The Completely Automated Public Turing Test To Tell Computers and Humans Apart (CAPTCHA) has been implemented on many websites to distinguish harmful automated bots from legitimate users. However, the revenue generated by bots has turned circumventing CAPTCHAs into a lucrative business. Although earlier studies provided information about text-based CAPTCHAs and the associated CAPTCHA-solving services, a lot has changed in the past decade regarding the content, suppliers, and solvers of CAPTCHAs. We have conducted a comprehensive investigation of the latest third-party CAPTCHA providers and of the attacks mounted by CAPTCHA-solving services. We dug into the details of CAPTCHA-As-a-Service and the latest CAPTCHA-solving services and carried out adversarial experiments on CAPTCHAs and CAPTCHA solvers. The experimental results show a worrying fact: most of the latest CAPTCHAs are vulnerable to both human solvers and automated solvers. New CAPTCHAs based on hard AI problems and behavior analysis are needed to stop CAPTCHA solvers.