Fake CAPTCHA Pages Lead to Costly International SMS Fraud
Key Takeaways
- Cybercriminals are exploiting fake CAPTCHA pages to trick users into sending costly international SMS messages.
- This scheme, identified as International Revenue Share Fraud (IRSF), has been active since at least June 2020.
- Victims are lured through sophisticated Traffic Distribution Systems (TDS), making detection difficult.
- A single interaction can cost a user approximately $30, with charges appearing weeks later on phone bills.
- No legitimate CAPTCHA or online verification service requires sending an SMS message.
Sophisticated CAPTCHA Impersonation Leads to Global SMS Fraud
CAPTCHA tests, designed to differentiate legitimate human users from automated bots, are a fundamental security component across the internet. These familiar challenges, often involving image recognition or text entry, are meant to protect websites from malicious activity. However, a new wave of cybercriminal activity has weaponized this ubiquitous security measure, leveraging fake CAPTCHA pages to orchestrate a lucrative international SMS fraud scheme.
Threat actors are deploying deceptive CAPTCHA pages that covertly compel users to send premium-rate international text messages, silently accumulating significant charges on their mobile phone bills. This malicious operation is part of a broader telecom fraud known as International Revenue Share Fraud (IRSF), a scheme that security researchers have tracked since at least June 2020.
The Deceptive Mechanism of IRSF
The fraudulent operation directs unsuspecting users to websites meticulously crafted to mimic authentic verification portals. Instead of presenting a standard CAPTCHA challenge, these counterfeit pages instruct visitors to send an SMS as a “human verification” step. Unbeknownst to the victims, these messages are routed to premium-rate numbers located in countries with exceptionally high termination fees, such as Azerbaijan, Egypt, and Myanmar.
Each text message successfully sent generates revenue for the fraudsters, who have established agreements with local carriers to receive a portion of these inflated telecom fees. The financial impact often goes unnoticed by victims for several weeks, only becoming apparent when their monthly phone statements arrive with unexpected and substantial charges.
Infoblox Threat Intel researchers conducted a comprehensive investigation into this operation, documenting its full scope. Their findings reveal that even a single interaction with one of these fake CAPTCHA pages can result in the dispatch of up to 60 international SMS messages to over 50 different destinations. This can cost an individual victim approximately thirty dollars in a single session. While the individual monetary impact might seem modest, the potential for millions of victims globally makes this a highly profitable enterprise for the perpetrators.
Evading Detection with Traffic Distribution Systems
A critical factor contributing to the severity of this threat is the sophisticated method used to direct victims to these malicious pages. The campaign employs a Traffic Distribution System (TDS), which acts as an intricate routing mechanism. This system funnels web traffic through multiple intermediary layers before ultimately delivering users to the fraudulent landing page. Researchers observed one attack chain initiating when a user visited a typosquatted domain resembling a major U.S. telecom company. This then triggered a series of redirects through various TDS nodes, culminating in the fake CAPTCHA interface. This complex infrastructure is instrumental in helping the operation evade detection by both security researchers and automated defense systems.
The IRSF scheme inflicts damage on both individual consumers and telecom carriers. Service providers frequently bear the burden of losses stemming from customer disputes while inadvertently channeling revenue to the fraudsters. Infoblox Threat Intel identified 35 distinct phone numbers across 17 countries involved in this campaign. The underlying infrastructure has maintained a consistent presence on the same network since June 2020. This broad geographical distribution makes it exceedingly challenging for any single telecom provider to ascertain the full extent of the fraud.
How the Attack Mechanism Works
The technical design behind these fake CAPTCHA pages is deceptively simple yet highly effective. Upon arriving at one of these pages, users are presented with what appears to be a typical CAPTCHA task, such as identifying specific objects or images. After each attempt to solve the challenge, a JavaScript component on the page silently communicates with the attacker’s server. This server then responds with a pre-configured list of international phone numbers and a pre-written SMS message. The user’s mobile device automatically opens their messaging application with these details pre-populated, requiring only a single tap to “send” the message.
Adding another layer of persistence, the campaign also incorporates “back button hijacking.” If a user attempts to navigate away from the page by pressing the browser’s back button, a script manipulates the browser history, redirecting the victim back to the CAPTCHA page. This loop, first observed in January 2023, effectively traps users until they force-close their browser. While a subtle disclaimer at the bottom of these pages broadly describes a “service exchange,” it conspicuously omits any mention that dozens of paid international messages will be sent, functioning as a deliberate act of misdirection rather than genuine disclosure.
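A triage check for the pre-populated message step described above, added here as an example and not taken from the Infoblox research. It assumes the page or its server response hands the numbers to the messaging app as an RFC 5724 `sms:` URI, which the article does not state; `triage_page`, the `+1` home prefix and every number in `SAMPLE` are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Country codes of the destinations the article names.
HIGH_FEE_PREFIXES = {"+994": "Azerbaijan", "+20": "Egypt", "+95": "Myanmar"}
# RFC 5724: sms:<number>[,<number>...][?body=<percent-encoded text>]
SMS_URI = re.compile(r"\bsms:([+\d,\-.()]+)(?:\?([^\s\"'<>]*))?", re.IGNORECASE)

# Constructed sample of captured page text; every number is a placeholder.
SAMPLE = (
    '<a href="sms:+15550100?body=STOP">Opt out</a>\n'
    '<a href="sms:+994000000001,+20000000002,+95000000003?body=VERIFY%20HUMAN">Continue</a>\n'
)

def parse_sms_uri(uri):
    """Split an sms: URI into (recipient list, decoded body)."""
    m = SMS_URI.match(uri)
    if not m:
        return [], ""
    recipients = [re.sub(r"[^\d+]", "", r) for r in m.group(1).split(",")]
    body = ""
    for param in (m.group(2) or "").split("&"):
        key, _, value = param.partition("=")
        if key.lower() == "body":
            body = unquote(value)
    return [r for r in recipients if r], body

def triage_page(content, home_prefix="+1"):
    """Return one finding per sms: URI in the text, with the reasons it resembles IRSF bait."""
    findings = []
    for m in SMS_URI.finditer(content):
        recipients, body = parse_sms_uri(m.group(0))
        reasons = []
        if len(recipients) > 1:
            reasons.append("multiple recipients")
        if any(r.startswith("+") and not r.startswith(home_prefix) for r in recipients):
            reasons.append("international destination")
        named = sorted({c for r in recipients for p, c in HIGH_FEE_PREFIXES.items() if r.startswith(p)})
        if named:
            reasons.append("high-fee country: " + ", ".join(named))
        findings.append({"recipients": recipients, "body": body, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in triage_page(SAMPLE):
        print(finding)
```

A domestic single-recipient link such as an opt-out short code comes back with an empty `reasons` list, so the check separates ordinary `sms:` links from multi-destination international ones.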

What You Should Do
- Never send an SMS message for CAPTCHA verification: No legitimate CAPTCHA or online verification service will ever require you to send a text message. Consider any request to do so as a red flag for fraud.
- Regularly review your phone bill: Scrutinize your monthly mobile phone statements for any unexpected international SMS charges or unusual activity. Report suspicious charges to your carrier immediately.
- Be cautious of unfamiliar websites and redirects: Exercise vigilance when clicking links or encountering unexpected redirects, especially if they lead to pages demanding unusual verification methods.
- For organizations: Implement robust DNS security solutions to detect and block known Traffic Distribution Systems (TDS) and other malicious redirect domains.
- For telecom carriers: Deploy real-time monitoring and anomaly detection systems to identify and block artificially inflated SMS traffic patterns indicative of IRSF. Collaboration across carriers is crucial given the international nature of these campaigns.
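The carrier-side anomaly check in the last item, sketched as an added example rather than any carrier's or Infoblox's detection logic. It keys on the pattern the article reports (one session fanning out to dozens of distinct international destinations); the record layout, the 10-minute window, the threshold of 5 and the `+1` home prefix are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def flag_sms_bursts(records, home_prefix="+1", window=timedelta(minutes=10), min_destinations=5):
    """Flag subscribers who text many distinct international numbers inside one window.

    records: iterable of (subscriber, ISO-8601 timestamp, destination) tuples.
    Returns {subscriber: peak count of distinct international destinations in a window}.
    """
    parsed = sorted((datetime.fromisoformat(ts), sub, dest) for sub, ts, dest in records)
    recent = defaultdict(deque)  # subscriber -> (time, destination) pairs still in the window
    flagged = {}
    for now, sub, dest in parsed:
        if dest.startswith(home_prefix):
            continue  # domestic traffic is out of scope for IRSF
        q = recent[sub]
        q.append((now, dest))
        while now - q[0][0] > window:
            q.popleft()  # drop messages older than the window
        distinct = len({d for _, d in q})
        if distinct >= min_destinations:
            flagged[sub] = max(flagged.get(sub, 0), distinct)
    return flagged

def sample_records():
    """Constructed CDR rows; subscriber ids and numbers are placeholders."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    rows = []
    for i in range(6):  # sub-A: six distinct foreign numbers in under two minutes
        rows.append(("sub-A", (base + timedelta(seconds=15 * i)).isoformat(), f"+99400000000{i}"))
    for i in range(6):  # sub-B: one foreign contact texted repeatedly
        rows.append(("sub-B", (base + timedelta(minutes=5 * i)).isoformat(), "+20000000001"))
    for i in range(5):  # sub-C: distinct foreign numbers, one per day
        rows.append(("sub-C", (base + timedelta(days=i)).isoformat(), f"+9500000000{i}"))
    return rows

if __name__ == "__main__":
    print(flag_sms_bursts(sample_records()))
```

Counting distinct destinations rather than message volume keeps a subscriber who texts one relative abroad many times from being flagged.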
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


