Fake CAPTCHA Pages Trigger Costly International SMS Fraud

Designed to distinguish humans from bots, CAPTCHA tests are a ubiquitous feature across the internet. These familiar challenges often involve tasks like selecting specific images or typing out obscured characters, serving as a fundamental security measure.

But cybercriminals have found a way to weaponize this process. Hackers are now building fake CAPTCHA pages that trick users into sending paid international text messages, quietly charging their phone bills.

This threat is tied to a telecom fraud scheme called International Revenue Share Fraud, or IRSF, active since at least June 2020.

The scheme lures users to websites that look like legitimate verification pages. Instead of a normal CAPTCHA, these fake pages instruct users to send an SMS message to prove they are human.

What victims do not know is that those messages go to phone numbers in countries with very high termination fees, such as Azerbaijan, Egypt, and Myanmar.

Every text generates revenue for the fraudster, who has pre-arranged a share of telecom fees with local carriers. Victims usually discover the damage weeks later when unexpected charges appear on their phone bill.

Infoblox Threat Intel researchers identified and documented this operation in full.

Their investigation found that a single interaction with one fake CAPTCHA page can trigger as many as 60 international SMS messages across more than 50 destinations, costing a victim around thirty dollars in one session.

While that may seem small individually, the scale across millions of potential victims makes it extremely profitable for the threat actors behind it.

What makes this threat particularly serious is how victims arrive at these pages.

The campaign uses a Traffic Distribution System, or TDS, which quietly routes web traffic through multiple layers before placing users on a malicious landing page.

Researchers traced one attack chain that began when a user visited a lookalike domain of a major U.S. telecom company, triggering a series of redirects through TDS nodes before landing on a fake CAPTCHA page.

This infrastructure helps the operation stay hidden from security researchers and automated detection systems.

The fraud harms both individuals and carriers at the same time. Telecom providers often absorb losses from customer disputes while unknowingly paying revenue to fraudsters.

Infoblox Threat Intel observed 35 phone numbers spanning 17 countries in this campaign, and the infrastructure has stayed consistent on the same network since June 2020. The spread across many countries makes it nearly impossible for any single provider to detect the full scope.

How the Attack Mechanism Works

The technical design of this fake CAPTCHA is simple, but its deception is effective. When a user lands on one of these pages, they see what looks like a normal task, such as identifying animals or choosing images.

After each answer, JavaScript quietly contacts the attacker’s server, which returns a pre-loaded list of international phone numbers and a pre-written message.

The user’s phone then opens the messaging app with those numbers and text already filled in. The victim only needs to tap send.

The campaign also uses back button hijacking. When a user tries to leave by pressing back, a script pushes the current URL into the browser history and redirects the victim back to the CAPTCHA page.

First observed in January 2023, this loop keeps users trapped until they force-close the browser.

A disclaimer at the bottom loosely frames the process as a service exchange but never discloses that dozens of paid international messages will be sent, making it misdirection rather than disclosure.

Never send an SMS message as part of any CAPTCHA or online verification process, as no legitimate service requires this. Check your phone bill monthly and contact your carrier immediately if unexpected international SMS charges appear.

Organizations should use DNS security tools to detect and block known TDS and malicious redirect domains.

Telecom carriers should implement real-time monitoring to identify and block artificially inflated SMS traffic. Avoiding spoofed pages and pop-ups is not enough. Do not send a text to confirm you are human.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.