CyberSecurity SEE

Fake CAPTCHA Scam Sparks Expensive SMS Fraud

Hackers Exploit Fake CAPTCHA Pages for International SMS Fraud Scheme

A new fraudulent scheme has emerged, where hackers are leveraging counterfeit CAPTCHA pages to orchestrate a silent yet profitable international SMS fraud operation. This nefarious activity turns the seemingly innocuous "prove you’re human" prompts into a revenue-generating mechanism built on international revenue share fraud (IRSF).

The process begins with cybercriminals constructing fake domains that mimic legitimate sites. These domains redirect unsuspecting victims through a traffic distribution system (TDS) that ultimately lands them on a fake CAPTCHA page. Unlike a standard CAPTCHA, which requires solving a puzzle to prove one's humanity, this page asks users to confirm their identity by sending SMS messages from their own devices. The device's SMS application is launched with a message already filled in and addressed to a long list of international numbers; all the victim has to do is tap send.

Research indicates that the scheme does not hinge on the difficulty of the challenges presented to users, but on the sheer volume of messages generated. In one documented instance, four CAPTCHA prompts resulted in 60 outbound SMS messages during a single verification attempt. The destination numbers span at least 17 countries, with a focus on regions where SMS termination fees are high. Nations like Azerbaijan, Egypt, Myanmar, the Netherlands, and Kazakhstan are prime targets, maximizing the financial gain per victim session.
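The prefilled "send SMS to confirm" step described above works through ordinary `sms:` links (RFC 5724 allows a comma-separated recipient list and a `body=` parameter). The following is an added example, not code from the original article or from the researchers it cites: a small Python checker that extracts every `sms:` link from a page and flags links that fan out to multiple international recipients or to the high-termination-fee countries the article names. The sample HTML, the phone numbers and the `HIGH_COST_PREFIXES` table are constructed for illustration; the dialling codes are real, but the list is deliberately limited to the countries mentioned in the text.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Dialling prefixes for the countries the article names as prime IRSF targets
# (constructed, illustrative list). Kazakhstan shares +7 with Russia, so +7 on
# its own is a weak signal and should be weighed together with the fan-out.
HIGH_COST_PREFIXES = {
    "994": "Azerbaijan",
    "20": "Egypt",
    "95": "Myanmar",
    "31": "Netherlands",
    "7": "Kazakhstan/Russia",
}

# Constructed sample page: one multi-recipient "verification" link and one
# harmless single-recipient support link. The numbers are placeholders.
SAMPLE_PAGE = """
<html><body>
<p>Confirm you are human</p>
<a href="sms:+994550000001,+20100000002,+95900000003,+31600000004,+77000000005?body=VERIFY%20A1">
  I'm not a robot</a>
<a href="sms:+15550000000?body=hello">Text support</a>
<a href="https://example.com/terms">Terms</a>
</body></html>
"""


class SmsLinkCollector(HTMLParser):
    """Collect every href that uses the sms: scheme."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("sms:"):
                self.links.append(value)


def parse_sms_uri(uri):
    """Return (recipients, body) for an sms: URI per RFC 5724 layout."""
    rest = uri[len("sms:"):]
    addr_part, _, query = rest.partition("?")
    recipients = [unquote(r).strip() for r in addr_part.split(",") if r.strip()]
    body = ""
    for param in query.split("&"):
        key, _, val = param.partition("=")
        if key.lower() == "body":
            body = unquote(val)
    return recipients, body


def country_of(number):
    """Map an E.164-style number to a high-cost country name, or a generic label."""
    if not number.startswith("+"):
        return None  # national format: not an international send
    digits = re.sub(r"\D", "", number)
    for length in (3, 2, 1):  # longest prefix first
        prefix = digits[:length]
        if prefix in HIGH_COST_PREFIXES:
            return HIGH_COST_PREFIXES[prefix]
    return "other international"


def assess_page(html, max_recipients=1):
    """Flag sms: links that fan out to several or high-cost international numbers."""
    collector = SmsLinkCollector()
    collector.feed(html)
    findings = []
    for uri in collector.links:
        recipients, body = parse_sms_uri(uri)
        intl = [(r, country_of(r)) for r in recipients if r.startswith("+")]
        high_cost = [r for r, c in intl if c in HIGH_COST_PREFIXES.values()]
        findings.append({
            "recipients": len(recipients),
            "international": len(intl),
            "high_cost": high_cost,
            "body": body,
            "suspicious": len(recipients) > max_recipients or bool(high_cost),
        })
    return findings


if __name__ == "__main__":
    for f in assess_page(SAMPLE_PAGE):
        print(f)
```

Legitimate one-time-code flows address a single short code or national number, so a link with more than one recipient, or any recipient in a high-termination-fee country, is a strong enough signal to block the page in a web proxy or to feed into takedown reporting.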

The scheme also exploits the billing timeline for international SMS. Charges for these messages may appear on phone bills weeks after the fact, so many users never realize that the unexpected fees stem from a forgotten CAPTCHA they completed days earlier. This delay adds to customer confusion and reduces the likelihood that victims will connect the dots.

At the heart of this fraudulent enterprise is IRSF, where criminals register or lease phone numbers in nations with high termination fees or light regulation. When a victim sends an international SMS to one of these fraudster-controlled numbers, their mobile carrier pays a termination fee to the foreign operator, which then shares a portion of that revenue with the fraudster behind the number. While an individual victim might incur around $30 in SMS charges, the operation becomes vastly more lucrative when scaled across thousands of devices.

Industry observations reveal that this form of fraud is part of a far-reaching issue referred to as artificially inflated traffic (AIT), which also encompasses IRSF-generated messaging traffic. Alarmingly, it is currently classified as the foremost financially damaging form of messaging fraud on a global scale. Approximately half of telecom carriers report significant losses alongside high fraudulent traffic volumes linked to this scheme.

This fraud scheme imposes a dual financial burden on telecom operators. They not only disburse revenue shares to criminal actors but also frequently absorb costs related to customer refunds when victims dispute the fraudulent charges.

To further obfuscate their activities and maximize conversions, the scam heavily relies on established commercial TDS infrastructure, commonly utilized for distributing scareware, ad fraud, and malware. In one specific instance noted, a typosquatted telecom domain redirected users through numerous TDS nodes before finally landing on a fraudulent CAPTCHA and subsequent gambling or adult-content sites, which continually trigger SMS messages with each click.

Additionally, the campaign’s design includes tracking parameters in URLs and cookies, allowing it to monitor user attributes like country, language, internet service provider, device type, and campaign identifiers. These cookies contain extensive lists of "valid products" as well as a success rate flag, which client-side code uses to decide whether to retain a user within the SMS cycle or redirect them to another fake CAPTCHA controlled by an alternate actor.

Patterns observed in DNS show that multiple domains and subdomains adhere to common naming themes such as “chat,” “vids,” and “tips.” There is a concentration of these domains on a limited set of IPs, indicating a well-organized and durable operation that has been running since at least mid-2020.

To obscure their fraudulent actions and offer a façade of legitimacy, these pages typically include misleading “terms of service” at the bottom, instructing users to check international SMS prices without revealing that each CAPTCHA step sends messages to a multitude of foreign numbers.

This deliberate fragmentation, combined with TDS-driven distribution across numerous countries and carriers, makes it hard for any single telecom operator or regulatory body to see the complete picture of the fraud. This allows the scheme to persist largely unnoticed for an extended duration.

For telecommunications companies and enterprises, enhanced vigilance in monitoring unusual spikes in international SMS traffic, the sharing of IRSF indicators across carriers, and the detection of TDS-driven traffic chains are critical strategies to dismantle this emerging blend of fake CAPTCHA systems, SMS fraud, and exploitation of advertising technology.
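As an added example of the "unusual spikes in international SMS traffic" monitoring the article recommends (this is not the article's or any carrier's code), the Python below scans mobile-originated SMS records and alerts on a subscriber who sends many international messages to several distinct countries within a short window, which is exactly the signature of one fake-CAPTCHA session. The record format, the subscriber IDs, the destination numbers and the thresholds are all constructed for illustration; real carrier CDRs differ, so `parse_cdr` would need adapting.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mobile-originated SMS records in a simple key=value layout
# (not a real carrier CDR format). Subscriber A1 shows the burst pattern the
# article describes; B2 and C3 show ordinary usage. Numbers are placeholders.
SAMPLE_CDRS = """\
2024-05-01T12:00:03Z sub=A1 dst=+994550000001 cc=AZ
2024-05-01T12:00:04Z sub=A1 dst=+20100000002 cc=EG
2024-05-01T12:00:04Z sub=A1 dst=+95900000003 cc=MM
2024-05-01T12:00:05Z sub=A1 dst=+31600000004 cc=NL
2024-05-01T12:00:05Z sub=A1 dst=+77000000005 cc=KZ
2024-05-01T12:01:40Z sub=A1 dst=+994550000006 cc=AZ
2024-05-01T12:01:41Z sub=A1 dst=+20100000007 cc=EG
2024-05-01T12:01:41Z sub=A1 dst=+95900000008 cc=MM
2024-05-01T12:01:42Z sub=A1 dst=+31600000009 cc=NL
2024-05-01T12:01:42Z sub=A1 dst=+77000000010 cc=KZ
2024-05-01T12:03:10Z sub=A1 dst=+994550000011 cc=AZ
2024-05-01T12:03:11Z sub=A1 dst=+20100000012 cc=EG
2024-05-01T12:00:10Z sub=B2 dst=+15550000100 cc=US
2024-05-01T12:15:00Z sub=B2 dst=+15550000101 cc=US
2024-05-01T13:00:00Z sub=B2 dst=+31600000200 cc=NL
2024-05-01T14:30:00Z sub=C3 dst=+15550000300 cc=US
2024-05-01T14:30:05Z sub=C3 dst=+15550000301 cc=US
"""

HOME_CC = "US"  # assumed home country of the monitored carrier


def parse_cdr(line):
    """Parse one constructed record into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_bursts(cdr_text, home_cc, window=timedelta(minutes=10),
                min_msgs=8, min_countries=3):
    """Return one alert per subscriber whose international SMS fan-out inside
    any sliding window reaches min_msgs messages to min_countries countries."""
    by_sub = defaultdict(list)
    for line in cdr_text.splitlines():
        if not line.strip():
            continue
        rec = parse_cdr(line)
        if rec["cc"] != home_cc:  # only international destinations count
            by_sub[rec["sub"]].append(rec)

    alerts = []
    for sub, recs in by_sub.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):
            # advance the window start until it fits inside the time window
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            window_recs = recs[start:end + 1]
            countries = {r["cc"] for r in window_recs}
            if (len(window_recs) >= min_msgs and len(countries) >= min_countries
                    and (best is None or len(window_recs) > best["messages"])):
                best = {
                    "sub": sub,
                    "messages": len(window_recs),
                    "countries": sorted(countries),
                    "from": window_recs[0]["ts"],
                    "to": window_recs[-1]["ts"],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_CDRS, HOME_CC):
        print(alert)
```

Alerting near real time on the burst, rather than on the bill, is what lets a carrier rate-limit the subscriber's international SMS before the termination fees accrue and share the destination numbers with other operators as IRSF indicators.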

As the industry grapples with this growing concern, awareness, vigilance, and collaboration among stakeholders will be vital to combat this sophisticated and troubling form of cybercrime.
