argument('path', help='Captcha file path')
    args = argparser.parse_args()
    path = args.path
    print('Resolving Captcha')
    captcha_text = resolve(path)
    print('Extracted Text', captcha_text)
# command to run script
python3
Complicated CAPTCHA
These text-in-image CAPTCHAs are too complex to be solved using the OCR technology. Instead the following measures can be considered:
Build machine learning models such as Convolutional Neural Network (CNN) or Recurrent Neural Network (RNN)
Resort to CAPTCHA solving services
IV. Sum of integers or logical operations
This unique challenge involves solving mathematical problems, particularly, finding the sum of integers.
To bypass this challenge, one can:
Extract text from HTML tags or images
Identify the operator
Perform the logic
Get the result
V. Mitigating DDoS attacks using CAPTCHAs
In distributed denial-of-service attacks, cyber criminals target network resources and render them inaccessible to users. These attacks temporarily or indefinitely slow down the target resource by flooding it with incoming traffic from several hosts. To prevent such attacks, businesses use CAPTCHAs.
The following methods or programs can be used to bypass DDoS protected sites:
JavaScript supported browsers (Chrome/ Firefox)
Deriving logic to generate DDoS answers
Fetch the DDoS problem on the site and execute it using
Senior Software Engineer
He is a Senior Software Engineer working as a part of the Data Acquisition team at CloudSEK. In his role, he is responsible for writing reusable codes and scalable web crawlers for XVigil. In his spare time, Sellamani loves to take on new challenges and find solutions to real-time problems.

Frequently Asked Questions about unsolvable captcha

Why do I keep failing CAPTCHA?

If your CAPTCHA isn’t being accepted, the problem might not be with your reading or your typing; the code may simply have expired. If you didn’t submit your entry form right away, your CAPTCHA might be invalid. (May 30, 2021)

Can CAPTCHA be bypassed?

Simple CAPTCHAs can be bypassed using the Optical Character Recognition (OCR) technology that recognizes the text inside images, such as scanned documents and photographs. This technology converts images containing written text into machine-readable text data.

How do I fix the CAPTCHA image problem?

We recommend you first delete your browser cookies and try registering again. If the problem persists, we recommend you upgrade your browser to the latest version or change the browser. We recommend Mozilla Firefox.
