Internet users are well-acquainted with CAPTCHA tests, which are typically used to confirm that a user is human by having them select images or type characters. However, cybercriminals have adapted this verification process into a tool for deception. These criminals create fraudulent CAPTCHA pages that trick users into unknowingly sending costly international SMS messages, which are then charged to their phone accounts.
Understanding the IRSF Scheme
The fraudulent activity is linked to a telecom fraud known as International Revenue Share Fraud (IRSF), which has been operational since at least June 2020. This scheme involves directing users to websites that mimic legitimate verification pages. Instead of a standard CAPTCHA, these pages instruct users to send a text message as proof of their humanity.
Victims are unaware that their messages are sent to numbers in countries with high termination fees, such as Azerbaijan, Egypt, and Myanmar. Each message sent generates income for the fraudsters, who have pre-arranged agreements with local telecom carriers to share the revenue. Victims typically realize the scam weeks later when unexpected charges appear on their phone bills.
The Scale and Impact of the Scam
Researchers at Infoblox Threat Intel have thoroughly documented this operation. Their findings indicate that a single interaction with a fraudulent CAPTCHA page can lead to as many as 60 international text messages to over 50 destinations, costing the victim approximately thirty dollars per session. While this may seem minimal per individual, the cumulative effect across millions of potential victims makes it highly lucrative for the perpetrators.
The threat is exacerbated by the method victims use to arrive at these pages. The campaign employs a Traffic Distribution System (TDS), which inconspicuously routes web traffic through various layers before landing users on a malicious site. In one traced instance, a user visiting a mimic domain of a prominent U.S. telecom provider was redirected through multiple TDS nodes to a fake CAPTCHA page. This sophisticated infrastructure helps the scam evade detection from security systems and researchers.
How the Attack Mechanism Operates
The technical setup of these fake CAPTCHA pages is simple yet effective in its deception. Users are presented with what appears to be a standard task, such as selecting specific images. After each response, JavaScript on the page communicates with the attacker’s server, which sends back a list of international numbers and a message draft. The user’s device then opens a messaging app, pre-filled with this information, requiring only a tap to send.
A further complication in this scheme is the use of back button hijacking. When users attempt to navigate away by pressing the back button, a script manipulates the browser history, redirecting them back to the CAPTCHA page. First observed in January 2023, this tactic traps users in a loop until they forcibly close the browser. Although a disclaimer is present, it misleadingly suggests a service exchange without revealing the true nature of the SMS charges.
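The mechanism described in this section (a page that hands the browser sms: links to foreign numbers and traps the back button through history manipulation) leaves static indicators that an analyst or URL-scanning pipeline can look for. The following Python scanner is an added example written for this article; it is not code from Infoblox or from the campaign. It assumes a page's HTML is already fetched, assumes +1 is the victim's home calling code, and uses only the three calling codes named above (Azerbaijan +994, Egypt +20, Myanmar +95) as its risk table; the sample page and its phone numbers are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Calling codes of the high termination-fee destinations named in the article.
# A production scanner would load a full list from a telecom fraud feed.
HIGH_RISK_CODES = {"994": "Azerbaijan", "20": "Egypt", "95": "Myanmar"}

# Constructed sample page (placeholder numbers, no real domain) showing the
# two indicators: sms: links to foreign numbers and a back-button trap.
SAMPLE_HTML = """
<html><body>
<p>Verify you are human: send the code below.</p>
<a href="sms:+994000000000,+20000000000?body=VERIFY%2012345">Verify</a>
<a href="sms:+95000000000?body=CODE">Step 2</a>
<script>
  history.pushState(null, "", location.href);
  window.addEventListener("popstate", function () {
    history.pushState(null, "", location.href);
  });
</script>
</body></html>
"""


class _PageCollector(HTMLParser):
    """Collects href attribute values and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def parse_sms_uri(uri):
    """Split an sms: URI (RFC 5724 shape) into its recipient list and body text."""
    recipients, _, query = uri[len("sms:"):].partition("?")
    body = ""
    for param in query.split("&"):
        key, _, value = param.partition("=")
        if key.lower() == "body":
            body = unquote(value)
    numbers = [r.strip() for r in recipients.split(",") if r.strip()]
    return numbers, body


def country_of(number):
    """Longest-prefix match of an E.164 number against the risk table."""
    digits = re.sub(r"\D", "", number)
    for length in (3, 2, 1):
        code = digits[:length]
        if code in HIGH_RISK_CODES:
            return code, HIGH_RISK_CODES[code]
    return digits[:1], "unknown"


def scan_page(html, home_code="1"):
    """Report sms: recipients, foreign destinations and back-button trapping."""
    collector = _PageCollector()
    collector.feed(html)
    recipients = []
    for href in collector.hrefs:
        if href.lower().startswith("sms:"):
            numbers, _ = parse_sms_uri(href)
            recipients.extend(numbers)
    international = [n for n in recipients
                     if not re.sub(r"\D", "", n).startswith(home_code)]
    countries = sorted({country_of(n)[1] for n in international})
    script_text = "\n".join(collector.scripts)
    # The trap needs both a pushState and a popstate handler that re-pushes.
    back_trap = "history.pushState" in script_text and "popstate" in script_text
    indicators = []
    if international:
        indicators.append("sms-to-international-numbers")
    if len(recipients) > 1:
        indicators.append("multiple-sms-recipients")
    if back_trap:
        indicators.append("back-button-trap")
    return {
        "sms_recipients": recipients,
        "international_recipients": international,
        "high_risk_countries": countries,
        "back_button_trap": back_trap,
        "indicators": indicators,
        # No legitimate verification flow sends SMS to foreign numbers.
        "suspicious": bool(international),
    }


if __name__ == "__main__":
    print(scan_page(SAMPLE_HTML))
```

The verdict hinges on foreign sms: recipients because, as the article notes, no legitimate verification service asks for an SMS at all; the back-button trap and the recipient count are recorded as supporting indicators so a triage queue can prioritise pages that show the full pattern.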
To safeguard against such threats, never send an SMS for CAPTCHA or verification purposes, as no legitimate service demands this. Regularly check your phone bill and immediately report any unexpected international SMS charges to your carrier. Organizations should deploy DNS security tools to block known TDS and malicious redirect domains, and telecom companies should implement real-time monitoring to prevent inflated SMS traffic. Staying vigilant against spoofed pages is crucial to protect against these scams.
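The carrier-side monitoring recommended above can be expressed as a simple streaming rule: a subscriber who suddenly sends many international SMS to many distinct countries within minutes matches the burst the article describes (up to 60 messages to over 50 destinations from one session). The following Python detector is an added example written for this article, not a carrier's or Infoblox's code. It assumes time-ordered records in the shape timestamp,subscriber,destination, assumes +1 as the monitoring carrier's home numbering plan, and uses placeholder thresholds (10 messages, 5 countries, 15 minutes) that a real deployment would tune; the records are constructed and the numbers are placeholders.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Calling codes named in the article; the full numbering plan would be loaded
# from a real data source (assumption). +1 is the assumed home plan.
KNOWN_CODES = {"994": "Azerbaijan", "20": "Egypt", "95": "Myanmar", "1": "NANP"}
HOME_CODE = "1"


def destination_code(number):
    """Calling code of an E.164 number by longest-prefix match; unknown codes
    fall back to the first three digits as an opaque grouping key."""
    digits = "".join(ch for ch in number if ch.isdigit())
    for length in (3, 2, 1):
        if digits[:length] in KNOWN_CODES:
            return digits[:length]
    return digits[:3]


def parse_record(line):
    """Parse one 'timestamp,subscriber,destination' line (constructed format)."""
    ts, subscriber, destination = line.strip().split(",")
    return datetime.fromisoformat(ts), subscriber, destination


def detect_sms_bursts(lines, window=timedelta(minutes=15),
                      min_messages=10, min_countries=5):
    """Flag subscribers whose international SMS in a sliding window reach
    min_messages to at least min_countries distinct calling codes.
    Records must arrive in timestamp order; one alert per subscriber."""
    recent = defaultdict(deque)  # subscriber -> deque of (ts, code)
    alerted = set()
    alerts = []
    for line in lines:
        ts, subscriber, destination = parse_record(line)
        code = destination_code(destination)
        if code == HOME_CODE:
            continue  # domestic traffic is not part of the IRSF pattern
        q = recent[subscriber]
        q.append((ts, code))
        while q and ts - q[0][0] > window:
            q.popleft()
        countries = {c for _, c in q}
        if (len(q) >= min_messages and len(countries) >= min_countries
                and subscriber not in alerted):
            alerted.add(subscriber)
            alerts.append({
                "subscriber": subscriber,
                "window_start": q[0][0],
                "messages": len(q),
                "countries": sorted(countries),
            })
    return alerts


def build_sample_records():
    """Constructed records: one victim-like burst, one benign sender,
    one domestic message. All numbers are placeholders."""
    base = datetime(2024, 1, 15, 10, 0, 0)
    lines = []
    codes = ["994", "20", "95", "252", "370", "675"]
    # 12 international messages to 6 calling codes within four minutes
    for i in range(12):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()},+15550000001,+{codes[i % 6]}00000000{i}")
    # Two international messages from another subscriber: below threshold
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()},+15550000002,+20000000001")
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()},+15550000002,+99400000001")
    # Domestic message, ignored by the rule
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()},+15550000003,+15550000004")
    return sorted(lines)


if __name__ == "__main__":
    for alert in detect_sms_bursts(build_sample_records()):
        print(alert)
```

Because the rule keys on distinct destination countries rather than raw volume, an ordinary traveller texting one foreign contact repeatedly does not trigger it, while the one-session fan-out to dozens of high-cost destinations does; the alert can feed a real-time block on further international SMS from that subscriber pending confirmation.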
