๐ฏBasically, hackers create fake CAPTCHA pages to trick you into sending expensive texts without your knowledge.
What Happened
Cybercriminals have discovered a way to exploit CAPTCHA tests, commonly used online to verify human users. They create fake CAPTCHA pages that trick unsuspecting users into sending paid international SMS messages. This scheme, known as International Revenue Share Fraud (IRSF), has been active since at least June 2020.
How the Scam Works
When users land on these fake CAPTCHA pages, they are prompted to send an SMS message to prove they are human. However, these messages are sent to phone numbers in countries with high termination fees, such as Azerbaijan, Egypt, and Myanmar. Each text generates revenue for the fraudsters, who have arrangements with local telecom carriers. Victims often only realize the damage weeks later when they see unexpected charges on their bills.
Who's Being Targeted
The victims of this fraud can be anyone who encounters these fake CAPTCHA pages, which can appear on lookalike domains of legitimate services. Infoblox Threat Intel researchers found that a single interaction with one of these pages can trigger as many as 60 international SMS messages, costing victims around $30 in one session. While this may seem small, the potential scale across millions of users makes it highly profitable for the attackers.
Technical Mechanism
The design of these fake CAPTCHA pages is deceptively simple yet effective. When users answer the CAPTCHA prompts, JavaScript communicates with the attacker's server, which sends back a list of international phone numbers and a pre-written message. This process opens the messaging app on the victim's phone with the numbers and text already filled in, requiring just a tap to send.
Additionally, the campaign employs back button hijacking, preventing users from leaving the page easily. If a user attempts to go back, they are redirected to the CAPTCHA page again, trapping them in a loop of sending messages until they force-close their browser.
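The page-side pattern described above is visible in the HTML and script a browser receives: an `sms:` link (or a string literal built by JavaScript) whose recipient list points at high-termination-fee destinations. The following scanner is an added example, not code from the article or from Infoblox Threat Intel; the `sms:` URI parser follows the `sms:<recipients>?body=<text>` shape, the country-code table maps the three countries the article names to their calling codes, and the sample pages, the phone numbers and the five-recipient threshold are constructed for this example.

```javascript
// Added example (not from the article or Infoblox): scan a page for sms: links
// that match the fake-CAPTCHA pattern, i.e. recipients in high-termination-fee
// countries or a bulk recipient list. All sample data below is constructed.

// Calling codes for the countries named in the article; this table is an
// assumption of the example, a real scanner would use a rate table.
const HIGH_FEE_PREFIXES = { "+994": "Azerbaijan", "+20": "Egypt", "+95": "Myanmar" };

// Flag any single sms: link that addresses this many recipients or more
// (the article reports up to 60 texts in one session; 5 is conservative).
const BULK_RECIPIENT_THRESHOLD = 5;

// Parse "sms:+994...,+20...?body=..." into its recipient list and body text.
function parseSmsUri(uri) {
  const m = /^sms:([^?]*)(?:\?(.*))?$/i.exec(uri.trim());
  if (!m) return null;
  const recipients = m[1]
    .split(",")
    .map((r) => decodeURIComponent(r).replace(/[\s.-]/g, ""))
    .filter(Boolean);
  let body = "";
  if (m[2]) {
    for (const kv of m[2].split("&")) {
      const [k, v = ""] = kv.split("=");
      if (k.toLowerCase() === "body") body = decodeURIComponent(v.replace(/\+/g, " "));
    }
  }
  return { recipients, body };
}

// Return the high-fee country a number belongs to, or null.
function highFeeDestination(number) {
  for (const [prefix, country] of Object.entries(HIGH_FEE_PREFIXES)) {
    if (number.startsWith(prefix)) return country;
  }
  return null;
}

// Collect every sms: URI on the page: href attributes plus quoted string
// literals in inline script, since the article says JavaScript assembles the list.
function extractSmsUris(html) {
  const found = new Set();
  const patterns = [/href\s*=\s*["']\s*(sms:[^"']+)["']/gi, /["'`](sms:[^"'`]+)["'`]/gi];
  for (const re of patterns) {
    let m;
    while ((m = re.exec(html)) !== null) found.add(m[1]);
  }
  return [...found];
}

// Produce the findings an analyst wants: which links hit premium destinations
// and how many recipients each one carries.
function scanPage(html) {
  const findings = [];
  for (const uri of extractSmsUris(html)) {
    const parsed = parseSmsUri(uri);
    if (!parsed) continue;
    const premium = parsed.recipients.map(highFeeDestination).filter(Boolean);
    if (premium.length > 0 || parsed.recipients.length >= BULK_RECIPIENT_THRESHOLD) {
      findings.push({
        uri,
        recipientCount: parsed.recipients.length,
        premiumDestinations: [...new Set(premium)],
      });
    }
  }
  return { suspicious: findings.length > 0, findings };
}

// Constructed sample: a fake CAPTCHA page with placeholder numbers.
const FAKE_CAPTCHA_HTML = `
<p>Prove you are human: tap Send.</p>
<a id="go" href="sms:+994000000001,+20000000002,+95000000003?body=CONFIRM">I am not a robot</a>`;

// Constructed sample: a legitimate "text us" link to one domestic number.
const BENIGN_HTML = `<a href="sms:+15550100?body=Hi">Text us</a>`;

console.log(JSON.stringify(scanPage(FAKE_CAPTCHA_HTML), null, 2));
console.log(JSON.stringify(scanPage(BENIGN_HTML), null, 2));
```

Run it with Node. The premium-prefix check and the bulk-recipient check are deliberately independent, so a page that fans one tap out to many domestic numbers is still flagged, while a single customer-service `sms:` link is not.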
What You Should Do
To protect yourself from falling victim to this scam, follow the steps below. By staying vigilant and informed, users can help protect themselves from this growing fraud scheme.
Identify
1. Never send an SMS as part of a CAPTCHA verification process. Legitimate services do not require this.
2. Monitor your phone bill regularly for unexpected international SMS charges.
3. If you notice any unusual charges, contact your carrier immediately.
Protect
4. Organizations should utilize DNS security tools to detect and block known TDS and malicious redirect domains.
5. Telecom providers should implement real-time monitoring to identify and block inflated SMS traffic.
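Step 5 asks carriers to spot inflated SMS traffic in real time. The detector below is an added example, not code from the article or from any carrier; it shows one way to do that over a stream of mobile-originated SMS events. The log line format, the subscriber and destination numbers, the ten-minute window and the ten-message threshold are all constructed assumptions for this example, and the watched prefixes are the calling codes of the three countries the article names.

```javascript
// Added example (not from the article): flag a subscriber whose outbound SMS
// to high-termination-fee destinations spikes inside a short window, the
// traffic shape the fake-CAPTCHA loop produces. Log format is constructed.

const WINDOW_MS = 10 * 60 * 1000;       // assumption: ten-minute sliding window
const ALERT_THRESHOLD = 10;             // assumption: messages per window
const WATCHED_PREFIXES = ["+994", "+20", "+95"]; // Azerbaijan, Egypt, Myanmar

// Parse one constructed event line:
// "<ISO timestamp> src=<number> dst=<number> type=MO|MT"
function parseEvent(line) {
  const m = /^(\S+)\s+src=(\S+)\s+dst=(\S+)\s+type=(\S+)$/.exec(line.trim());
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, src: m[2], dst: m[3], type: m[4] };
}

function isWatchedDestination(number) {
  return WATCHED_PREFIXES.some((p) => number.startsWith(p));
}

// For each source subscriber, find the densest WINDOW_MS span of outbound
// (MO) messages to watched destinations and alert when it reaches the threshold.
function detectInflatedTraffic(lines) {
  const events = lines
    .map(parseEvent)
    .filter((e) => e && e.type === "MO" && isWatchedDestination(e.dst))
    .sort((a, b) => a.ts - b.ts);

  const bySource = new Map();
  for (const e of events) {
    if (!bySource.has(e.src)) bySource.set(e.src, []);
    bySource.get(e.src).push(e);
  }

  const alerts = [];
  for (const [src, evs] of bySource) {
    let start = 0;
    let peak = 0;
    let peakDestinations = new Set();
    for (let end = 0; end < evs.length; end++) {
      // Advance the window start until the span fits inside WINDOW_MS.
      while (evs[end].ts - evs[start].ts > WINDOW_MS) start++;
      const count = end - start + 1;
      if (count > peak) {
        peak = count;
        peakDestinations = new Set(evs.slice(start, end + 1).map((e) => e.dst));
      }
    }
    if (peak >= ALERT_THRESHOLD) {
      alerts.push({
        src,
        messagesInWindow: peak,
        distinctDestinations: peakDestinations.size,
        action: "hold-and-verify", // suggested handling, an assumption of the example
      });
    }
  }
  return alerts;
}

// Constructed sample log: one subscriber looping through three premium
// destinations, one subscriber with ordinary traffic, one inbound (MT) message.
const SAMPLE_LOG = [
  "2024-05-01T10:00:00Z src=+15550100 dst=+994000000001 type=MO",
  "2024-05-01T10:00:05Z src=+15550100 dst=+20000000002 type=MO",
  "2024-05-01T10:00:10Z src=+15550100 dst=+95000000003 type=MO",
  "2024-05-01T10:00:15Z src=+15550100 dst=+994000000001 type=MO",
  "2024-05-01T10:00:20Z src=+15550100 dst=+20000000002 type=MO",
  "2024-05-01T10:00:25Z src=+15550100 dst=+95000000003 type=MO",
  "2024-05-01T10:00:30Z src=+15550100 dst=+994000000001 type=MO",
  "2024-05-01T10:00:35Z src=+15550100 dst=+20000000002 type=MO",
  "2024-05-01T10:00:40Z src=+15550100 dst=+95000000003 type=MO",
  "2024-05-01T10:00:45Z src=+15550100 dst=+994000000001 type=MO",
  "2024-05-01T10:00:50Z src=+15550100 dst=+20000000002 type=MO",
  "2024-05-01T10:00:55Z src=+15550100 dst=+95000000003 type=MO",
  "2024-05-01T10:01:00Z src=+15550200 dst=+20000000002 type=MO",
  "2024-05-01T10:01:30Z src=+15550200 dst=+15550300 type=MO",
  "2024-05-01T10:01:40Z src=+15550300 dst=+15550200 type=MT",
];

console.log(JSON.stringify(detectInflatedTraffic(SAMPLE_LOG), null, 2));
```

The sliding window is keyed on the sending subscriber rather than on the destination, because in this scheme the attacker rotates destinations and the victim's own line is the constant. A carrier deployment would replace the prefix list with its termination-rate table and feed the alert into a hold-and-verify step before the messages are billed.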
Pro insight: This IRSF scheme highlights the need for enhanced user education on verification processes to mitigate telecom fraud risks.