Abonnement aktivieren >
Geräte hinzufügen oder aktualisieren >
Abonnement erneuern >
Sicherer Hub >
Sie haben noch kein Konto?
Registrieren >
< Products
Have a current computer infection?
Worried it’s a scam?
Try our antivirus with a free, full-featured 14-day trial
Get your free digital security toolkit
Find the right cyberprotection for you
< Business
< Pricing
Protect your personal devices and data
Protect your team’s devices and data – no IT skills needed
Explore award-winning endpoint security for your business
< Resources
< Support
Malwarebytes and Teams Customers
Nebula and Oneview Customers
Researchers have documented a long‑running campaign that uses fake CAPTCHA pages to trick mobile users into sending dozens of international SMS messages in the background.
If you’ve spent any time on today’s web, CAPTCHAs may seem like background noise: click a few traffic lights, prove you’re human, move on. Something scammers have learned to abuse in ClickFix campaigns where they lure victims into infecting their own machines.
Recently, though, researchers found a twist where “prove you’re human” quietly turns into “run up an international phone bill.” The research describes an International Revenue Share Fraud (IRSF) campaign. IRSF, also known as SMS pumping fraud, abuses the complex pricing structures of international calls and SMS traffic to generate revenue by inflating message volume to particular destinations.
Instead of installing malware on the victim’s device, the scam exploits how telecom billing and affiliate networks work, turning ordinary web traffic into premium SMS revenue for cybercriminals.
A typical flow for the scam looks like this:
On a typical consumer plan, that can translate to roughly $30 in international SMS charges per person, with a slice of the termination fees flowing back to the attacker via revenue‑sharing agreements.
To keep you from simply backing out, the pages deploy dedicated back‑button hijacking. JavaScript rewrites browser history and bounces you back to the scam when you try to leave. The researchers also found the campaign was plugged into a Click2SMS‑style affiliate network that advertises “all kinds of traffic allowed” and carrier billing, effectively packaging IRSF as another monetization option for shady publishers.
This operation defrauds both individuals and telecom carriers. Victims face unexpected premium SMS charges on their bills and may struggle to trace the cause. Carriers pay revenue shares to the perpetrators and may absorb losses from customer disputes or chargebacks.
TRY IT NOW
Never send an SMS to “prove you’re human.” Legitimate CAPTCHAs run entirely in your browser. They won’t open your SMS or dialer app.
Check your mobile bill regularly for small, unfamiliar international SMS charges, not just big spikes. If you see anything suspicious, dispute it quickly and ask your provider to block international or premium SMS if you don’t need it.
Use a mobile protection app that blocks known malicious sites, like these domains involved in this campaign:
Scammers know more about you than you think.
Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in.
Download for iOS → Download for Android →
SHARE THIS ARTICLE
Pieter Arntz 
Malware Intelligence Researcher
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.
A list of topics we covered in the week of April 20 to April 26 of 2026
Despite strict access controls, medical data from half a million UK Biobank volunteers ended up listed for sale on Alibaba.
We look at how cybercrime targeting companies affects all of us, especially their customers.
A week in security (April 20 – April 26)
Medical data of 500,000 UK volunteers listed for sale on Alibaba
Apple fixes iOS bug that kept deleted notifications, including chat previews
Contributors
Threat Center
Podcast
Glossary
Scams
Malwarebytes – all-in-one cybersecurity protection always by your side.
COMPUTER SECURITY
MOBILE SECURITY
PRIVACY PROTECTION
IDENTITY PROTECTION
LEARN ABOUT CYBERSECURITY
PARTNER WITH MALWAREBYTES
ADDRESS
One Albert Quay
2nd Floor
Cork T12 X8N6
Ireland
2445 Augustine Drive
Suite 550
Santa Clara, CA
USA, 95054
ABOUT MALWAREBYTES
WHY US
GET HELP
Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.
By submitting this form, you consent to Malwarebytes contacting you regarding products and services and using your personal data as described in our Terms of Service and Privacy Policy.
© 2026 All Rights Reserved