Cybercriminals are increasingly exploiting familiar online verification tools to carry out sophisticated telecom fraud, and this time they have turned CAPTCHA into a weapon. Commonly used to distinguish humans from bots, CAPTCHA tests are now being manipulated to trick unsuspecting users into sending premium international SMS messages, ultimately leading to unexpected and often costly charges.

The scheme is closely linked to International Revenue Share Fraud (IRSF), a telecom fraud model that has been active since June 2020. In this evolving campaign, attackers create fake CAPTCHA pages that closely resemble legitimate verification screens. However, instead of asking users to identify images or solve puzzles, these pages instruct them to send a text message as part of the verification process. As a result, victims unknowingly send SMS messages to high-cost international numbers located in countries such as Azerbaijan, Egypt, and Myanmar.

Each message generates revenue for the attackers, who have already arranged agreements with telecom operators in those regions to share the profits. Victims remain unaware of the fraud until they review their phone bills weeks later and discover unexpected international charges. This delayed realization makes the scheme particularly effective and difficult to trace back to its source.

Researchers from Infoblox Threat Intel have closely examined and documented this campaign. Their findings reveal that a single interaction with one of these fake CAPTCHA pages can trigger as many as 60 international SMS messages sent to over 50 destinations. In many cases, this results in a cost of approximately $30 for a single session. While the individual loss may seem relatively small, the scale of the attack across millions of users makes it highly profitable for cybercriminals.

Moreover, the method used to direct users to these malicious pages adds another layer of complexity. Attackers employ a Traffic Distribution System (TDS), which silently redirects web traffic through multiple intermediary nodes before delivering users to the fraudulent CAPTCHA page. In one observed attack chain, a user initially visited a domain mimicking a major U.S. telecom provider, only to be redirected multiple times before landing on the malicious page. This layered infrastructure helps attackers evade detection by both security researchers and automated defense systems.

The fraud also significantly impacts telecom providers. While customers dispute unexpected charges, carriers often absorb the financial losses and, unknowingly, continue sharing revenue with fraudsters. Infoblox researchers identified 35 phone numbers connected to 17 different countries within this campaign, indicating its global reach and persistence over time.

The technical mechanism behind the attack remains deceptively simple yet highly effective. When users land on a fake CAPTCHA page, they encounter tasks that appear legitimate, such as selecting images or identifying objects. Behind the scenes, however, embedded scripts communicate with attacker-controlled servers, which generate a list of international phone numbers along with pre-written messages. The victim’s messaging application then opens automatically with all details pre-filled, requiring only a single tap to send the SMS.

In addition, attackers use a tactic known as back-button hijacking to keep users trapped on the page. When a user attempts to leave by pressing the back button, the page manipulates the browser history and redirects them back to the same CAPTCHA screen. First identified in January 2023, this looping mechanism increases the likelihood that users will complete the fraudulent action.
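The check below is an added example, not code from Infoblox or from this article: it triages page source for the combination described above (a CAPTCHA lure, pre-filled SMS links to international numbers, and browser-history manipulation). It assumes the messaging app is launched through `sms:` URIs; the `+1` home prefix, the function names, and both sample inputs are constructed for illustration.

```javascript
// Added example (not from the article): static triage of page source for the
// SMS-CAPTCHA pattern. Assumption: the messaging app is opened via sms: URIs.
const HOME_PREFIX = "+1"; // assumed home country code; prefix match is coarse
const CAPTCHA_LURE = /captcha|verify (?:you are|you're) human|not a robot/i;
const HISTORY_WRITE = /history\.(?:push|replace)State\s*\(/;

const safeDecode = (s) => { try { return decodeURIComponent(s); } catch { return s; } };

// Extract recipients and pre-filled body from every sms:/smsto: URI in the text.
function extractSmsTargets(source) {
  const out = [];
  for (const m of source.matchAll(/\bsms(?:to)?:([^"'`\s<>]+)/gi)) {
    const [numbers, ...params] = m[1].split(/[?&;]/); // body separator varies by platform
    const body = params.map((p) => p.match(/^body=(.*)$/i)).find(Boolean);
    const recipients = safeDecode(numbers).split(",")
      .map((n) => n.replace(/[^\d+]/g, "").replace(/^00/, "+"))
      .filter((n) => n.length > 3);
    if (recipients.length) out.push({ recipients, body: body ? safeDecode(body[1]) : null });
  }
  return out;
}

function assessPage(source, homePrefix = HOME_PREFIX) {
  const targets = extractSmsTargets(source);
  const numbers = [...new Set(targets.flatMap((t) => t.recipients))];
  const foreign = numbers.filter((n) => n.startsWith("+") && !n.startsWith(homePrefix));
  const findings = [];
  if (foreign.length) findings.push("international-recipient");
  if (numbers.length > 1) findings.push("multiple-recipients");
  if (targets.some((t) => t.body)) findings.push("prefilled-body");
  if (numbers.length && CAPTCHA_LURE.test(source)) findings.push("captcha-lure");
  // History writes plus a popstate handler are common in benign apps,
  // so they only count as a finding when sms: links are also present.
  if (numbers.length && HISTORY_WRITE.test(source) && /popstate/i.test(source)) findings.push("back-button-trap");
  const lure = findings.includes("captcha-lure");
  const verdict = lure && foreign.length ? "block" : foreign.length ? "review" : "allow";
  return { verdict, findings, foreign };
}

// Constructed inputs: placeholder numbers, not indicators from the campaign.
const SAMPLE_FAKE_CAPTCHA = `<h1>Verify you are human</h1>
<a href="sms:+994000000001,+20000000002?body=VERIFY%201234">Continue</a>
<script>history.pushState({}, ""); window.onpopstate = keepHere;</script>`;
const SAMPLE_CONTACT_PAGE = `<a href="sms:+15555550100?body=Hello">Text our support desk</a>`;

console.log(assessPage(SAMPLE_FAKE_CAPTCHA));
console.log(assessPage(SAMPLE_CONTACT_PAGE));
```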

Although some pages include disclaimers, they vaguely describe the process as a service exchange and fail to clearly inform users that multiple paid international messages will be sent. This deliberate lack of transparency turns the disclaimer into a tool for misdirection rather than genuine disclosure.

Security experts strongly emphasize that no legitimate service will ever require users to send an SMS as part of a CAPTCHA or online verification process. Users are advised to remain cautious, regularly review their phone bills, and immediately report any suspicious international charges to their telecom provider. As cybercriminals continue to refine their tactics, awareness remains one of the most effective defenses against such deceptive schemes.
