Fake CAPTCHA Pages Lead to Costly International SMS Fraud

Marcus Rodriguez
April 24, 2026

Key Takeaways

  • Cybercriminals are exploiting fake CAPTCHA pages to trick users into sending costly international SMS messages.
  • This scheme, identified as International Revenue Share Fraud (IRSF), has been active since at least June 2020.
  • Victims are lured through sophisticated Traffic Distribution Systems (TDS), making detection difficult.
  • A single interaction can cost a user approximately $30, with charges appearing weeks later on phone bills.
  • No legitimate CAPTCHA or online verification service requires sending an SMS message.

Sophisticated CAPTCHA Impersonation Leads to Global SMS Fraud

CAPTCHA tests, designed to differentiate legitimate human users from automated bots, are a fundamental security component across the internet. These familiar challenges, often involving image recognition or text entry, are meant to protect websites from malicious activity. However, a new wave of cybercriminal activity has weaponized this ubiquitous security measure, leveraging fake CAPTCHA pages to orchestrate a lucrative international SMS fraud scheme.

Threat actors are deploying deceptive CAPTCHA pages that covertly compel users to send premium-rate international text messages, silently accumulating significant charges on their mobile phone bills. This malicious operation is part of a broader telecom fraud known as International Revenue Share Fraud (IRSF), a scheme that security researchers have tracked since at least June 2020.

The Deceptive Mechanism of IRSF

The fraudulent operation directs unsuspecting users to websites meticulously crafted to mimic authentic verification portals. Instead of presenting a standard CAPTCHA challenge, these counterfeit pages instruct visitors to send an SMS as a “human verification” step. Unbeknownst to the victims, these messages are routed to premium-rate numbers located in countries with exceptionally high termination fees, such as Azerbaijan, Egypt, and Myanmar.

Each text message successfully sent generates revenue for the fraudsters, who have established agreements with local carriers to receive a portion of these inflated telecom fees. The financial impact often goes unnoticed by victims for several weeks, only becoming apparent when their monthly phone statements arrive with unexpected and substantial charges.

Infoblox Threat Intel researchers conducted a comprehensive investigation into this operation, documenting its full scope. Their findings reveal that even a single interaction with one of these fake CAPTCHA pages can result in the dispatch of up to 60 international SMS messages to over 50 different destinations. This can cost an individual victim approximately thirty dollars in a single session. While the individual monetary impact might seem modest, the potential for millions of victims globally makes this a highly profitable enterprise for the perpetrators.

Evading Detection with Traffic Distribution Systems

A critical factor contributing to the severity of this threat is the sophisticated method used to direct victims to these malicious pages. The campaign employs a Traffic Distribution System (TDS), which acts as an intricate routing mechanism. This system funnels web traffic through multiple intermediary layers before ultimately delivering users to the fraudulent landing page. Researchers observed one attack chain initiating when a user visited a typosquatted domain resembling a major U.S. telecom company. This then triggered a series of redirects through various TDS nodes, culminating in the fake CAPTCHA interface. This complex infrastructure is instrumental in helping the operation evade detection by both security researchers and automated defense systems.

The IRSF scheme inflicts damage on both individual consumers and telecom carriers. Service providers frequently bear the burden of losses stemming from customer disputes while inadvertently channeling revenue to the fraudsters. Infoblox Threat Intel identified 35 distinct phone numbers across 17 countries involved in this campaign. The underlying infrastructure has maintained a consistent presence on the same network since June 2020. This broad geographical distribution makes it exceedingly challenging for any single telecom provider to ascertain the full extent of the fraud.

How the Attack Mechanism Works

The technical design behind these fake CAPTCHA pages is deceptively simple yet highly effective. Upon arriving at one of these pages, users are presented with what appears to be a typical CAPTCHA task, such as identifying specific objects or images. After each attempt to solve the challenge, a JavaScript component on the page silently communicates with the attacker’s server. This server then responds with a pre-configured list of international phone numbers and a pre-written SMS message. The user’s mobile device automatically opens their messaging application with these details pre-populated, requiring only a single tap to “send” the message.

Adding another layer of persistence, the campaign also incorporates “back button hijacking.” If a user attempts to navigate away from the page by pressing the browser’s back button, a script manipulates the browser history, redirecting the victim back to the CAPTCHA page. This loop, first observed in January 2023, effectively traps users until they force-close their browser. While a subtle disclaimer at the bottom of these pages broadly describes a “service exchange,” it conspicuously omits any mention that dozens of paid international messages will be sent, functioning as a deliberate act of misdirection rather than genuine disclosure.
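A defender-side check for the two behaviours just described, added here as an example and not taken from Infoblox or the original article. It assumes the page opens the messaging app through an RFC 5724 `sms:` URI and traps the back button with the History API (the article names neither), and the sample page and its phone numbers are constructed placeholders.

```python
import re
from urllib.parse import unquote, parse_qs

# Assumption: the messaging app is opened through an RFC 5724 "sms:" URI and
# the back button is trapped with the History API; the article names neither.
SMS_URI = re.compile(r"""\bsms:([^"'\s<>]+)""", re.IGNORECASE)
HISTORY_WRITE = re.compile(r"history\s*\.\s*(?:pushState|replaceState)\s*\(")
POPSTATE_HOOK = re.compile(r"""onpopstate|["']popstate["']""")

# Constructed sample: placeholder numbers under the country codes of
# Azerbaijan (+994), Egypt (+20) and Myanmar (+95), not real indicators.
SAMPLE_PAGE = '''
<a href="sms:+994000000001,+20000000002,+95000000003?body=VERIFY%201234">Verify</a>
<script>
  history.pushState(null, "", location.href);
  window.addEventListener("popstate", keepHere);
</script>
'''

def scan_page(source, home_prefix="+1"):
    """Return the SMS and history-trap indicators found in page source."""
    recipients, bodies = [], []
    for match in SMS_URI.finditer(source):
        target, _, query = match.group(1).partition("?")
        recipients += [n for n in re.split(r"[,;]", unquote(target)) if n]
        bodies += parse_qs(query).get("body", [])
    # A recipient is "foreign" when it carries a country code other than the user's.
    foreign = [n for n in recipients
               if n.startswith("+") and not n.startswith(home_prefix)]
    trap = bool(HISTORY_WRITE.search(source) and POPSTATE_HOOK.search(source))
    reasons = []
    if foreign:
        reasons.append("sms: link pre-fills %d international recipient(s)" % len(foreign))
    if len(recipients) > 1:
        reasons.append("one tap sends to several numbers")
    if trap:
        reasons.append("history is rewritten around a popstate handler")
    return {"recipients": recipients, "foreign": foreign, "bodies": bodies,
            "history_trap": trap, "reasons": reasons,
            "suspicious": bool(foreign) and (len(recipients) > 1 or trap)}

if __name__ == "__main__":
    report = scan_page(SAMPLE_PAGE)
    print("suspicious:", report["suspicious"])
    for reason in report["reasons"]:
        print(" -", reason)
```

Because the article says the numbers arrive from the server after each attempt, static source may contain no `sms:` link at all; the same function can be run over the rendered DOM or captured script responses from a crawler.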

When a user encounters this IRSF actor, they will be taken through a series of fake CAPTCHAs, each requiring an SMS message to prove they are human (Source - Infoblox)

What You Should Do

  • Never send an SMS message for CAPTCHA verification: No legitimate CAPTCHA or online verification service will ever require you to send a text message. Consider any request to do so as a red flag for fraud.
  • Regularly review your phone bill: Scrutinize your monthly mobile phone statements for any unexpected international SMS charges or unusual activity. Report suspicious charges to your carrier immediately.
  • Be cautious of unfamiliar websites and redirects: Exercise vigilance when clicking links or encountering unexpected redirects, especially if they lead to pages demanding unusual verification methods.
  • For organizations: Implement robust DNS security solutions to detect and block known Traffic Distribution Systems (TDS) and other malicious redirect domains.
  • For telecom carriers: Deploy real-time monitoring and anomaly detection systems to identify and block artificially inflated SMS traffic patterns indicative of IRSF. Collaboration across carriers is crucial given the international nature of these campaigns.
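For the carrier-side monitoring recommended above, a sliding-window check over SMS records that flags a subscriber who sends many international messages to many distinct destinations within one short session, the pattern the article describes. This is an added example, not code from the article or from Infoblox; the record layout, window length, thresholds and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values; tune to the network's normal roaming and messaging profile.
WINDOW = timedelta(minutes=10)   # treated as one browsing session
MIN_MESSAGES = 10                # international SMS inside the window
MIN_DESTINATIONS = 8             # distinct destination numbers inside the window

def detect_bursts(records, home_prefix="+1"):
    """records: time-ordered (iso_time, subscriber, destination) tuples.
    Returns {subscriber: (first_alert_time, messages, distinct_destinations)}."""
    windows = defaultdict(deque)
    alerts = {}
    for iso_time, subscriber, dest in records:
        if not dest.startswith("+") or dest.startswith(home_prefix):
            continue  # domestic or short-code traffic is out of scope here
        when = datetime.fromisoformat(iso_time)
        win = windows[subscriber]
        win.append((when, dest))
        while when - win[0][0] > WINDOW:
            win.popleft()  # drop messages that fell out of the window
        distinct = len({d for _, d in win})
        if (subscriber not in alerts and len(win) >= MIN_MESSAGES
                and distinct >= MIN_DESTINATIONS):
            alerts[subscriber] = (iso_time, len(win), distinct)
    return alerts

def sample_records():
    """Constructed records: one fraud-like burst and two ordinary subscribers."""
    start = datetime(2026, 4, 1, 12, 0, 0)
    rows = []
    for i in range(12):  # burst: 12 SMS to 12 numbers, 15 seconds apart
        rows.append((start + timedelta(seconds=15 * i), "sub-A", "+9940000000%02d" % i))
    for i in range(12):  # one contact abroad, one message per hour
        rows.append((start + timedelta(hours=i), "sub-B", "+20000000001"))
    for i in range(3):   # a few international messages, below thresholds
        rows.append((start + timedelta(minutes=i), "sub-C", "+9500000000%d" % i))
    rows.sort()
    return [(t.isoformat(), s, d) for t, s, d in rows]

if __name__ == "__main__":
    for sub, (when, count, distinct) in detect_bursts(sample_records()).items():
        print("%s: %d international SMS to %d numbers by %s" % (sub, count, distinct, when))
```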

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.
