A sophisticated framework used to spam website chats and contact forms employs multiple CAPTCHA bypass mechanisms and network detection evasion techniques.
AkiraBot, a Python framework that targets the website contact forms and chat widgets of small and medium-sized businesses, successfully spammed over 80,000 websites since September 2024, research by cybersecurity company SentinelOne reveals.
At first, the framework appears to have targeted websites using Shopify. Later, the targeting expanded to include websites built using GoDaddy and Wix, as well as generic website contact forms, which include websites built using Squarespace.
“Originally, AkiraBot spammed website contact forms, enticing the site owner to purchase SEO services. Newer versions of AkiraBot have also targeted the Live Chat widgets integrated into many websites, including Reamaze widgets,” claims the company in its blog post.
AkiraBot generates custom spam messages for specific websites using a template with a general message outline.
A prompt sent to the OpenAI chat API processes the template to generate a customized outreach message based on the website's contents. The benefit of generating each message using a large language model is that the content is unique, and filtering against spam becomes more difficult than using a consistent message template.
According to SentinelOne, AkiraBot is modular and sophisticated compared to typical spam tools. For example, it puts significant emphasis on evading CAPTCHAs so that it can spam websites at scale.
The targeted CAPTCHA services include hCAPTCHA and reCAPTCHA, including Cloudflare’s hCAPTCHA service in certain versions of the tool.
“We identified an archive with files for CAPTCHA-related servers and browser fingerprints, which allow the bot’s web traffic to mimic a legitimate end user,” SentinelOne claims.
In addition, it uses many different proxy hosts to evade network detections and diversify the source of where its traffic comes from. In each archive that SentinelOne analyzed, AkiraBot used the SmartProxy service.
According to the company, the submissions.csv file from the January 2025 archives shows more than 80.000 unique domains that were successfully spammed.
Failed attempts are stored in .txt files, which show that in January 2025, only 11,000 domains failed. Overall, SentinelOne claims the framework targeted more than 420,000 unique domains.
Your email address will not be published. Required fields are markedmarked