Fake CAPTCHA Campaign Uses SMS Pumping Fraud to Increase Victims’ Phone Bills
Key Takeaways
- A new scam campaign is leveraging fake CAPTCHA pages to trick mobile users into unknowingly sending dozens of international premium-rate SMS messages.
- This “SMS pumping fraud” exploits legitimate telecom billing systems, leading to unexpected charges on victims’ phone bills, often around $30 per interaction.
- The attack does not involve malware or device compromise, relying instead on social engineering and browser manipulation techniques like back-button hijacking.
- The campaign targets everyday mobile users, redirecting them from malvertising or typosquatted domains to fraudulent CAPTCHA pages.
A new scam campaign is exploiting the routine act of solving CAPTCHAs to silently trigger dozens of international premium-rate SMS messages from victims’ mobile phones, leading to unexpected and costly charges on their monthly bills. The operation is an International Revenue Share Fraud (IRSF) scheme of the kind commonly called SMS pumping fraud: it monetises the global telecom billing system to enrich cybercriminals without deploying any malware.
Most internet users are accustomed to CAPTCHA challenges, routinely clicking on images or solving simple puzzles to prove they are human. This ingrained habit is precisely what cybercriminals are exploiting. The campaign mimics “ClickFix-style” attacks, where users are manipulated into performing actions that inadvertently harm them, often without immediate awareness of the consequences.
The scheme’s core mechanism involves artificially inflating the volume of SMS messages sent to specific international numbers associated with high termination fees. A portion of these fees is then funneled back to the attackers through intricate revenue-sharing agreements embedded within the global telecommunications infrastructure.
Malwarebytes analyst Pieter Arntz documented this campaign, revealing it to be a long-running operation designed to target ordinary mobile internet users. What makes this particular fraud notable is its independence from malware or any form of device compromise. No malicious software is installed on the victim’s phone. Instead, the attackers exploit the operational nuances of telecom billing systems and affiliate networks, effectively converting everyday web traffic into a source of premium SMS revenue.
While an individual victim may not notice the impact immediately, a single interaction with these fake CAPTCHA pages can result in approximately $30 in international SMS charges on a typical consumer mobile plan.
Inside the Fraudulent Mechanism
Victims typically encounter these deceptive CAPTCHA pages after being rerouted through malicious advertising or Traffic Distribution System (TDS) redirects. A significant number of these redirects originate from typosquatted telecom domains—web addresses designed to closely resemble legitimate telecommunications company websites, capitalizing on user typos or inattention.
Upon landing on the fraudulent page, users are presented with what appears to be a standard image-selection or quiz-based CAPTCHA. The critical moment occurs when the user taps the “continue” button. Instead of completing a check inside the browser, this action hands off to the phone’s native SMS application with a message body already filled in and a recipient list populated with numerous international numbers. The standard way a web page does this is an `sms:` link (RFC 5724), which mobile browsers pass to the messaging app together with any recipients and `body` text encoded in the link; the user only has to tap “send”.
The fake CAPTCHA then guides the user through several steps. Each subsequent step sends additional messages to more than a dozen international destinations across 17 countries known for high SMS termination fees, including Azerbaijan, Myanmar, and Egypt. To prolong the user’s interaction and ensure multiple message sends, the attackers implement back-button hijacking. JavaScript on the scam page manipulates the browser’s history, causing the back button to reload the scam page rather than navigate away from it, effectively trapping the user.
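The two page-level indicators described above, an `sms:` link that fans out to many international recipients and history manipulation that traps the back button, are both visible in a page’s source before anything is sent. The following is an added example, not code from the Malwarebytes write-up or from the campaign, of a small static scanner that looks for them. The sample HTML, the phone numbers in it and the short list of country calling codes are constructed for illustration; the article names Azerbaijan (+994), Myanmar (+95) and Egypt (+20) but does not list all 17 destination countries, so the list is an assumption, not the campaign’s full set.

```javascript
// Added example: static scan of a page for the fake-CAPTCHA / SMS pumping
// indicators (many-recipient sms: link, high-risk destinations, back-button trap).

// Country calling codes for the destinations the article names. Assumption for
// illustration only; the campaign's full 17-country list is not on the page.
const HIGH_RISK_CC = { "994": "Azerbaijan", "95": "Myanmar", "20": "Egypt" };

// Parse one sms: URI of the RFC 5724 shape
//   sms:<recipient>[,<recipient>...][?body=<text>]
// Returns { recipients: [...], body: "..." } or null if it is not an sms: URI.
function parseSmsUri(uri) {
  const m = /^sms:([^?]*)(?:\?(.*))?$/i.exec(uri.trim());
  if (!m) return null;
  const recipients = m[1]
    .split(",")
    .map((s) => decodeURIComponent(s).replace(/[\s().-]/g, ""))
    .filter(Boolean);
  const params = new URLSearchParams(m[2] || "");
  return { recipients, body: params.get("body") || "" };
}

// Map an E.164-style number (+<cc><number>) to a named high-risk country,
// "other" for any other international number, or null for a domestic/short-code form.
function countryOf(number) {
  if (!number.startsWith("+")) return null;
  const digits = number.slice(1);
  const codes = Object.keys(HIGH_RISK_CC).sort((a, b) => b.length - a.length);
  const hit = codes.find((cc) => digits.startsWith(cc));
  return hit ? HIGH_RISK_CC[hit] : "other";
}

// Pull every sms: href out of raw HTML (attribute quoting optional, &amp; unescaped).
function extractSmsUris(html) {
  const out = [];
  const re = /href\s*=\s*["']?(sms:[^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1].replace(/&amp;/g, "&"));
  return out;
}

// Back-button trap pattern from the article: the page re-pushes itself onto the
// history stack whenever the user navigates back (popstate), so "back" reloads it.
function hasBackButtonTrap(html) {
  return /popstate/i.test(html) && /history\.pushState\s*\(/i.test(html);
}

// Combine the indicators into a verdict. maxRecipients is a tunable threshold:
// a legitimate "text us" link has one recipient, not a dozen.
function analyzePage(html, maxRecipients = 3) {
  const links = extractSmsUris(html).map(parseSmsUri).filter(Boolean);
  const recipients = links.flatMap((l) => l.recipients);
  const highRisk = recipients.filter((r) => {
    const c = countryOf(r);
    return c !== null && c !== "other";
  });
  const trap = hasBackButtonTrap(html);
  const reasons = [];
  if (recipients.length >= maxRecipients) reasons.push(`sms: link fans out to ${recipients.length} recipients`);
  if (highRisk.length > 0) reasons.push(`${highRisk.length} recipient(s) in high-termination-fee countries`);
  if (trap) reasons.push("back-button trap (history.pushState on popstate)");
  return {
    smsLinks: links.length,
    recipients: recipients.length,
    highRiskRecipients: highRisk.length,
    backButtonTrap: trap,
    reasons,
    suspicious: reasons.length > 0,
  };
}

// Constructed sample pages (not captured from the campaign).
const SCAM_HTML = `
<div class="captcha">Select all images with traffic lights, then tap Continue</div>
<a href="sms:+994501234567,+959123456789,+201001234567?body=OK%2012345">Continue</a>
<script>
  history.pushState(null, "", location.href);
  window.addEventListener("popstate", function () { history.pushState(null, "", location.href); });
</script>`;

const BENIGN_HTML = `
<div class="g-recaptcha" data-sitekey="example"></div>
<a href="sms:+15551234567?body=Hi">Text our support line</a>`;

console.log(JSON.stringify(analyzePage(SCAM_HTML), null, 2));
console.log(JSON.stringify(analyzePage(BENIGN_HTML), null, 2));
```

The scanner is deliberately source-level: it can run over crawled pages or proxy logs without a browser. In practice the recipient-count rule does most of the work, since no legitimate verification flow needs a user to message more than one number; the country list only adds context for triage.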
Researchers also discovered that this campaign is linked to a Click2SMS-style affiliate network. This network openly advertises its willingness to accept “all kinds of traffic,” essentially marketing IRSF as a legitimate revenue generation tool for various web publishers, including those operating in grey areas.
What You Should Do
- Never send an SMS to verify your identity online. Legitimate CAPTCHA systems function entirely within the browser and will never prompt you to open your SMS or phone dialer app.
- Regularly scrutinize your mobile phone bill for any small, unfamiliar international SMS charges. This type of fraud often appears as minor charges that are easy to overlook.
- If you identify suspicious charges, immediately dispute them with your mobile carrier. Consider requesting that international or premium SMS services be blocked on your account if you do not utilize them.
- Exercise caution and avoid the following malicious domains associated with this campaign: sweeffg[.]online, colnsdital[.]com, zawsterris[.]com, megaplaylive[.]com, and ruelomamuy[.]com.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.