Rise of the Spambots: 3 APIs For Beating CAPTCHAs

Garrett Wilkin, October 17th, 2012

Death By CAPTCHAThe Death By CAPTCHA API is one of three CAPTCHA beating APIs posted to our index in just the last week.  After taking a look at them I can say that they are just as seedy and sketchy as you would imagine.  Even so, I don’t see these services going away anytime soon.  The existence of super cheap CAPTCHA beating systems begs the question, how effective is the visual CAPTCHA today?

Death By CAPTCHALet’s take a look at a few examples.  The enticingly named Death By CAPTCHA service promotes it’s super low price of $1.39 for 1000 solved CAPTCHAs.  Pretty reasonable, and it wastes no time in suggesting to potential API users how they might employ third world workers to create spam bots, saying “if you don’t have the required programming skills to extract, store and send us the CAPTCHA, we recommend you to hire an overseas freelance programmer to help you in this task.”

AntigateAntigate, sets the cost of doing business at a premium, coming in at a $7.00 per 1,000 solved CAPTCHA price point.  The good news for socially minded API consumers is that this API is all human powered.  Actually I guess that point is a little murky isn’t it?  It is better or worse to be employing humans in such a task?  Leave your opinion in the comments!

Bypass CAPTCHAI’ve saved the best for last, because it’s Bypass CAPTCHA who stands out from this crowd.  This service displays a bit of business acumen by promoting an API business strategy for profit sharing with partners. That’s forward thinking even among today’s leading technology companies and I have to give credit where it is due.  Sure, the delivery of this proposal could be a bit more polished, but this is a spam bot service afterall.  In their own words, “I can understand that it is not easy these days to sell more copies of your softwares and earn more cashes.”

The best news yet, is that there’s a service called Are You A Human? which offers a great alternative to image CAPTCHAs.  With their “play thru” technology, users are presented with simple games to play to demonstrate their humanity.  And thus the CAPTCHA turing test arms race continues.

There are at least 15 different CAPTCHA APIs in our index.  Why not hook up a CAPTCHA creation service to one of the decoding services and have a little fun?

Both comments and pings are currently closed.

7 Responses to “Rise of the Spambots: 3 APIs For Beating CAPTCHAs”

October 17th, 2012
at 4:49 pm
Comment by: david rosen

Areyouahuman is not a security company. The system was instantly hacked and here is proof: http://spamtech.co.uk/software/bots/cracking-the-areyouhuman-captcha/

October 17th, 2012
at 5:13 pm
Comment by: Garrett Wilkin

David, that is an awesome comment! Thanks for sharing the hack of the “Are You A Human?” games. Apparently we are already past that next step of being able to crack the game, but no one has yet made it available as a paid API service. I wonder how long that will take.

October 18th, 2012
at 5:56 am
Comment by: KylieMolina

Developer support is available in the form of the Windows SDK, providing documentation and tools necessary to build software based upon the Windows API and associated Windows interfaces.

October 18th, 2012
at 8:05 am
Comment by: Max from Are You a Human

Hi all,

Max from Are You a Human here. I just want to point out that the hack David points to is from May. That hack no longer gets past us.

We don’t just look for our games to be played correctly; we also look at details such as mouse movements to track *how* the game is played. Thus, bots can play our games correctly and still be detected as bots. You can read more about this on our blog: http://areyouahuman.com/how-playthru-stops-the-bots/

Still, Garrett’s right that it’s an ongoing battle: as verification systems improve, so do bots, and there will never be a flawless system. At Are You a Human, we’re working constantly to improve our security without throwing usability out the window.

David, to our knowledge there are no bots that are currently able to pass our games. If we’re mistaken, please let us know.

Thanks for taking the time to check us out!

Max
max@areyouahuman.com
(313) 312-5537

October 19th, 2012
at 9:03 am
Comment by: Alicia

I agree that a lot of these programs can seem a little seedy but they are also used for good things in some circumstances! I work for the visually impaired and we use a piece of software called rumola (which is human based) at work to help our service users browse the internet independently with the help of screen reading software. It seems to be a quality product and we haven’t seen it fail a CAPTCHA yet!

October 19th, 2012
at 10:22 am
Comment by: Garrett Wilkin

Alicia, I considered that angle as I was writing the story. However, I felt that the motivation to help those with visual and or auditory impairments was not the prime motivation of these services. They seemed to be geared toward spam rather than increasing accessibility to users. I did not want to grant them a noble purpose which they did not seem to be pursuing. I’d love to hear more about your work for the visually impaired. Maybe there’s an opportunity to profile APIs that increasing the accessibility of the web.

November 2nd, 2012
at 5:01 am
Comment by: Stephanie Millman

Max, I know you guys have good intentions, but security is serious stuff. I love that you guys are making an effort, but outsourcing core development on Elance isn’t very confidence inspiring! https://www.elance.com/j/captcha-architecture-development/22854308/

Follow the PW team on Twitter

ProgrammableWeb
APIs, mashups and code. Because the world's your programmable oyster.

John Musser
Founder, ProgrammableWeb

Adam DuVander
Executive Editor, ProgrammableWeb. Author, Map Scripting 101. Lover, APIs.