Fake CAPTCHA Scam Abuses Verification Clicks to Send Costly International Texts
Infoblox reveals Click2SMS fraud using fake CAPTCHAs to trick users into sending costly international texts.
Summary
Security researchers at Infoblox uncovered a long-running International Revenue Share Fraud (IRSF) scheme operating since June 2020 that uses fake CAPTCHA pages and back button hijacking to deceive victims into sending high-cost SMS messages to international numbers. The attack chain begins with typosquatted domains that redirect through a Traffic Distribution System to scam landing pages, where victims are tricked into completing fake verification steps that trigger automated SMS messages to numbers in 17 countries including Azerbaijan, Kazakhstan, and Myanmar. Charges can exceed $30 per session and often go unnoticed for weeks, allowing scammers to maximize revenue across multiple carriers.
Full text
Research from Infoblox reveals a massive Click2SMS fraud scheme using fake CAPTCHAs and back button hijacking to trick victims into sending costly international texts.
By Deeba Ahmed, April 25, 2026
Network security firm Infoblox has disclosed details on a long-running fraud operation that has been quietly draining bank accounts since at least June 2020. This scam uses fake CAPTCHA pages to carry out a specific type of cybercrime known as International Revenue Share Fraud, or IRSF. While most people see CAPTCHA as a boring but necessary way to prove they are human, the scammers behind this campaign have converted this process into a profit-making tool by tricking users into sending high-cost international text messages.
The Attack Chain
According to cybersecurity researchers at Infoblox Threat Intelligence, the attack begins when a person accidentally visits a typosquatted domain. These are lookalike addresses designed to mimic famous telecommunications brands. When the user lands on the wrong page, they are pushed through a complex Traffic Distribution System (TDS). In a recent observation from March 2026, researchers tracked this path as it moved through several nodes, including a commercial advertising network in Germany, before reaching a landing page controlled by the scammers, such as zawsterriscom.
[Figure: Redirection chain that leads to a fake CAPTCHA page (Source: Infoblox)]
Technical Methods of Deception
When the victim visits the fake CAPTCHA, they are asked simple questions about their device type (iOS or Android) or network speed (4G or WiFi), which is unlike how CAPTCHA checks actually work. That is where the trick lies: every time the victim clicks an answer, a JavaScript function called makeTrackerDownload.php is triggered, which forces their phone to open its SMS app with a pre-filled message and a long list of international phone numbers.
By the time the four-step verification is complete, the victim may have sent 60 messages to over 50 different destinations. These messages are routed to 35 phone numbers across 17 different countries with high termination fees, like Azerbaijan, Kazakhstan, and Myanmar.
[Figure: Fake CAPTCHA process (Source: Infoblox)]
Trapping the Victim
To ensure the victim does not leave before the job is done, the threat actors use a technique called back button hijacking, which Google recently banned. By using a specific coding method to manipulate the browser history, the hackers trap the user in a loop. If the person tries to click back to a safe site, the script simply refreshes the scam page. This persistent interaction allows the scammers to maximise their revenue across multiple carriers. Researchers noted that the charges, which can total $30 or more per session, often do not appear on a phone bill for weeks, and the victim has most probably forgotten the website by the time they see the financial damage.
Attribution
Infoblox researchers have attributed this activity to an affiliate of a European Click2SMS network, which uses infrastructure hosted on AS15699, also known as Adam Ecotech. Further investigation found that the same systems used to spread malware and scareware are now being used to industrialise phone fraud. Watch out for such scams: a legitimate security check will never require you to send a text message to prove your identity.
Indicators of Compromise
- malware — makeTrackerDownload.php
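
A defensive check for the behaviour described under Technical Methods of Deception, as an added example that is not from Infoblox or the original article: it extracts sms: links from page source and flags those that pre-fill a message to several international recipients. The function names, the verdict policy, the home country code parameter and the sample page with its phone numbers are assumptions constructed for illustration.

```javascript
// Added example: triage sms: links found in page source before a user taps them.
// Assumes RFC 5724 form: sms:<num>[,<num>...]?body=<text>. Numbers are constructed.

function parseSmsUri(uri) {
  const m = /^sms:(?:\/\/)?([^?&]*)(?:[?&](.*))?$/i.exec(uri.trim());
  if (!m) return null;
  let rawRecipients;
  try { rawRecipients = decodeURIComponent(m[1]); } catch (e) { rawRecipients = m[1]; }
  const recipients = rawRecipients
    .split(',')
    .map((r) => r.replace(/[\s().-]/g, '').replace(/^00/, '+')) // normalise 00 prefix
    .filter((r) => r.length > 0);
  const body = new URLSearchParams(m[2] || '').get('body') || '';
  return { recipients, body };
}

// homeCountryCode: the subscriber's own calling code without "+", e.g. "44".
// Shared codes (such as +1 or +7) are treated as domestic by this simple prefix test.
function assessSmsUri(uri, homeCountryCode) {
  const parsed = parseSmsUri(uri);
  if (!parsed) return { verdict: 'not-sms', reasons: [], recipients: [] };
  const foreign = parsed.recipients.filter(
    (r) => r.startsWith('+') && !r.startsWith('+' + homeCountryCode));
  const reasons = [];
  if (parsed.recipients.length > 1) reasons.push('multiple-recipients');
  if (foreign.length > 0) reasons.push('international-destination');
  if (parsed.body !== '') reasons.push('prefilled-body');
  // Policy (an assumption): an international number plus any other signal is blocked.
  let verdict = 'allow';
  if (reasons.length > 0) verdict = 'review';
  if (foreign.length > 0 && reasons.length > 1) verdict = 'block';
  return { verdict, reasons, recipients: parsed.recipients };
}

// Pull sms: URIs out of HTML or script text and assess each one.
function scanPage(source, homeCountryCode) {
  const found = source.match(/sms:[^"'\s<>`]+/gi) || [];
  return found.map((uri) => ({ uri, ...assessSmsUri(uri, homeCountryCode) }));
}

// Constructed sample: one ordinary support link and one multi-recipient link.
const SAMPLE_PAGE = `
  <a href="sms:+442000000000">Text support</a>
  <script>location.href = "sms:+994000000001,+77000000002,+95000000003?body=VERIFY%201";</script>
`;

console.log(scanPage(SAMPLE_PAGE, '44'));
```

The same assessment can run in a mobile browser extension or a secure web gateway that inspects page content; the single-recipient domestic link passes while the multi-recipient international link with a pre-filled body is blocked.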