Trend Micro analysts described several services that offer CAPTCHA solving to cybercriminals. According to the researchers, these services often do not use advanced character recognition or machine learning methods; instead, the CAPTCHAs are simply solved by real people.
Let me remind you that we also wrote that "CAPTCHA in Discord Asks Users to Find Non-Existent Objects Created by AI", and also that "GPT-4 Tricked a Person into Solving a CAPTCHA for Them by Pretending to Be Visually Impaired".
[Image: Advertisement for one of the services]
Such services work by delegating customer requests to their human CAPTCHA solvers and then sending the results back to the customers. This is implemented through two APIs: one to submit a CAPTCHA and a second to retrieve the result.
In addition, attackers have been observed buying CAPTCHA cracking services and combining them with proxyware to hide the original IP address and bypass anti-bot filters. For example, in one case, a CAPTCHA cracking service was used against the popular marketplace Poshmark, and the task requests coming from the bot were sent through a proxyware network.
[Image: Resources that CAPTCHA solving services most often attack]
As a result, Trend Micro recommends that administrators complement CAPTCHA and IP blocking with other protections against attacks and abuse.
By the way, the media write: "CAPTCHA is Becoming Obsolete. What Will Take Its Place?"