Google this week has rolled out its latest version of the reCAPTCHA mechanism, which is meant to weed out spam and abuse by robots on websites. It marks a dramatic departure from previous reCAPTCHA efforts by eliminating the need for visitors to take any extra steps in order to log onto a website or proceed past a homepage.
CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart,” and reCAPTCHA is Google’s proprietary version. Old-school reCAPTCHAs consisted of distorted text ciphers and picture-matching puzzles that website visitors were asked to solve in order to prove they’re human. This was often challenging for real humans, especially those with sight impairments, so Google has evolved the reCAPTCHA mechanism over the last four years or so. Now it simply asks site visitors to check a box that says, “I’m not a robot.”
reCAPTCHA v3 aims to further reduce user-experience “friction” when visiting sites, by using behavioral analysis to return a score for each visitor that determines how suspicious an interaction is. Websites can then use this to make a decision about whether or not to allow the visitor to continue onto the site without a challenge.
“We are fundamentally changing how sites can test for human vs. bot activities, by returning a score…and eliminating the need to interrupt users with challenges at all,” said Wei Liu, Google’s product manager for reCAPTCHA, in a blog post on Monday. “reCAPTCHA v3 runs adaptive risk analysis in the background to alert you of suspicious traffic while letting your human users enjoy a frictionless experience on your site.”
Liu didn’t elaborate on what actions reCAPTCHA would consider suspicious – presumably things such as the character of mouse movements or the speed of clicking behavior. In the past, Google has also examined IP addresses and cookies to match the user with other interactions elsewhere on the web – the longer the history, the more likely the user is to be a real person. Threatpost reached out to Google and will update this post with any further insight.
Google noted that websites can use the score in three potential ways. The easiest is to simply set an automatic threshold that determines when a user is let through. If a visitor falls below the threshold, further verification can be implemented, such as two-factor authentication or phone verification. Multiple thresholds also can be set in order to customize the actions that occur for different types of traffic.
Websites can also integrate reCAPTCHA v3 into their own code. For instance, they can combine the score with information from user profiles or transaction histories to make a decision. Or, they could use the reCAPTCHA score as one of the signals to train a machine learning model to fight abuse.
A further feature in reCAPTCHA v3 is called “Action.” By implementing reCAPTCHA v3 on multiple website pages, the risk analysis can run in the context of how a user behaves across the site.
“In this way, the reCAPTCHA adaptive risk analysis engine can identify the pattern of attackers more accurately by looking at the activities across different pages on your website,” Liu said.
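As an added illustration, not Google’s code and not part of the original article, the following server-side policy applies the multi-threshold approach described above to a parsed reCAPTCHA v3 siteverify response, and also checks the “action” so a token minted on one page cannot be reused for another. The threshold values, the expected action name and hostname are assumptions, and the sample responses are constructed.

```python
import json
import urllib.parse
import urllib.request

# Assumed policy values (not from Google; tune per site and per action).
ALLOW_AT = 0.7    # score at or above this: let the request through
STEP_UP_AT = 0.3  # between STEP_UP_AT and ALLOW_AT: require 2FA / phone check
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_assessment(secret: str, token: str) -> dict:
    """POST the client token to Google's siteverify endpoint (network call)."""
    body = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def decide(assessment: dict, expected_action: str, expected_host: str) -> str:
    """Map a siteverify response to 'allow', 'step_up' or 'block'.

    Besides the score, the action and hostname are checked so that a token
    issued on a low-risk page (or on another site) is not accepted for a
    sensitive action such as login.
    """
    if not assessment.get("success"):
        return "block"  # invalid, expired or already-used token
    if assessment.get("action") != expected_action:
        return "block"
    if assessment.get("hostname") != expected_host:
        return "block"
    score = float(assessment.get("score", 0.0))
    if score >= ALLOW_AT:
        return "allow"
    if score >= STEP_UP_AT:
        return "step_up"  # ask for further verification, e.g. 2FA
    return "block"


# Constructed sample responses in the siteverify JSON shape (assumed values).
SAMPLES = {
    "human": {"success": True, "score": 0.9, "action": "login",
              "hostname": "example.com"},
    "unsure": {"success": True, "score": 0.4, "action": "login",
               "hostname": "example.com"},
    "bot": {"success": True, "score": 0.1, "action": "login",
            "hostname": "example.com"},
    "wrong_action": {"success": True, "score": 0.9, "action": "homepage",
                     "hostname": "example.com"},
    "bad_token": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:13s} -> {decide(sample, 'login', 'example.com')}")
```

Only `decide` runs offline; `fetch_assessment` needs the site’s secret key and a live token from the client-side reCAPTCHA script.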
The change also helps thwart cybercriminals who are increasingly looking to find ways to defeat reCAPTCHA through artificial intelligence. It’s one thing for an AI to be able to decipher distorted text – it’s another to mimic real human surfing behavior, especially over multiple pages.
Google’s announcement is also timely. Given that CAPTCHA is a vital tool for fending off automated web scraping, DDoS attacks, fraudulent event ticket purchases and more, bypassing it is always a topic of interest on the underground; but Flashpoint analysts said this past week that they’ve observed an uptick in discussions around CAPTCHA bypass among threat actors on English-language Dark Web sites.
On one entry-level, English-language, black-hat search engine optimization (SEO) forum, researchers saw someone ask about the efficacy of fooling CAPTCHAs by using Python and Selenium scripts.
“Members responded with varying advice and suggested tactics,” the team noted in a posting last week. “Common recommendations shared among threat actors included the use of various open-source and legitimate CAPTCHA bypass services, most of which are designed to aid individuals who are visually impaired or have dyslexia.”
Analysts also observed advertisements for two illicit tools to carry out the bypass.
“The first tool appears to be a stolen copy of a social-media marketing software that automates adding friends, while the second is a type of SEO software frequently abused by threat actors in order to spam internet forums and comments sections,” researchers said. “The second tool claims to be able to ‘decode’ more than 400 types of CAPTCHA in its default form, and can purportedly decode even more types with the use of a separately sold plugin.”