Abusing Web Services Using Automated CAPTCHA-Breaking Services and Residential Proxies

Case study 1: Poshmark

Poshmark is a popular social commerce marketplace where users can buy and sell various fashion, home, and electronics items. It integrates the use of social media to promote social interaction with users, eventually driving users to buy from the platform.

Sellers who are proficient in promoting their Poshmark stores can expect to earn good money, which can range from a few hundred dollars to more than US$1,000 per month. Poshmark sellers, also known as “Poshers,” can use a plethora of tools to promote their storefronts to prospective shoppers. These tools automate a lot of promotional tasks in Poshmark, such as sharing storefronts, sharing listings, and reciprocating shares and follows. Notably, these automated bot activities trigger Poshmark’s antiabuse safeguards, which result in CAPTCHAs being presented.

One of the most notable features of these Poshmark bots is, of course, solving CAPTCHAs. These bots need to have CAPTCHA-breaking capabilities built in; otherwise, their automated Poshmark promotional tasks would be quite limited. There are even websites that review the capabilities of the various Poshmark bots and rank them according to their feature sets.

Our observations show that there are numerous CAPTCHA-solving task requests to a known CAPTCHA-breaking service that are targeting CAPTCHAs from Poshmark’s website. From the data we’ve gathered, these CAPTCHA-solving requests originated from a known Poshmark bot.

What is more interesting is that these CAPTCHA-solving requests are routed via a proxyware network. In addition to breaking CAPTCHAs via automation, Poshmark bot operators also use proxyware utilities to further obfuscate their originating IPs — an additional step to help them evade antispam measures.

In this case, the abusers used “Poshmark Pro Tools,” an advertisement tool that Poshmark blocks. For a certain fee, this tool can be used to promote clothes, shoes, or accessories in users’ Poshmark timelines and increase the likelihood of Poshers bidding on them. To block such automated promotion tools, Poshmark uses reCAPTCHA to ensure that people, and not bots, are promoting their items. Poshmark Pro Tools uses the 2Captcha CAPTCHA-solving service to break reCAPTCHA and mask bot activity.
