Fake CAPTCHA Campaign Uses SMS Pumping Fraud Victims’
A newly documented scam campaign is leveraging fake CAPTCHA pages to silently trigger dozens of international SMS messages from victims’ mobile phones. This malicious activity results in unexpected charges appearing on their phone bills.
What looks like a routine “prove you’re human” step online turns into a financial hit that many users never see coming.
CAPTCHAs have become so common on websites that most people interact with them without a second thought. Clicking traffic lights, selecting crosswalks, or solving simple puzzles feels routine and harmless.
Cybercriminals have learned to take advantage of this habit. This campaign follows the pattern of ClickFix-style attacks, where users are tricked into taking actions that work against themselves, often without knowing what they just did.
This particular operation runs what researchers describe as an International Revenue Share Fraud (IRSF) campaign, more commonly known as SMS pumping fraud.
The scheme works by inflating the volume of SMS messages sent to specific international destinations that carry high termination fees.
A portion of those fees then flows back to the attackers through revenue-sharing agreements built into the global telecom billing system.
Malwarebytes analyst Pieter Arntz identified this campaign, noting that it is a long-running operation that targets everyday mobile users browsing the web.
What makes this scam stand out is that it does not rely on malware or device compromise. No software gets installed on the victim’s phone.
Instead, the scam exploits how telecom billing systems and affiliate networks operate, quietly converting ordinary web traffic into premium SMS revenue for criminals.
Each victim may not feel the hit immediately, but a single interaction can result in roughly $30 in international SMS charges on a standard consumer plan.
Inside the Infection Mechanism
Victims most often land on these fake CAPTCHA pages after being redirected through malvertising or Traffic Distribution System (TDS) redirects.
Many of these redirects originate from typosquatted telecom domains, meaning web addresses that closely resemble legitimate telecom company websites.
Once on the fake page, the user sees what appears to be a standard image-selection or quiz-style CAPTCHA.
When the user taps the button to “continue,” their phone’s native SMS application opens with a message already pre-filled, along with a pre-loaded recipient list. This is where the real damage happens.
The fake CAPTCHA takes the user through several steps, and each step sends a message to more than a dozen international numbers spanning 17 countries known for high SMS termination fees, including Azerbaijan, Myanmar, and Egypt.
To prevent users from simply leaving the page, attackers use back-button hijacking. JavaScript on the scam page rewrites the browser’s history so that pressing the back button just reloads the scam rather than taking the user away from it.
This traps users in the flow long enough to complete multiple SMS sends.
Researchers also found that this campaign connects to a Click2SMS-style affiliate network that openly advertises accepting “all kinds of traffic,” essentially packaging IRSF as a revenue tool for shady web publishers.
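The two page behaviours described above (an SMS link pre-filled with a message and a recipient list, plus history rewriting) can be checked for in captured page source. The following is an added example, not code from the original report or from Malwarebytes; the function names, verdict thresholds, and sample markup are assumptions constructed for illustration.

```javascript
// Constructed sample of captured page source; numbers are placeholders, not indicators.
const SAMPLE_PAGE = `
<a href="sms:+10000000001,+10000000002,+10000000003?body=VERIFY%201234">Continue</a>
<script>
  history.pushState(null, "", location.href);
  window.addEventListener("popstate", onBack); // handler body omitted in this sample
</script>`;
// Constructed benign page: one recipient, no pre-filled body, no history handling.
const BENIGN_PAGE = `<a href="sms:+10000000009">Text support</a>`;

// Malformed percent-encoding must not crash the scanner.
const safeDecode = (s) => { try { return decodeURIComponent(s); } catch { return s; } };

// Pull every sms:/smsto: URI out of the source and split it into
// recipients and pre-filled body (the body parameter may follow ? or &).
function extractSmsLinks(source) {
  const re = /\bsms(?:to)?:([^"'\s<>?&]*)(?:[?&]body=([^"'\s<>&]*))?/gi;
  return [...source.matchAll(re)].map((m) => ({
    recipients: safeDecode(m[1]).split(/[,;]/).map((r) => r.trim()).filter(Boolean),
    body: m[2] ? safeDecode(m[2]) : "",
  })).filter((link) => link.recipients.length > 0);
}

// History rewriting plus a popstate handler is normal in single-page apps,
// so it only strengthens an SMS finding and never decides the verdict alone.
function hasHistoryTrap(source) {
  return /history\s*\.\s*(?:pushState|replaceState)\s*\(/.test(source) &&
         /popstate/i.test(source);
}

// Verdict rule (an assumption): a recipient list together with a pre-filled
// body is blocked; a weaker combination is sent for manual review.
function assessPage(source) {
  const links = extractSmsLinks(source);
  const maxRecipients = Math.max(0, ...links.map((l) => l.recipients.length));
  const prefilled = links.some((l) => l.body !== "");
  const historyTrap = hasHistoryTrap(source);
  let verdict = "allow";
  if (maxRecipients > 1 && prefilled) verdict = "block";
  else if (maxRecipients > 1 || (prefilled && historyTrap)) verdict = "review";
  return { verdict, maxRecipients, prefilled, historyTrap };
}

console.log(assessPage(SAMPLE_PAGE), assessPage(BENIGN_PAGE));
```

A check like this fits a web proxy, mobile browser extension, or ad-quality scanner that already has access to the rendered page source.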
Users and organizations can take the following steps to reduce their risk from this type of fraud:
- Never send an SMS to verify your identity online. Legitimate CAPTCHA systems work entirely within the browser and will never open your SMS or phone dialer app.
- Review your mobile bill regularly for small, unfamiliar international SMS charges. Fraud like this often appears as minor charges that are easy to miss.
- If suspicious charges appear, dispute them with your carrier immediately and request that international or premium SMS be blocked on your account if you do not use those services.
- The following malicious domains are associated with this campaign and should be avoided: sweeffg[.]online, colnsdital[.]com, zawsterris[.]com, megaplaylive[.]com, and ruelomamuy[.]com.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


