Is your site protected by CATCHAS? WAF, CloudFlair or something else? Do you think it's safe? Well think again.

During a recent hunt for malicious traffic crawling my most public customer I managed to find a variety of tutorials and services that offered ways around CAPTCHA.

In reality they farm the CAPTCHA solving out to server farms in emerging economies full of people working for pennies per hour that just solve captchas. Then record the screen data and mouse movements to use as training data for an AI model that will replace the workers.

I am NOT going to link to those sites here as I am not supporting that activity and I would possibly get flagged as malicious myself just for linking to them but they are not hard to find.

If you really want to know, DM me and I will send you their way.

It makes you wonder how many times Amazon Mechanical Turk has been used to bypass AWS WAF’s own captchas.