UC San Diego
Understanding the role of outsourced labor in web service abuse
- Author(s): Motoyama, Marti A.
- et al.
Modern Web services are typically free and open access, often supported by advertising revenue. These attributes, however, leave services vulnerable to many forms of abuse, including sending spam via Web-based email accounts, inflating page rank scores by spamming backlinks on blogs, etc. However, many of these schemes are nontrivial to execute, requiring technical expertise and access to ancillary resources (e.g. IP diversity, telephone numbers, etc.). Thus, many scammers prefer to offload the execution of their abuse schemes onto hired labor. This desire to minimize effort has created a demand for workers to carry out malicious tasks. Meanwhile, various online labor marketplaces have emerged that connect employers with cheap human workers. Abusers have turned to online freelancing sites to find workers willing to carry out numerous schemes. Outsourcing is an attractive option for entrepreneurial scammers, as the workers are typically cheap, technically adept, and exist in vast numbers. In this dissertation, we investigate how outsourcing impacts the security of Web services: no longer must service providers be wary only of automated tools; they must now also contend with inexpensive human labor willing to do any menial task.
In the first part of the dissertation, we characterize the role of freelance labor in Web service abuse, analyzing over seven years of data from the popular crowdsourcing site Freelancer.com, as well as data from our own active job solicitations. We identify the largest classes of abuse work, including account creation, social networking link generation and search engine optimization support, and characterize how pricing and demand have evolved in supporting this activity. We show that scammers heavily employ outsourced labor, with abuse jobs constituting approximately 30% of the job solicitations on the site. Further, we demonstrate that workers quickly adapt their skill sets in response to changes in demand for various abuse tasks. Lastly, the engagement portion of our study shows that workers actually deliver the promised goods, though the quality of the items is often variable.
The second part of the dissertation focuses exclusively on the role of humans in circumventing CAPTCHAs. Human CAPTCHA solving services represent a heavily commercialized, outsourced abuse task, and we perform an in-depth analysis of this industry. CAPTCHAs are a ubiquitous defense used to protect open Web resources from being exploited at scale. In response to the widespread deployment of CAPTCHAs, a robust solving ecosystem has emerged, selling real-time human labor to bypass these protections. We analyze the behavior and dynamics of CAPTCHA-solving service providers, their price performance, and the underlying labor markets driving this economy. Ultimately, our work shows that CAPTCHAs are effective at differentiating between humans and computers. However, due to the vast number of human workers willing to solve CAPTCHAs for low wages, CAPTCHAs cannot necessarily prevent widespread abuse; instead, they serve as a low-cost economic impediment to abusers.
The results from these two studies demonstrate the increasing role that outsourcing plays in abusing Web services at scale. Furthermore, they suggest that Web services not only need to consider automated threats, but also must contend with an agile human labor pool. Lastly, they suggest one way to evaluate deployed security mechanisms: by monitoring the price and demand fluctuations for various abusively obtained products.