PSA: Bots have figured out funcaptcha

BitcoinFuture99

member

Activity: 120

Merit: 10

Quote from: FunCaptcha_James on December 20, 2015, 05:45:36 PM

Hi everyone,

We appreciate everyone's diligence! The good news is that we're not seeing any traffic that would indicate a breach but we want to be sure. Can you please link me to the faucet which you believe is seeing enhanced bot traffic? This will allow us to confirm if there is or isn't bot activity.

Thanks,
James

I have better Idea for you FunCaptcha. FunCaptcha should introduce new feature that every user must be registered with Funcaptcha and to solve captcha user must login. And user account must be verified with phone verification. This might reduce allot of bot attacks, also funcaptcha can then watch suspicious location activity.

Bot Makers will have then allot of struggle to solve it. CaptchaSolver services introducing allot of new ways daily to solve any kind of captcha.
I had a bot attack and funcaptcha not worked during attack.

FaucetRank.com

hero member

Activity: 868

Merit: 500

The truth is 90-99% cheating/spams done by real humans not by bot .

ixus

sr. member

Activity: 336

Merit: 250

Looking at https://faucetbox.com/check/35iPaDcjQqViRkXXHnagGYoKGxvCpEmcZk
It's probably http://bitcodice.com/ . It has "4 factor" Funcaptcha and as I told is susceptible to a proxy scheme. But captcha, most probably, is solved by a real person, not a bot.

Racey

legendary

Activity: 1134

Merit: 1000

Soon, I have to go away.

Quote from: FaucetRank.com on December 19, 2015, 11:09:04 PM

Quote from: Gifted on December 19, 2015, 10:09:51 PM

Quote from: FaucetRank.com on December 19, 2015, 08:59:58 PM

That's why I said don't use faucet box script . Create a xapo faucet and force users to claim with only email . A xapo user need to create a verified xapo account in order to withdraw his fund if email doesn't have xapo account then claimed amount will be returned to you after 7days.

Not to put xapo down because i own one too, btc address works too.Xapo cashes them out on the btc address when it reaches 5500 and there is a way to change when they cash out through their api

That's why I said force users to enter only email and you can do it by simple coding.

Send me a phone to use Xapo Grin

You cannot penalize users with no moblie phone.

FunCaptcha_James

newbie

Activity: 7

Merit: 0

Hi everyone,

We appreciate everyone's diligence! The good news is that we're not seeing any traffic that would indicate a breach but we want to be sure. Can you please link me to the faucet which you believe is seeing enhanced bot traffic? This will allow us to confirm if there is or isn't bot activity.

Thanks,
James

monbux

legendary

Activity: 1736

Merit: 1029

Quote from: ixus on December 20, 2015, 01:48:59 AM

Thou OP don't shares his faucet link, my opinion is that it rather proxy scheme than the bot one. If you use two different type of captchas simultaneously and consequently it will reduce probability for bots. But, in the other hand, too complicated claiming procedure(especially with those "anti-bot" tricks ) will repel simple users.

Yeah, many might get annoyed and just leave your faucet and never come back. Why not just switch your captcha provider and see what happens?

lelouch90

full member

Activity: 224

Merit: 100

★777Coin.com★ Fun BTC Casino!

Bad news for faucet owners if your settings were the highest against bots.

ixus

sr. member

Activity: 336

Merit: 250

Thou OP don't shares his faucet link, my opinion is that it rather proxy scheme than the bot one. If you use two different type of captchas simultaneously and consequently it will reduce probability for bots. But, in the other hand, too complicated claiming procedure(especially with those "anti-bot" tricks ) will repel simple users.

FaucetRank.com

hero member

Activity: 868

Merit: 500

Quote from: Gifted on December 19, 2015, 10:09:51 PM

Quote from: FaucetRank.com on December 19, 2015, 08:59:58 PM

That's why I said don't use faucet box script . Create a xapo faucet and force users to claim with only email . A xapo user need to create a verified xapo account in order to withdraw his fund if email doesn't have xapo account then claimed amount will be returned to you after 7days.

Not to put xapo down because i own one too, btc address works too.Xapo cashes them out on the btc address when it reaches 5500 and there is a way to change when they cash out through their api

That's why I said force users to enter only email and you can do it by simple coding.

maokoto

hero member

Activity: 770

Merit: 500

✪ NEXCHANGE | BTC, LTC, ETH & DOGE ✪

Too bad, as a faucet user, I like funcaptcha. It is easy to complete and fast, and you do not make mistakes easy as with other faucets in which you have to type to complete.

Gifted

hero member

Activity: 504

Merit: 501

Quote from: FaucetRank.com on December 19, 2015, 08:59:58 PM

That's why I said don't use faucet box script . Create a xapo faucet and force users to claim with only email . A xapo user need to create a verified xapo account in order to withdraw his fund if email doesn't have xapo account then claimed amount will be returned to you after 7days.

Not to put xapo down because i own one too, btc address works too.Xapo cashes them out on the btc address when it reaches 5500 and there is a way to change when they cash out through their api

Funny

sr. member

Activity: 343

Merit: 250

Bonus Claim Url: http://betonline.wager.bz

Quote from: FaucetRank.com on December 19, 2015, 08:59:58 PM

That's why I said don't use faucet box script . Create a xapo faucet and force users to claim with only email . A xapo user need to create a verified xapo account in order to withdraw his fund if email doesn't have xapo account then claimed amount will be returned to you after 7days.

Wow.. I never knew that was the case.

I'm might develop my own faucet, now that I see that's the case I'll definitely stick with Xapo if I do open a faucet.

FaucetRank.com

hero member

Activity: 868

Merit: 500

Quote from: coinableS on December 19, 2015, 12:29:07 PM

My faucet was emptied in about an hour from a bot. Funcaptcha has been great against bots, but doesn't look like anymore.

The culprit referrer: 35iPaDcjQqViRkXXHnagGYoKGxvCpEmcZk

As I know your captcha wasn't set to advance security .

FaucetRank.com

hero member

Activity: 868

Merit: 500

That's why I said don't use faucet box script . Create a xapo faucet and force users to claim with only email . A xapo user need to create a verified xapo account in order to withdraw his fund if email doesn't have xapo account then claimed amount will be returned to you after 7days.

Bought

sr. member

Activity: 266

Merit: 250

Fuck the bots. they're ruining all the faucets.

Funny

sr. member

Activity: 343

Merit: 250

Bonus Claim Url: http://betonline.wager.bz

Quote from: coinableS on December 19, 2015, 12:29:07 PM

My faucet was emptied in about an hour from a bot. Funcaptcha has been great against bots, but doesn't look like anymore.

The culprit referrer: 35iPaDcjQqViRkXXHnagGYoKGxvCpEmcZk

Wow. Never thought that funcaptcha was vulnerable. I had difficulties completing funcaptcha myself.

ixus

sr. member

Activity: 336

Merit: 250

Quote from: Racey on December 19, 2015, 01:49:34 PM

I also noted that ARAMAIC 2007 https://www.youtube.com/user/ARAMIC2007 has a bitcoin related website.
http://blog.yosyfovych.te.ua/

That guy writes about his big real humans referral network

for the faucets, while he's not hesitates to use bots and proxys for some services. Really sad and educational reading.

Gifted

hero member

Activity: 504

Merit: 501

Quote from: Racey on December 19, 2015, 01:49:34 PM

I also noted that ARAMAIC 2007 https://www.youtube.com/user/ARAMIC2007 has a bitcoin related website.

http://blog.yosyfovych.te.ua/

maybe we should do some sql injection on his site LOL

Racey

legendary

Activity: 1134

Merit: 1000

Soon, I have to go away.

I also noted that ARAMAIC 2007 https://www.youtube.com/user/ARAMIC2007 has a bitcoin related website.

http://blog.yosyfovych.te.ua/

coinableS

legendary

Activity: 1442

Merit: 1186

Quote from: Racey on December 19, 2015, 01:42:08 PM

Quote from: coinableS on December 19, 2015, 01:38:16 PM

Quote from: Racey on December 19, 2015, 01:34:59 PM

Quote from: coinableS on December 19, 2015, 12:29:07 PM

My faucet was emptied in about an hour from a bot. Funcaptcha has been great against bots, but doesn't look like anymore.

The culprit referrer: 35iPaDcjQqViRkXXHnagGYoKGxvCpEmcZk

The referrer has a you tube account https://www.youtube.com/user/ARAMIC2007

Got his addy from here 35iPaDcjQqViRkXXHnagGYoKGxvCpEmcZk

Yea I saw that too... What is interesting is that every single account this person "referred" is also a multisig address. Typically I only see a few multisig addresses here and there, then all of a sudden every single person is "referred" by this guy and every single one also has a multisig address. No coincidence.

So he is using multiple addresses it seems, are the ips the same, if not he is very clever on changing it.
I could be wrong in my assumption though.

Nope, the script I wrote only allows unique IP's, so it has to be a bot that changes it's IP and address for each claim thus racking up his balance in referral earnings from his fake bot referrals.

Topic: PSA: Bots have figured out funcaptcha (Read 1485 times)