Cybercriminals are exploiting the familiar CAPTCHA process, tricking unsuspecting internet users into sending expensive international text messages through fake verification pages. This emerging threat, documented by Infoblox Threat Intel researchers, is part of a sophisticated International Revenue Share Fraud (IRSF) scheme that has been active since at least June 2020. This tactic leverages deceptive web pages that mimic legitimate verification forms, but instead of a standard check, they prompt users to send an SMS, silently incurring significant charges on their phone bills.
The perpetrators of this fraud, often referred to as IRSF actors, have established agreements with telecom carriers in countries with exceptionally high SMS termination rates, such as Azerbaijan, Egypt, and Myanmar. Each message sent by a victim directly benefits the fraudster, who receives a predetermined revenue share. Typically, victims only become aware of the fraudulent activity much later when they review their surprisingly inflated phone bills, often weeks after the initial interaction with the fake CAPTCHA page.
Hackers Use Fake CAPTCHAs to Drive Costly International SMS Fraud
The deceptive nature of these fake CAPTCHA pages is their primary strength. These pages are designed to appear entirely legitimate, guiding users through what seems like a routine security check. During this process, users are instructed to send an SMS message to a specific number to prove they are human. However, unbeknownst to them, these messages are routed to premium-rate international numbers controlled by the fraudsters.
Infoblox Threat Intel’s investigation revealed the alarming scale of this operation. A single interaction with one of these deceptive CAPTCHA pages can trigger as many as 60 international SMS messages, potentially spanning over 50 different destination countries. This can result in an individual victim incurring approximately thirty dollars in charges from a single session. While this amount might seem minor in isolation, the cumulative effect across millions of potential victims generates substantial profits for the threat actors.
The method by which users are directed to these malicious pages is particularly concerning. The campaign utilizes a Traffic Distribution System (TDS), an intricate network that discreetly routes web traffic through numerous intermediary points before landing users on a malicious website. Researchers were able to trace one attack chain that commenced when a user visited a domain designed to look like a major U.S. telecom provider’s website. This initial visit then initiated a cascade of redirects through multiple TDS nodes, ultimately leading the user to a fake CAPTCHA page.
This sophisticated infrastructure plays a crucial role in the operation’s longevity and evasion tactics. By obscuring the true destination of the traffic, the TDS makes it exceedingly difficult for security researchers and automated detection systems to identify and dismantle the fraudulent network. The distributed nature of the attack, spanning numerous countries and phone numbers, further complicates efforts by individual telecom providers to detect the full scope of the fraud, as a single provider might only see a fraction of the overall activity.
The financial repercussions of this fraud extend to both individuals and telecom carriers. Individuals face unexpected and often substantial charges on their phone bills. Meanwhile, telecom providers frequently absorb the financial losses associated with customer disputes arising from these fraudulent charges. Moreover, carriers are unknowingly paying a portion of these inflated SMS fees to the fraudsters, effectively subsidizing the criminal enterprise. Infoblox Threat Intel identified 35 phone numbers across 17 countries implicated in this ongoing campaign, and their analysis indicates that the core infrastructure has remained consistent on the same network since June 2020, demonstrating a persistent and evolving threat.
How the Attack Mechanism Works
The technical sophistication of this attack lies in its deceptive simplicity. Once a user lands on a fake CAPTCHA page, they are presented with a task that appears innocuous, such as selecting images or identifying animals. The crucial element is the JavaScript embedded within these pages. After each user interaction, this script silently communicates with the attacker’s server. In response, the server sends back a pre-compiled list of international phone numbers and a corresponding pre-written SMS message.
The user’s mobile device then automatically initiates the messaging application, populating it with the attacker-provided numbers and message content. The victim’s only remaining action is to tap the send button, unknowingly triggering the expensive international SMS. This direct user action is key to the fraud, as it bypasses many automated fraud detection systems that might flag unsolicited bulk messaging from a single source.
Furthermore, the campaign employs back button hijacking techniques to trap users. If a user attempts to navigate away from the fake CAPTCHA page by pressing the back button in their browser, a malicious script intervenes. This script manipulates the browser’s history by reinserting the current malicious URL and then redirects the user back to the CAPTCHA page. This creates a loop, effectively forcing the user to remain on the page until they manually close the browser application. This tactic, first observed in January 2023, is designed to maximize the number of SMS messages sent.
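The page behaviour described above (a messaging app opened with server-supplied recipients and a pre-written body, then the page's own URL reinserted into history after a back press) can be checked for in a sandbox capture. This is an added example, not code from Infoblox or from the campaign. It assumes a hypothetical event log format, and the field names, phone numbers and the captcha.example URL are constructed.

```javascript
// Added example: triage of page-behaviour events recorded by a sandboxed browser.
// Event shape ({type, url}) and the finding names are assumptions for illustration.
const safeDecode = s => { try { return decodeURIComponent(s); } catch { return s; } };

// Parse an sms: URI (RFC 5724 style "sms:<n1>,<n2>?body=..."; "&body=" also accepted).
function parseSmsUri(uri) {
  const m = /^sms:([^?&]*)(?:[?&](.*))?$/i.exec(String(uri).trim());
  if (!m) return null;
  const recipients = safeDecode(m[1]).split(',')
    .map(n => n.replace(/[\s().-]/g, '')).filter(Boolean);
  const body = /(?:^|&)body=([^&]*)/i.exec(m[2] || '');
  return { recipients, body: body ? safeDecode(body[1]) : null };
}

// Flag the fake-CAPTCHA indicators: pre-filled SMS to numbers outside the
// user's home prefix, repeated SMS launches, and a history-based back trap.
function triage(events, homePrefix = '+1') {
  const findings = new Set(), foreign = new Set();
  let pageUrl = null, sawBack = false, smsLaunches = 0;
  for (const ev of events) {
    if (ev.type === 'load') pageUrl = ev.url;
    if (ev.type === 'popstate') sawBack = true;
    // Page re-pushes its own URL after the user pressed back.
    if (ev.type === 'pushState' && sawBack && ev.url === pageUrl) findings.add('back-button-trap');
    const sms = ev.type === 'navigate' ? parseSmsUri(ev.url) : null;
    if (!sms) continue;
    smsLaunches++;
    if (sms.recipients.length > 1) findings.add('multi-recipient-sms');
    if (sms.body) findings.add('prefilled-body');
    for (const n of sms.recipients) {
      if (n.startsWith('+') && !n.startsWith(homePrefix)) foreign.add(n);
    }
  }
  if (foreign.size > 0) findings.add('international-recipients');
  if (smsLaunches > 1) findings.add('repeated-sms-launch');
  return { findings: [...findings].sort(), foreignNumbers: [...foreign], smsLaunches };
}

// Constructed sample capture (numbers are placeholders, not real indicators).
const SAMPLE_EVENTS = [
  { type: 'load', url: 'https://captcha.example/verify' },
  { type: 'navigate', url: 'sms:+994000000001,+20000000002?body=VERIFY%201234' },
  { type: 'popstate' },
  { type: 'pushState', url: 'https://captcha.example/verify' },
  { type: 'navigate', url: 'sms:+95000000003&body=VERIFY%205678' },
];
```

Calling `triage(SAMPLE_EVENTS)` returns all five findings and the three non-home-prefix numbers; a capture with no `sms:` navigation and no history re-push returns an empty findings list.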
A vague disclaimer often presented at the bottom of these pages attempts to frame the process as a necessary exchange for accessing content or services. However, this disclaimer fails to disclose the significant details: that dozens of paid international text messages will be sent. This constitutes misdirection rather than a transparent disclosure of the user’s actions and their financial implications, further highlighting the deceptive nature of the operation.
Security experts consistently advise never to send an SMS message as part of any online verification or CAPTCHA process, as legitimate services do not require this action. Vigilance in monthly phone bill review and prompt reporting of unexpected international SMS charges to carriers are crucial protective measures for individuals.

