Hackers are abusing fake CAPTCHA pages to run a silent but lucrative international SMS fraud scheme, turning routine “prove you’re human” checks into a revenue engine built on international revenue share fraud (IRSF).
Attackers set up lookalike and scam domains that eventually redirect victims through a traffic distribution system (TDS) to a fake CAPTCHA page.
Instead of solving a normal puzzle, users are repeatedly told to “confirm” they are human by sending SMS messages from their own phones. Each CAPTCHA step launches the device’s SMS app with a pre-filled message and a large list of international numbers; all the victim has to do is tap send.
According to the report, the fraud does not rely on challenge difficulty but on volume: in one observed flow, four CAPTCHA steps produced 60 outbound SMS messages in a single “verification.”
Numbers span at least 17 countries, many with high SMS termination fees such as Azerbaijan, Egypt, Myanmar, the Netherlands, and Kazakhstan, maximizing payout per victim session.
Because international SMS charges can appear on bills weeks later, many users never connect the unexpected fees to the forgotten CAPTCHA they completed days earlier.
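One way a web filter or crawler could flag the multi-recipient, pre-filled SMS pattern described above. This is an added example, not code from the report. It assumes the pages launch the SMS app through `sms:` links (RFC 5724), which the article does not state; the sample page, the `+999` placeholder numbers, the thresholds and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the SMS app is launched via sms: URIs (RFC 5724), which allow
# comma-separated recipients and a pre-filled body parameter.
SMS_URI = re.compile(r"""\bsms:([^"'\s<>?&;]+)([?&;]body=[^"'\s<>]*)?""", re.IGNORECASE)

# Constructed sample page; the +999 numbers are placeholders, not real indicators.
SAMPLE_PAGE = """
<a href="sms:+15555550100?body=Hi">Text our support line</a>
<button onclick="location.href='sms:+9990000001,+9990000002,+9990000003,+9990000004,+9990000005?body=VERIFY'">
  Confirm you are human</button>
"""

def extract_sms_links(page_source):
    """Return every sms: link with its recipient list and whether a body is pre-filled."""
    links = []
    for match in SMS_URI.finditer(page_source):
        recipients = [r.strip() for r in unquote(match.group(1)).split(",") if r.strip()]
        links.append({"recipients": recipients, "prefilled_body": match.group(2) is not None})
    return links

def is_international(number, home_prefix):
    """True when the number is in international format and outside the home calling code."""
    digits = re.sub(r"[^\d+]", "", number)
    if digits.startswith("00"):          # normalise 00-prefixed international dialling
        digits = "+" + digits[2:]
    return digits.startswith("+") and not digits.startswith(home_prefix)

def assess_page(page_source, home_prefix="+1", max_recipients=3):
    """Flag links that pre-fill a message to more international recipients than allowed."""
    findings = []
    for link in extract_sms_links(page_source):
        international = [r for r in link["recipients"] if is_international(r, home_prefix)]
        if link["prefilled_body"] and len(international) > max_recipients:
            findings.append({"recipients": len(link["recipients"]),
                             "international": len(international)})
    return findings

if __name__ == "__main__":
    for finding in assess_page(SAMPLE_PAGE):
        print("suspicious sms: link:", finding)
```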
The scam is powered by IRSF, where criminals register or lease phone numbers in high-fee or lightly regulated destinations and sign revenue‑sharing deals with local carriers.
When a victim sends an international SMS to these numbers, their carrier pays a termination fee to the foreign operator, who then shares a cut with the fraudster controlling the numbers.
Individually, one victim might lose around 30 USD in SMS charges, but scaled across thousands of devices, the operation becomes highly profitable.
Industry data shows this is part of a much bigger problem: artificially inflated traffic (AIT), which includes IRSF-generated messaging traffic, is now ranked as the most financially damaging form of messaging fraud worldwide, with around half of telecom carriers reporting high financial losses and high fraudulent traffic volumes.
For telecoms, the impact is twofold: they pay out revenue share to bad actors and often absorb the cost of refunds after customers dispute the charges.
To hide the scam and maximize conversions, the campaign leans heavily on commercial TDS infrastructure commonly used to push scareware, ad fraud, and malware.
In one observed chain, a typosquatted telecom domain redirected through multiple TDS nodes before landing on a fake CAPTCHA and finally a scam “gaming” or adult-content site that continues triggering SMS messages with every click.
Campaign and affiliate parameters in the URLs and cookies (such as product IDs and affiliate codes) show this SMS scam is just one product inside a larger Click2SMS affiliate ecosystem.
The actors also deploy dedicated JavaScript for back button hijacking, manipulating browser history so users cannot easily navigate away from the fake CAPTCHA.
When the victim presses back, the script pushes a new history entry and silently reloads another scam page, trapping users in a loop unless they close the browser entirely.
Google has now explicitly classified back button hijacking as a “malicious practice” in its spam policies and plans to penalize sites that interfere with normal back navigation starting in mid‑2026.
The infrastructure uses cookies and URL parameters to track user attributes such as country, language, ISP, device type, and campaign identifiers.
Cookie values include long lists of “valid products” and a successRate flag that client‑side code uses to decide whether to keep a user in the SMS funnel or redirect them to a different fake CAPTCHA controlled by another actor.
DNS patterns show that dozens of domains and subdomains follow repeatable naming themes (e.g., “chat,” “vids,” “tips,” and pseudo-random word pairs) and are clustered on a small set of IPs in AS15699 (Adam EcoTech) with common registrars and DNS providers, indicating a stable, long‑running operation dating back to at least mid‑2020.
To maintain plausible deniability, the pages add misleading “terms of service” at the bottom, telling users to check prices for international SMS without disclosing that each step sends messages to dozens of foreign numbers.
Combined with TDS‑driven distribution across many countries and carriers, this fragmentation makes it difficult for any single operator or regulator to see the full fraud picture, allowing the scheme to run largely undetected for years.
For telecoms and enterprises, closer monitoring of unusual international SMS spikes, cross‑carrier sharing of IRSF indicators, and detection of TDS‑driven traffic chains are critical to disrupting this new blend of fake CAPTCHAs, SMS fraud, and adtech abuse.
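A sketch of the spike monitoring recommended above, as an added example that is not from the report or any carrier's tooling. It assumes SMS records are available as (subscriber, timestamp, destination, destination country) tuples; the records, subscriber IDs, destination labels and thresholds are constructed, with the burst modelled on the article's four-step, 60-message flow.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_records():
    """Constructed records: sub-A mimics 4 CAPTCHA steps x 15 SMS, sub-B is ordinary use."""
    base = datetime(2026, 1, 1, 12, 0, 0)
    countries = ["AZ", "EG", "MM", "NL", "KZ"]   # destinations named in the article
    records = []
    for step in range(4):
        for i in range(15):
            n = step * 15 + i
            ts = base + timedelta(seconds=step * 60 + i)
            records.append(("sub-A", ts.isoformat(), f"dest-{n:03d}", countries[n % 5]))
    for hours in (0, 5, 9):
        ts = base + timedelta(hours=hours)
        records.append(("sub-B", ts.isoformat(), "dest-friend", "NL"))
    return records

def detect_sms_bursts(records, window=timedelta(minutes=10),
                      min_destinations=20, min_countries=3):
    """Flag subscribers who text many distinct international numbers in several
    countries inside one sliding window; returns the peak window per subscriber."""
    by_subscriber = defaultdict(list)
    for subscriber, ts, dest, country in records:
        by_subscriber[subscriber].append((datetime.fromisoformat(ts), dest, country))

    alerts = {}
    for subscriber, events in by_subscriber.items():
        events.sort()
        in_window = deque()
        for event in events:
            in_window.append(event)
            while event[0] - in_window[0][0] > window:   # drop events older than the window
                in_window.popleft()
            dests = {d for _, d, _ in in_window}
            seen_countries = {c for _, _, c in in_window}
            if len(dests) >= min_destinations and len(seen_countries) >= min_countries:
                peak = alerts.get(subscriber)
                if peak is None or len(dests) > peak["distinct_destinations"]:
                    alerts[subscriber] = {"distinct_destinations": len(dests),
                                          "countries": sorted(seen_countries),
                                          "window_end": event[0].isoformat()}
    return alerts

if __name__ == "__main__":
    for subscriber, detail in detect_sms_bursts(build_sample_records()).items():
        print(subscriber, detail)
```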
