The Evolution of Bots Forging CAPTCHAs, a Firsthand Report – Security Boulevard

Posted: August 23, 2022 at 12:09 am

As of August 2022, DataDome's CAPTCHA has been used in production for several weeks with ~30 customers, mostly e-commerce websites and mobile applications. Let's explore what we observed in the weeks following the deployment of our CAPTCHA on highly targeted websites and mobile applications.

Each time we switched a customer to our CAPTCHA, we observed a significant drop in CAPTCHA-passing attempts coming from bots. This makes sense, given that bot developers need to update their bots (update the CSS selectors, etc.) to properly interact with our new CAPTCHA. However, we noticed that the decrease remained stable even a month later.

Malicious CAPTCHA forging attempts over time: We observe a significant drop following the activation of the DataDome CAPTCHA.

Our hypothesis, based on the data we collect, is that a majority of bot developers rely on popular open source projects and off-the-shelf tools (CAPTCHA farms) to forge CAPTCHAs. Thus, as long as the easily available tools don't offer any option to solve the DataDome CAPTCHA, we expect the number of malicious CAPTCHA-passing attempts to remain lower than before.

The first forging attempts appeared between 6 hours and ~2 weeks after the switch, depending on the website or mobile application.

The fastest attempt to forge the CAPTCHA (6 hours after implementation) happened on a popular e-commerce platform heavily targeted by distributed scrapers. Six hours after switching to the new CAPTCHA, we detected bots trying to submit CAPTCHA challenges, though they were blocked for several reasons (such as inconsistent browser fingerprints linked to instrumentation frameworks and other bad behaviors). That's how fast attackers will adapt to try to obtain data.

The good news is that, since DataDome's primary purpose is to protect websites and mobile apps against fraudulent traffic, we're used to continuously finding new bot signals and improving our ML models to stay ahead of bots. We've been doing it for years to improve our real-time detection engine, and now the same work also continues to strengthen our CAPTCHA.

Audio API: First, we observed evidence of a known issue: accessibility vs. security. We know that audio CAPTCHAs are exploited more often than their image-based counterparts, and this was also evident with our CAPTCHA. However, with behavioral and fingerprinting signals, we can still invalidate a forged CAPTCHA, even when the response to the challenge is correct.

Non-Modified Puppeteer: Puppeteer is a popular automation framework for instrumenting (headless) Chrome. It's no surprise that we encounter it frequently among bots that try to forge our CAPTCHA. Bots use the standard APIs provided by Puppeteer to mimic mouse movements and clicks. However, the resulting behavior deviates from that of legitimate users, which, combined with fingerprinting signals, allows us to invalidate CAPTCHAs passed by Puppeteer.

Puppeteer Extra Stealth: Puppeteer Extra Stealth is a popular bot automation framework that adds a layer of features on top of Puppeteer. Its API is compatible with Puppeteer, but it includes features to spoof your fingerprint and simple integrations with CAPTCHA farm APIs, such as 2Captcha. The stealth plugin is popular among bot developers and bots-as-a-service (BaaS) operators.

As with plain Puppeteer, our CAPTCHA collects behavioral and fingerprinting signals that enable us to invalidate CAPTCHAs passed by Puppeteer Extra Stealth bots, even if they submit a CAPTCHA with a valid response.
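The three paragraphs above (audio API, non-modified Puppeteer, Puppeteer Extra Stealth) share one point: a correct challenge response is not sufficient, because the server also weighs behavioral telemetry before accepting the CAPTCHA. The following is an added example, not DataDome's code and not a description of its actual signals: a toy server-side verdict function in Node.js that combines the submitted answer with one illustrative behavioral heuristic computed from the client's mouse-move telemetry. The heuristic (how straight the path is, how uniform the step lengths are, how regular the timestamps are) and its thresholds are assumptions chosen for illustration; the two telemetry traces are constructed, the synthetic one shaped like the output of a linear-interpolation automation API such as Puppeteer's `page.mouse.move` with a fixed `steps` count.

```javascript
// Added example (not DataDome's code): a toy server-side CAPTCHA verdict that
// combines the challenge answer with a behavioral signal computed from the
// mouse-move telemetry the client-side script would report. The heuristic and
// its thresholds are assumptions for illustration, not DataDome's signals.

// Constructed human-like trace: slightly curved path, uneven step lengths,
// jittery timestamps (t in milliseconds since the challenge was shown).
const HUMAN_TRACE = [
  { x: 120, y: 300, t: 0 }, { x: 131, y: 294, t: 21 }, { x: 149, y: 281, t: 38 },
  { x: 172, y: 269, t: 71 }, { x: 201, y: 258, t: 89 }, { x: 238, y: 251, t: 122 },
  { x: 270, y: 248, t: 139 }, { x: 301, y: 246, t: 170 }, { x: 318, y: 247, t: 203 },
];

// Constructed synthetic trace of the kind a linear-interpolation automation API
// produces (e.g. Puppeteer's page.mouse.move with a fixed `steps` count):
// straight line, identical step lengths, perfectly regular timing.
function linearTrace(from, to, steps, dtMs) {
  const pts = [];
  for (let i = 0; i <= steps; i++) {
    pts.push({
      x: from.x + ((to.x - from.x) * i) / steps,
      y: from.y + ((to.y - from.y) * i) / steps,
      t: i * dtMs,
    });
  }
  return pts;
}
const SYNTHETIC_TRACE = linearTrace({ x: 100, y: 100 }, { x: 400, y: 250 }, 10, 16);

// Coefficient of variation (standard deviation / mean); 0 when all values match.
function cv(values) {
  const mean = values.reduce((a, b) => a + b, 0) / values.length;
  if (mean === 0) return 0;
  const variance = values.reduce((a, b) => a + (b - mean) ** 2, 0) / values.length;
  return Math.sqrt(variance) / mean;
}

// Three scale-free features of a trace; each is 0 for a perfectly regular one.
function traceFeatures(trace) {
  const first = trace[0];
  const last = trace[trace.length - 1];
  const dx = last.x - first.x;
  const dy = last.y - first.y;
  const chord = Math.hypot(dx, dy) || 1;
  const steps = [];
  const dts = [];
  let maxDeviation = 0;
  for (let i = 1; i < trace.length; i++) {
    const p = trace[i];
    const q = trace[i - 1];
    steps.push(Math.hypot(p.x - q.x, p.y - q.y));
    dts.push(p.t - q.t);
    // Perpendicular distance of p from the chord joining first and last point.
    const dev = Math.abs(dx * (p.y - first.y) - dy * (p.x - first.x)) / chord;
    if (dev > maxDeviation) maxDeviation = dev;
  }
  return { straightness: maxDeviation / chord, stepCv: cv(steps), timingCv: cv(dts) };
}

// Assumed thresholds: a trace this regular on all three axes is treated as scripted.
const THRESHOLDS = { straightness: 0.01, stepCv: 0.05, timingCv: 0.05 };

function looksSynthetic(trace) {
  const f = traceFeatures(trace);
  return (
    f.straightness < THRESHOLDS.straightness &&
    f.stepCv < THRESHOLDS.stepCv &&
    f.timingCv < THRESHOLDS.timingCv
  );
}

// Server-side verdict: a correct answer alone is not enough to pass.
function verifyCaptcha(submission, expectedAnswer) {
  if (submission.answer !== expectedAnswer) {
    return { pass: false, reason: 'wrong_answer' };
  }
  if (!Array.isArray(submission.trace) || submission.trace.length < 3) {
    // A submission with no movement history at all is a signal on its own.
    return { pass: false, reason: 'insufficient_telemetry' };
  }
  if (looksSynthetic(submission.trace)) {
    return { pass: false, reason: 'synthetic_mouse_trace' };
  }
  return { pass: true, reason: 'ok' };
}

// Demo with a constructed expected answer: the second call has the right
// answer but is invalidated on the behavioral signal.
console.log(verifyCaptcha({ answer: 'k7p2', trace: HUMAN_TRACE }, 'k7p2'));
console.log(verifyCaptcha({ answer: 'k7p2', trace: SYNTHETIC_TRACE }, 'k7p2'));
```

In a real deployment the features would be one input among many (fingerprint consistency, timing between challenge display and submission, request-level reputation) feeding a model rather than a hard-coded rule, and the thresholds would be tuned against real traffic; the point of the toy is only the structure of the decision, where `wrong_answer` and `synthetic_mouse_trace` are both rejections even though the second one carried a valid response.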

Users With 2Captcha Extension: Our CAPTCHA's client-side JavaScript code has also detected the presence of instrumented browsers that use the 2Captcha auto-solver browser extension. However, it doesn't help bots, because 2Captcha doesn't support any integration for our CAPTCHA. It only makes it easier for us to invalidate forged CAPTCHAs.

So far, we don't see a significant volume of Selenium-based bots attempting to forge the DataDome CAPTCHA.

The graph below shows the evolution of bot forging attempts on DataDome's CAPTCHA. We see that bots try to adapt more and more over time as we protect more websites and mobile applications with DataDome's CAPTCHA.

In total, the graph shows more than 1.37M malicious CAPTCHA-passing attempts stopped before the bots could go any further.
