In our recent 2021 Credential Stuffing Report, we talked about the prevalence of credential stuffing attacks and the bot technology that attackers use. In my past life as a law enforcement and intelligence officer, I was often surprised by the innovation and maturity of the "businesses" and services that cybercrime entrepreneurs develop. As head of the Shape Intelligence Center, I continue to watch our adversaries evolve, and I like to see for myself how common tools and services used against our customers operate, when I can. One key service that cybercriminals use is CAPTCHA bypass. This is what I found when I went to work for a CAPTCHA-solving click farm.
What are CAPTCHAs?
Before diving into the details, let’s take a moment to review what CAPTCHAs are and how they work. CAPTCHA is a backronym for Completely Automated Public Turing test to tell Computers and Humans Apart. CAPTCHAs were first implemented in the late 1990s[1] as a rudimentary reverse Turing test to help websites filter out growing volumes of problematic bot traffic. CAPTCHAs come in many forms including those shown in Figures 1 and 2.
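To make the "reverse Turing test" concrete, here is an added example (not code from the original article or from Shape) of the server-side half of a CAPTCHA: a challenge is issued under an opaque token, the expected answer is stored bound to that token, and verification is single-use and time-limited so a solved challenge cannot be replayed. The challenge text is a constructed random string standing in for the distorted image a real CAPTCHA would render, and the class and method names (`CaptchaService`, `issue`, `verify`) are hypothetical.

```python
"""
Minimal server-side CAPTCHA challenge/response flow (added example, not
from the original article). The server issues a challenge it expects only
a human to answer, then verifies the answer once, within a time limit.
The challenge text is a constructed random string; a real deployment would
render it as an image or audio. All names here are hypothetical.
"""
import hashlib
import hmac
import os
import secrets
import string
import time

CHALLENGE_ALPHABET = string.ascii_uppercase + string.digits
CHALLENGE_LENGTH = 6
CHALLENGE_TTL_SECONDS = 120


class CaptchaService:
    def __init__(self, secret, clock=time.time):
        self._secret = secret
        self._clock = clock  # injectable so expiry can be tested deterministically
        # token -> (HMAC of expected answer, expiry timestamp); one entry per challenge
        self._pending = {}

    def _hash_answer(self, token, answer):
        # Bind the answer to its token so an answer solved for one challenge
        # cannot be submitted against another; normalise case as most CAPTCHAs do.
        msg = (token + "\0" + answer.strip().upper()).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self):
        """Return (token, challenge_text). Only the text is shown to the user."""
        challenge = "".join(secrets.choice(CHALLENGE_ALPHABET) for _ in range(CHALLENGE_LENGTH))
        token = secrets.token_urlsafe(16)
        expires_at = self._clock() + CHALLENGE_TTL_SECONDS
        self._pending[token] = (self._hash_answer(token, challenge), expires_at)
        return token, challenge

    def verify(self, token, answer):
        """Consume the token and check the answer; succeeds at most once per token."""
        entry = self._pending.pop(token, None)  # single use, whether right or wrong
        if entry is None:
            return False
        expected_digest, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(expected_digest, self._hash_answer(token, answer))


def demo():
    """Exercise the flow with a controllable clock; returns each outcome by name."""
    now = [1_000_000.0]
    svc = CaptchaService(secret=os.urandom(32), clock=lambda: now[0])

    token, challenge = svc.issue()
    results = {"wrong_answer": svc.verify(token, "NOPE00")}  # consumes the token

    token, challenge = svc.issue()
    results["correct_answer"] = svc.verify(token, challenge.lower())  # case-insensitive
    results["replay"] = svc.verify(token, challenge)  # token already consumed

    token, challenge = svc.issue()
    now[0] += CHALLENGE_TTL_SECONDS + 1  # let the challenge expire
    results["expired"] = svc.verify(token, challenge)
    return results


if __name__ == "__main__":
    print(demo())
```

The two properties worth noting are that the token is removed on the first verification attempt regardless of outcome, and that the answer is keyed by token, so a correct answer is only ever accepted once and only for the challenge it was issued with.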

CAPTCHA Solvers
CAPTCHAs provided a good defense against automated attacks when they were first introduced nearly two decades ago, presenting an obstacle that the early generations of bots couldn’t easily overcome. However, as bots evolved and started solving CAPTCHAs, the CAPTCHAs started to get even more complex and difficult for humans to solve, such as the CAPTCHA shown in Figure 3.