
Topic: PSA: Bots have figured out funcaptcha (Read 1497 times)

member
Activity: 120
Merit: 10
December 21, 2015, 04:35:39 AM
#28
Hi everyone,

We appreciate everyone's diligence! The good news is that we're not seeing any traffic that would indicate a breach but we want to be sure. Can you please link me to the faucet which you believe is seeing enhanced bot traffic? This will allow us to confirm if there is or isn't bot activity.

Thanks,
James


I have a better idea for you, FunCaptcha. FunCaptcha should introduce a new feature where every user must be registered with FunCaptcha, and to solve a captcha the user must log in. And the user account must be verified with phone verification. This might reduce a lot of bot attacks; also, FunCaptcha can then watch for suspicious location activity.

Bot makers will then have a lot of struggle to solve it. Captcha-solver services are introducing a lot of new ways daily to solve any kind of captcha.
I had a bot attack and FunCaptcha did not work during the attack.
hero member
Activity: 868
Merit: 500
December 21, 2015, 03:12:50 AM
#27
The truth is 90-99% of cheating/spam is done by real humans, not by bots.
sr. member
Activity: 336
Merit: 250
December 21, 2015, 02:59:37 AM
#26
Looking at https://faucetbox.com/check/35iPaDcjQqViRkXXHnagGYoKGxvCpEmcZk
It's probably http://bitcodice.com/. It has "4 factor" FunCaptcha and, as I said, is susceptible to a proxy scheme. But the captcha, most probably, is solved by a real person, not a bot.
legendary
Activity: 1134
Merit: 1000
Soon, I have to go away.
December 20, 2015, 05:52:18 PM
#25
That's why I said don't use the FaucetBox script. Create a Xapo faucet and force users to claim with only an email. A Xapo user needs to create a verified Xapo account in order to withdraw his funds; if the email doesn't have a Xapo account, then the claimed amount will be returned to you after 7 days.
Not to put Xapo down, because I own one too; a BTC address works too. Xapo cashes them out on the BTC address when it reaches 5500, and there is a way to change when they cash out through their API.

That's why I said force users to enter only an email, and you can do it with simple coding.

Send me a phone to use Xapo Grin You cannot penalize users with no mobile phone.
newbie
Activity: 7
Merit: 0
December 20, 2015, 05:45:36 PM
#24
Hi everyone,

We appreciate everyone's diligence! The good news is that we're not seeing any traffic that would indicate a breach but we want to be sure. Can you please link me to the faucet which you believe is seeing enhanced bot traffic? This will allow us to confirm if there is or isn't bot activity.

Thanks,
James
legendary
Activity: 1736
Merit: 1029
December 20, 2015, 11:11:35 AM
#23
Though OP doesn't share his faucet link, my opinion is that it's a proxy scheme rather than a bot one. If you use two different types of captchas simultaneously and consequently it will reduce the probability for bots. But, on the other hand, a too complicated claiming procedure (especially with those "anti-bot" tricks) will repel simple users.
Yeah, many might get annoyed and just leave your faucet and never come back.  Why not just switch your captcha provider and see what happens?
full member
Activity: 224
Merit: 100
December 20, 2015, 04:13:18 AM
#22
Bad news for faucet owners if your settings were the highest against bots.
sr. member
Activity: 336
Merit: 250
December 20, 2015, 01:48:59 AM
#21
Though OP doesn't share his faucet link, my opinion is that it's a proxy scheme rather than a bot one. If you use two different types of captchas simultaneously and consequently it will reduce the probability for bots. But, on the other hand, a too complicated claiming procedure (especially with those "anti-bot" tricks) will repel simple users.
hero member
Activity: 868
Merit: 500
December 19, 2015, 11:09:04 PM
#20
That's why I said don't use the FaucetBox script. Create a Xapo faucet and force users to claim with only an email. A Xapo user needs to create a verified Xapo account in order to withdraw his funds; if the email doesn't have a Xapo account, then the claimed amount will be returned to you after 7 days.
Not to put Xapo down, because I own one too; a BTC address works too. Xapo cashes them out on the BTC address when it reaches 5500, and there is a way to change when they cash out through their API.

That's why I said force users to enter only an email, and you can do it with simple coding.
hero member
Activity: 770
Merit: 500
December 19, 2015, 11:07:19 PM
#19
Too bad, as a faucet user, I like FunCaptcha. It is easy to complete and fast, and you do not make mistakes as easily as with other faucets in which you have to type to complete.
hero member
Activity: 504
Merit: 501
December 19, 2015, 10:09:51 PM
#18
That's why I said don't use the FaucetBox script. Create a Xapo faucet and force users to claim with only an email. A Xapo user needs to create a verified Xapo account in order to withdraw his funds; if the email doesn't have a Xapo account, then the claimed amount will be returned to you after 7 days.
Not to put Xapo down, because I own one too; a BTC address works too. Xapo cashes them out on the BTC address when it reaches 5500, and there is a way to change when they cash out through their API.
sr. member
Activity: 343
Merit: 250
December 19, 2015, 09:36:12 PM
#17
That's why I said don't use the FaucetBox script. Create a Xapo faucet and force users to claim with only an email. A Xapo user needs to create a verified Xapo account in order to withdraw his funds; if the email doesn't have a Xapo account, then the claimed amount will be returned to you after 7 days.

Wow.. I never knew that was the case.

I might develop my own faucet; now that I see that's the case, I'll definitely stick with Xapo if I do open a faucet.
hero member
Activity: 868
Merit: 500
December 19, 2015, 09:02:05 PM
#16
My faucet was emptied in about an hour by a bot. FunCaptcha has been great against bots, but it doesn't look like it anymore.

The culprit referrer: 35iPaDcjQqViRkXXHnagGYoKGxvCpEmcZk


As far as I know, your captcha wasn't set to advanced security.
hero member
Activity: 868
Merit: 500
December 19, 2015, 08:59:58 PM
#15
That's why I said don't use the FaucetBox script. Create a Xapo faucet and force users to claim with only an email. A Xapo user needs to create a verified Xapo account in order to withdraw his funds; if the email doesn't have a Xapo account, then the claimed amount will be returned to you after 7 days.
sr. member
Activity: 266
Merit: 250
December 19, 2015, 08:19:12 PM
#14
Fuck the bots. They're ruining all the faucets.
sr. member
Activity: 343
Merit: 250
December 19, 2015, 06:45:06 PM
#13
My faucet was emptied in about an hour by a bot. FunCaptcha has been great against bots, but it doesn't look like it anymore.

The culprit referrer: 35iPaDcjQqViRkXXHnagGYoKGxvCpEmcZk



Wow. Never thought that funcaptcha was vulnerable. I had difficulties completing funcaptcha myself.
sr. member
Activity: 336
Merit: 250
December 19, 2015, 02:42:53 PM
#12
I also noted that ARAMAIC 2007 https://www.youtube.com/user/ARAMIC2007   has a bitcoin related website.
http://blog.yosyfovych.te.ua/
That guy writes about his big real humans referral network Smiley for the faucets, while he doesn't hesitate to use bots and proxies for some services. Really sad and educational reading.
hero member
Activity: 504
Merit: 501
December 19, 2015, 02:01:32 PM
#11
I also noted that ARAMAIC 2007 https://www.youtube.com/user/ARAMIC2007   has a bitcoin related website.

http://blog.yosyfovych.te.ua/
maybe we should do some sql injection on his site  LOL
legendary
Activity: 1134
Merit: 1000
Soon, I have to go away.
December 19, 2015, 01:49:34 PM
#10
I also noted that ARAMAIC 2007 https://www.youtube.com/user/ARAMIC2007   has a bitcoin related website.

http://blog.yosyfovych.te.ua/
legendary
Activity: 1442
Merit: 1186
December 19, 2015, 01:46:32 PM
#9
My faucet was emptied in about an hour by a bot. FunCaptcha has been great against bots, but it doesn't look like it anymore.

The culprit referrer: 35iPaDcjQqViRkXXHnagGYoKGxvCpEmcZk



The referrer has a YouTube account https://www.youtube.com/user/ARAMIC2007

Got his addy from here 35iPaDcjQqViRkXXHnagGYoKGxvCpEmcZk

Yea I saw that too... What is interesting is that every single account this person "referred" is also a multisig address. Typically I only see a few multisig addresses here and there, then all of a sudden every single person is "referred" by this guy and every single one also has a multisig address. No coincidence.

So he is using multiple addresses, it seems. Are the IPs the same? If not, he is very clever at changing them.
I could be wrong in my assumption though.

Nope, the script I wrote only allows unique IPs, so it has to be a bot that changes its IP and address for each claim, thus racking up his balance in referral earnings from his fake bot referrals.
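
The pattern described in the post above (one referrer whose referrals are all multisig addresses, each on a different IP) can be checked per referrer rather than per IP. The following is an added example, not the poster's faucet script; the claim-log layout, the referrer labels, the addresses and the thresholds are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

def build_sample_claims():
    """Constructed claim log, not real data: (referrer, claimant_address, ip)."""
    claims = []
    for i in range(12):  # REF_A: every referral is a fresh '3...' address on a fresh IP
        claims.append(("REF_A", f"3ConstructedP2SH{i:02d}", f"198.51.100.{i + 1}"))
    for i in range(12):  # REF_B: returning users, mostly '1...' addresses
        addr = "3ConstructedShared" if i == 0 else f"1ConstructedUser{i:02d}"
        claims += [("REF_B", addr, f"203.0.113.{i + 1}")] * 2
    return claims

def is_p2sh(address):
    # Mainnet pay-to-script-hash addresses (where multisig lives) start with '3'.
    return address.startswith("3")

def profile_referrers(claims):
    """Per referrer: distinct referrals, share that are P2SH, share seen only once."""
    per_ref = defaultdict(Counter)
    for referrer, address, _ip in claims:
        per_ref[referrer][address] += 1
    profiles = {}
    for referrer, counts in per_ref.items():
        n = len(counts)
        profiles[referrer] = {
            "referrals": n,
            "p2sh_share": sum(is_p2sh(a) for a in counts) / n,
            "one_shot_share": sum(c == 1 for c in counts.values()) / n,
        }
    return profiles

def flag_referrers(claims, min_referrals=10, p2sh_min=0.9, one_shot_min=0.9):
    """Flag referrers whose referrals are almost all single-use P2SH addresses."""
    return sorted(
        ref for ref, p in profile_referrers(claims).items()
        if p["referrals"] >= min_referrals
        and p["p2sh_share"] >= p2sh_min
        and p["one_shot_share"] >= one_shot_min
    )

def ip_check_passes(claims):
    # The per-IP uniqueness rule from the thread: no IP serves two different addresses.
    seen = defaultdict(set)
    for _ref, address, ip in claims:
        seen[ip].add(address)
    return all(len(addrs) == 1 for addrs in seen.values())

if __name__ == "__main__":
    sample = build_sample_claims()
    print("unique-IP rule satisfied:", ip_check_passes(sample))
    print("flagged referrers:", flag_referrers(sample))
```

On the constructed log the unique-IP rule is satisfied by every claim, yet the referrer-level profile still singles out the one referrer whose referrals are all one-shot P2SH addresses.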