New Fake CAPTCHA Campaign Uses SMS Pumping Fraud to Run Up Victims\u2019 Phone Bills
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A newly documented scam campaign is using fake CAPTCHA pages to silently trigger dozens of international SMS messages from victims\u2019 mobile phones, leaving them with unexpected charges on their phone bills. <\/p>\n
What looks like a routine \u201cprove you\u2019re human\u201d step online turns into a financial hit that many users never see coming.<\/p>\n
CAPTCHAs have become so common on websites that most people interact with them without a second thought. Clicking traffic lights, selecting crosswalks, or solving simple puzzles feels routine and harmless. <\/p>\n
Cybercriminals have learned to take advantage of this habit. This campaign follows the pattern of ClickFix-style attacks<\/a>, where users are tricked into taking actions that work against themselves, often without knowing what they just did.<\/p>\n This particular operation runs what researchers describe as an International Revenue Share Fraud (IRSF) campaign, more commonly known as SMS pumping fraud. <\/p>\n The scheme works by inflating the volume of SMS messages sent to specific international destinations that carry high termination fees. <\/p>\n A portion of those fees then flows back to the attackers through revenue-sharing agreements built into the global telecom billing system. <\/p>\n Malwarebytes analyst, Pieter Arntz identified this campaign<\/a>, noting that it is a long-running operation that targets everyday mobile users browsing the web.<\/p>\n What makes this scam stand out is that it does not rely on malware or device compromise. No software gets installed on the victim\u2019s phone. <\/p>\n Instead, the scam exploits how telecom billing systems and affiliate networks operate, quietly converting ordinary web traffic into premium SMS revenue for criminals. <\/p>\n Each victim may not feel the hit immediately, but a single interaction can result in roughly $30 in international SMS charges on a standard consumer plan.<\/p>\n Victims most often land on these fake CAPTCHA pages after being redirected through malvertising or Traffic Distribution System (TDS) redirects. <\/p>\n Many of these redirects originate from typosquatted telecom domains, meaning web addresses that closely resemble legitimate telecom company websites. <\/p>\n Once on the fake page, the user sees what appears to be a standard image-selection or quiz-style CAPTCHA.<\/p>\n When the user taps the button to \u201ccontinue,\u201d their phone\u2019s native SMS application<\/a> opens with a message already pre-filled, along with a pre-loaded recipient list. This is where the real damage happens. <\/p>\n The fake CAPTCHA takes the user through several steps, and each step sends a message to more than a dozen international numbers spanning 17 countries known for high SMS termination fees, including Azerbaijan, Myanmar, and Egypt.<\/p>\n To prevent users from simply leaving the page, attackers use back-button hijacking. JavaScript on the scam page<\/a> rewrites the browser\u2019s history so that pressing the back button just reloads the scam rather than taking the user away from it. <\/p>\n This traps users in the flow long enough to complete multiple SMS sends. <\/p>\n Researchers also found that this campaign connects to a Click2SMS-style affiliate network that openly advertises accepting \u201call kinds of traffic,\u201d essentially packaging IRSF as a revenue tool for shady web publishers.<\/p>\n Users and organizations can take the following steps to reduce their risk from this type of fraud:-<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New Fake CAPTCHA Campaign Uses SMS Pumping Fraud to Run Up Victims\u2019 Phone Bills<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nInside the Infection Mechanism<\/strong><\/h2>\n
\n