Fake CAPTCHA Scams Exploit Verification Clicks for International SMS Spam


International Text Message Scam Uses Fake CAPTCHAs to Drain Bank Accounts

A sophisticated cybercrime operation has been uncovered by security researchers at Infoblox, revealing a long-running scheme that has been secretly depleting bank accounts since at least June 2020.

The Scam’s Modus Operandi:

The scam leverages fake CAPTCHA pages to facilitate a type of cybercrime known as International Revenue Share Fraud (IRSF).

  • Victims are initially directed to a typosquatted domain, which appears to belong to a legitimate telecommunications brand.
  • Once on the wrong page, users are guided toward a complex Traffic Distribution System (TDS).
  • In one instance observed by researchers in March 2026, the redirection chain led through multiple nodes, including a German commercial advertising network, before reaching a landing page under the control of the scammers.

Fake CAPTCHA Pages:

The fake CAPTCHA page presents users with innocuous questions about their device type (iOS or Android) or network speed (4G or WiFi).

According to researchers, “each response triggers a JavaScript function called ‘makeTracker,’ which sets off a series of events.”

Upon completing the four-step verification process, victims may inadvertently send up to 60 messages to over 50 distinct destinations across 17 countries, resulting in substantial costs due to high termination fees.
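The fan-out described above (dozens of messages to many destinations in several countries within one short session) is a pattern a carrier or mobile-fleet operator can look for in outbound SMS records. The following is an added example, not code from Infoblox or from this article; the record layout, the thresholds, the function names and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds, chosen for illustration; tune against real traffic.
WINDOW = timedelta(minutes=10)
MIN_DESTINATIONS = 10
MIN_COUNTRIES = 5

def flag_irsf_bursts(records, home_country):
    """Return {sender: (messages, destinations, countries)} for senders whose
    international SMS inside any WINDOW reach both thresholds above.

    records: iterable of (timestamp, sender, destination, dest_country).
    """
    by_sender = defaultdict(list)
    for ts, sender, dest, country in records:
        if country != home_country:  # only international traffic is relevant
            by_sender[sender].append((ts, dest, country))

    flagged = {}
    for sender, events in by_sender.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the left edge until the span fits inside WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            dests = {d for _, d, _ in window}
            countries = {c for _, _, c in window}
            if len(dests) >= MIN_DESTINATIONS and len(countries) >= MIN_COUNTRIES:
                # Keep the largest qualifying window seen for this sender.
                if len(window) > flagged.get(sender, (0, 0, 0))[0]:
                    flagged[sender] = (len(window), len(dests), len(countries))
    return flagged

def sample_records():
    """Constructed records: one victim-like burst and one ordinary user."""
    t0 = datetime(2026, 3, 1, 12, 0, 0)
    labels = ["AA", "BB", "CC", "DD", "EE", "FF"]  # placeholder country labels
    burst = [(t0 + timedelta(seconds=5 * i), "user-1",
              f"dest-{i % 12}", labels[i % 6]) for i in range(24)]
    normal = [(t0 + timedelta(hours=i), "user-2", "dest-friend", "AA")
              for i in range(3)]
    normal.append((t0, "user-2", "dest-home", "HOME"))
    return burst + normal
```

Calling `flag_irsf_bursts(sample_records(), "HOME")` flags only the constructed burst sender; the ordinary user, who sends a few international messages hours apart, is not reported.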

Preventing the Scam:

To prevent users from exiting the malicious loop, scammers employ back button hijacking, a technique prohibited by Google.

Researchers attribute this activity to an affiliate of a European Click2SMS network utilizing infrastructure hosted on AS15699, also known as Adam Ecotech.

Further analysis revealed that the same systems employed for spreading malware and scareware are now being utilized to industrialize phone fraud.

Security Experts’ Warning:

Legitimate security checks will never require users to send text messages to verify their identities.

Users should remain vigilant against such scams and avoid engaging with suspicious websites or CAPTCHA pages that request sensitive information or prompt users to send messages.


