Possible Google Recaptcha exploit used by scam sites to drain legit faucets

[johnjacksonbtc]

I want to report this triplet of websites that looks one level more suspicious than usual SCAM sites - freecoinmonster.com, satoshihere.com, satoshisatoshi.com. Possible scheme follows - user claims enormous amounts of satoshis just for solving Google Captcha more than few times per minutes and per user. At the beginning of scam testing I was unable to figure how they can earn money with this scam. Google Captcha's sometimes randomly appears with messages - session expires or invalid API. I came to conclusion that these captchas are coming from different sites to bypass antibot systems that depends only on Google Captcha. So whether is this possible (google captcha iframe data retrieving from other sites) or not I strongly recommend faucet owners to make their antibot systems unique to solve this possible nasty issue. I have studied lot of bitcoin faucets and considerable part sits only on Google Captcha, you may check up my site for faucet list.

Happy non-bot earnings from bitcoin faucets,
John Jackson

[1715126388]

1715126388

[1715126388]

1715126388

[Fortify]

Most varieties of captchas are vulnerable to automatic analysis. The highest end captchas are usually defeated in the way you describe - human viewers entering the captcha that is then submitting a form elsewhere. It might be creating thousands of accounts at places like yahoo and some blackhat people make a lot of money with this sort of automation hacking. Anyone who is giving away money via things like a faucet will always be a target for attacks

[Racey]

I want to report this triplet of websites that looks one level more suspicious than usual SCAM sites - freecoinmonster.com, satoshihere.com, satoshisatoshi.com. Possible scheme follows - user claims enormous amounts of satoshis just for solving Google Captcha more than few times per minutes and per user. At the beginning of scam testing I was unable to figure how they can earn money with this scam. Google Captcha's sometimes randomly appears with messages - session expires or invalid API. I came to conclusion that these captchas are coming from different sites to bypass antibot systems that depends only on Google Captcha. So whether is this possible (google captcha iframe data retrieving from other sites) or not I strongly recommend faucet owners to make their antibot systems unique to solve this possible nasty issue. I have studied lot of bitcoin faucets and considerable part sits only on Google Captcha, you may check up my site for faucet list.

Happy non-bot earnings from bitcoin faucets,
John Jackson

Good catch, I guess you could iframe the captcha, it is there if you inspect element in your browser.

[johnjacksonbtc]

I want to report this triplet of websites that looks one level more suspicious than usual SCAM sites - freecoinmonster.com, satoshihere.com, satoshisatoshi.com. Possible scheme follows - user claims enormous amounts of satoshis just for solving Google Captcha more than few times per minutes and per user. At the beginning of scam testing I was unable to figure how they can earn money with this scam. Google Captcha's sometimes randomly appears with messages - session expires or invalid API. I came to conclusion that these captchas are coming from different sites to bypass antibot systems that depends only on Google Captcha. So whether is this possible (google captcha iframe data retrieving from other sites) or not I strongly recommend faucet owners to make their antibot systems unique to solve this possible nasty issue. I have studied lot of bitcoin faucets and considerable part sits only on Google Captcha, you may check up my site for faucet list.

Happy non-bot earnings from bitcoin faucets,
John Jackson

Good catch, I guess you could iframe the captcha, it is there if you inspect element in your browser.

Their captcha's structurally does not differs in structure, usual google captcha iframe. The point is that google does not knows for which endpoint (IP address) captcha must be applied, most likely because faucet server does not tells google - please use this captcha for user with ip adress 12.34.56.78.

[jackg]

The tripplet of sites in the OP, does anyone know if they are legit.

What you are saying, could tey be using this as a way of solving vaptchas on other faucet sites for their own personal gain.

I.E. A site of satoshisatoshi, could be using another site to gain earnings from with the users getting a certain payment from this.

Specific to satoshisatoshi: the links at the top of the pages are refferral links, not links for a partnetship site.

[Sweetasdad]

HAS TO BE THE BIGGEST "SCUM WITH A SCAM!. 100% +...Google Recaptcha, and sites that use it allow it, so BOTH are "SCUM WITH A SCAM!."