Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Automated Password Spray Attacks Target Microsoft Azure CLI
July 1, 2026
Reduce Alert Fatigue to Improve SOC Efficiency and Cut Business Costs
July 1, 2026
Apple Hide My Email Flaw Exposed Real User Email Addresses
July 1, 2026
Home/Threats/Fake CAPTCHA Campaign Uses SMS Pumping Fraud to Increase Victims’ Phone Bills
Threats

Fake CAPTCHA Campaign Uses SMS Pumping Fraud to Increase Victims’ Phone Bills

Key Takeaways A new scam campaign is leveraging fake CAPTCHA pages to trick mobile users into unknowingly sending dozens of international premium-rate SMS messages. This “SMS pumping...

Jennifer sherman
Jennifer sherman
May 1, 2026 3 Min Read
54 0

Key Takeaways

  • A new scam campaign is leveraging fake CAPTCHA pages to trick mobile users into unknowingly sending dozens of international premium-rate SMS messages.
  • This “SMS pumping fraud” exploits legitimate telecom billing systems, leading to unexpected charges on victims’ phone bills, often around $30 per interaction.
  • The attack does not involve malware or device compromise, relying instead on social engineering and browser manipulation techniques like back-button hijacking.
  • The campaign targets everyday mobile users, redirecting them from malvertising or typosquatted domains to fraudulent CAPTCHA pages.

A sophisticated new scam campaign is exploiting the routine act of solving CAPTCHAs to silently trigger dozens of international premium SMS messages from victims’ mobile phones, leading to unexpected and costly charges on their monthly bills. This operation, identified as an International Revenue Share Fraud (IRSF) scheme, more commonly known as SMS pumping fraud, leverages the global telecom billing system to enrich cybercriminals without deploying any malware.

Table Of Content

  • Key Takeaways
  • Inside the Fraudulent Mechanism
  • What You Should Do

Most internet users are accustomed to CAPTCHA challenges, routinely clicking on images or solving simple puzzles to prove they are human. This ingrained habit is precisely what cybercriminals are exploiting. The campaign mimics “ClickFix-style” attacks, where users are manipulated into performing actions that inadvertently harm them, often without immediate awareness of the consequences.

The scheme’s core mechanism involves artificially inflating the volume of SMS messages sent to specific international numbers associated with high termination fees. A portion of these fees is then funneled back to the attackers through intricate revenue-sharing agreements embedded within the global telecommunications infrastructure.

Malwarebytes analyst Pieter Arntz documented this campaign, revealing it to be a long-running operation designed to target ordinary mobile internet users. What makes this particular fraud notable is its independence from malware or any form of device compromise. No malicious software is installed on the victim’s phone. Instead, the attackers exploit the operational nuances of telecom billing systems and affiliate networks, effectively converting everyday web traffic into a source of premium SMS revenue.

While an individual victim may not notice the impact immediately, a single interaction with these fake CAPTCHA pages can result in approximately $30 in international SMS charges on a typical consumer mobile plan.

Inside the Fraudulent Mechanism

Victims typically encounter these deceptive CAPTCHA pages after being rerouted through malicious advertising or Traffic Distribution System (TDS) redirects. A significant number of these redirects originate from typosquatted telecom domains—web addresses designed to closely resemble legitimate telecommunications company websites, capitalizing on user typos or inattention.

Upon landing on the fraudulent page, users are presented with what appears to be a standard image-selection or quiz-based CAPTCHA. The critical moment occurs when the user taps the “continue” button. This action triggers the phone’s native SMS application, pre-filling a message and populating a recipient list with numerous international numbers.

The fake CAPTCHA then guides the user through several steps. Each subsequent step sends additional messages to more than a dozen international destinations across 17 countries known for high SMS termination fees, including Azerbaijan, Myanmar, and Egypt. To prolong the user’s interaction and ensure multiple message sends, the attackers implement back-button hijacking. JavaScript on the scam page manipulates the browser’s history, causing the back button to reload the scam page rather than navigate away from it, effectively trapping the user.

Researchers also discovered that this campaign is linked to a Click2SMS-style affiliate network. This network openly advertises its willingness to accept “all kinds of traffic,” essentially marketing IRSF as a legitimate revenue generation tool for various web publishers, including those operating in grey areas.

What You Should Do

  • Never send an SMS to verify your identity online. Legitimate CAPTCHA systems function entirely within the browser and will never prompt you to open your SMS or phone dialer app.
  • Regularly scrutinize your mobile phone bill for any small, unfamiliar international SMS charges. This type of fraud often appears as minor charges that are easy to overlook.
  • If you identify suspicious charges, immediately dispute them with your mobile carrier. Consider requesting that international or premium SMS services be blocked on your account if you do not utilize them.
  • Exercise caution and avoid the following malicious domains associated with this campaign: sweeffg[.]online, colnsdital[.]com, zawsterris[.]com, megaplaylive[.]com, and ruelomamuy[.]com.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalware

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Critical Wireshark Vulnerabilities Allow Remote Code Execution

Next Post

China-Aligned Hackers Use ShadowPad, IOX Proxy, WMIC in Espionage Campaign

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Adobe ColdFusion Vulnerabilities Let Attackers Run Code
July 1, 2026
Critical Buffa Rust Library 0-Day DoS Vulnerability in Anthropic
July 1, 2026
Critical Citrix NetScaler ADC and Gateway Bugs Allow DoS, Memory Overflow
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us