Hackers Using CAPTCHA Bypass Tactics in Freejacking Campaign on GitHub
A South Africa-based threat actor known as Automated Libra has been observed employing CAPTCHA bypass techniques to create GitHub accounts programmatically as part of a freejacking campaign dubbed PURPLEURCHIN. The group "primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their crypto mining operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said.
PURPLEURCHIN first came to light in October 2022 when Sysdig disclosed that the adversary created as many as 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts to scale its operation.
Now, according to Unit 42, the cloud threat actor group created three to five GitHub accounts every minute at the height of its activity in November 2022, setting up more than 130,000 bogus accounts in total across Heroku, Togglebox, and GitHub.
More than 22,000 GitHub accounts are estimated to have been created between September and November 2022: three in September, 1,652 in October, and 20,725 in November.
Besides automating the account creation process by leveraging legitimate tools like xdotool and ImageMagick, the threat actor has also been found to take advantage of a weakness within the CAPTCHA check on GitHub to further its illicit objectives.
The findings illustrate how the freejacking campaign can be weaponized to maximize returns by increasing the number of accounts that can be created per minute on these platforms.
News URL
https://thehackernews.com/2023/01/hackers-using-captcha-bypass-tactics-in.html