Hackers Using CAPTCHA Bypass Tactics in Freejacking Campaign on GitHub

A South Africa-based threat actor known as Automated Libra has been observed employing CAPTCHA bypass techniques to create GitHub accounts in a programmatic fashion as part of a freejacking campaign dubbed PURPLEURCHIN.

Now according to Unit 42, the cloud threat actor group created three to five GitHub accounts every minute at the height of its activity in November 2022, totally setting up over 130,000 bogus accounts across Heroku, Togglebox, and GitHub.

More than 22,000 GitHub accounts are estimated to have been created between September and November 2022, three in September, 1,652 in October, and 20,725 in November. A total of 100,723 unique Heroku accounts have also been identified.

The cybersecurity company also termed the abuse of cloud resources as a “play and run” tactic designed to avoid paying the platform vendor’s bill by making use of falsified or stolen credit cards to create premium accounts.

Its analysis of 250GB of data puts the earliest sign of the crypto campaign at least nearly 3.5 years ago in August 2019, identifying the use of more than 40 wallets and seven different cryptocurrencies.

The core idea that undergirds PURPLEURCHIN is the exploitation of computational resources allocated to free and premium accounts on cloud services in order to reap monetary profits on a massive scale before losing access for non-payment of dues.

The findings illustrate how the freejacking campaign can be weaponized to maximize returns by increasing the number of accounts that can be created per minute on these platforms.

“It is important to note that Automated Libra designs their infrastructure to make the most use out of CD/CI tools,” the researchers concluded.

“This is getting easier to achieve over time, as the traditional VSPs are diversifying their service portfolios to include cloud-related services. The availability of these cloud-related services makes it easier for threat actors, because they don’t have to maintain infrastructure to deploy their applications.”

Related posts:

Part 1 of this article goes over how to containerise a simple node.js application and deploy it using docker. The importance/point of docker is the ability to put all of your application and it’s…

Being a successful music producer involves more than just technical skills — it also requires creativity, business savvy, and the ability to adapt to the constantly changing music industry. Here are…

Are you feeling those January blues? Cheer yourself up with some of the hottest music of the moment, here’s our Top 10 New Tracks. Angelo De Augustine is a singer-songwriter hailing from Thousand…