Abstract: CAPTCHA Farms have become essential tools for malicious actors to circumvent bot protection mechanisms, facilitating fraud such as inventory denial and SMS pumping. These services use proxies to replicate the IP address and fingerprint of the bot client, evading detection through conventional application-layer analyses. Additionally, the CAPTCHA solving times achieved by these farms are indistinguishable from those of legitimate users, posing a significant challenge to current detection methods.
We propose a novel approach to detect the use of CAPTCHA Farms by leveraging network measurements. Our method analyzes the propagation times of the site key and CAPTCHA token exchanged between the client, the CAPTCHA provider, and the server. By examining these timings and correlating them with the physical distances suggested by the client’s IP address and the known locations of the other two parties, we aim to statistically infer the plausibility of the observed delays.
We present preliminary results from our ongoing experiments and the development of our statistical testing methodology. Our focus is on gathering feedback from the community regarding our approach, its practical applicability, and potential implementation challenges.
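The plausibility check described in the abstract can be sketched as follows. This is an added example, not the speakers' code or methodology: it assumes the provider and server share synchronised timestamps for token issue and receipt, that the client location comes from IP geolocation, and that a baseline of excess delays from known-good sessions is available. The robust z-score, the threshold and all sample values are illustrative assumptions.

```python
import math
from statistics import median

FIBER_KM_PER_MS = 200.0   # light in optical fibre, roughly 2/3 of c
EARTH_RADIUS_KM = 6371.0

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def min_delay_ms(provider, client, server):
    """Physical lower bound for a token travelling provider -> client -> server."""
    return (haversine_km(provider, client) + haversine_km(client, server)) / FIBER_KM_PER_MS

def robust_z(value, baseline):
    """Deviation from the baseline median in MAD units (1.4826 scales MAD to sigma)."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline) or 1e-9
    return (value - med) / (1.4826 * mad)

def classify(observed_ms, provider, client, server, baseline_excess_ms, z_max=3.5):
    """Return 'impossible', 'suspicious' or 'plausible' for one token exchange."""
    excess = observed_ms - min_delay_ms(provider, client, server)
    if excess < 0:
        return "impossible"   # faster than physics allows: geolocation or clock is wrong
    if robust_z(excess, baseline_excess_ms) > z_max:
        return "suspicious"   # delay suggests extra legs, e.g. a relay to a remote solver
    return "plausible"

# Constructed sample data (not measurements from the talk).
PROVIDER = (50.11, 8.68)        # CAPTCHA provider, Frankfurt
SERVER = (48.86, 2.35)          # protected server, Paris
CLIENT_GEOIP = (52.52, 13.40)   # Berlin, as suggested by the client IP
BASELINE_EXCESS_MS = [18, 22, 25, 20, 30, 24, 19, 27, 23, 21]

if __name__ == "__main__":
    for observed in (30, 250, 3):
        print(observed, classify(observed, PROVIDER, CLIENT_GEOIP, SERVER, BASELINE_EXCESS_MS))
```

An "impossible" result points at a measurement or geolocation problem rather than at a farm, so it is worth tracking separately from "suspicious".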
About the Speakers
Martynas Buožis is an Information Security Architect in the Global Security Operations of Amadeus Data Processing GmbH in Germany. Martynas has long-term experience in information technologies, and his involvement in information security started with establishing the first Lithuanian CERT, the LITNET CERT, in 1998. Since then, Martynas has moved through different companies and projects, gaining excellent knowledge of designing high-quality security solutions.
Umberto Fontana holds a Master’s degree in Data Science and Engineering from Politecnico di Torino, achieved through a double degree program with Eurecom. Currently, Umberto is pursuing a PhD CIFRE at Telecom SudParis and Amadeus IT Group, focusing on detecting bots on web applications using explainable AI. He has also completed an internship in the Fraud Detection Department at Amadeus IT Group, where he honed his skills in combating online fraud.
Date and Time: Tuesday, March 25, 2:00 – 3:00 pm (GMT+00:00) United Kingdom Time
Location: Online (Pre-Registration is Required to Obtain the Meeting Link)
Event Registration Link: https://forms.gle/7XJrLWM95EWEUis57
Online Registration Ends March 23 at 04:00 PM (GMT+00:00) United Kingdom Time