New Fake CAPTCHA Campaign Uses SMS Pumping Fraud to Run Up Victims’ Phone Bills

CSBadmin

A fake CAPTCHA scam tricks mobile users into triggering dozens of international SMS messages, costing roughly $30 per victim through revenue share fraud.

A newly documented scam campaign is using fake CAPTCHA pages to silently trigger dozens of international SMS messages from victims’ mobile phones, leaving them with unexpected charges. Malwarebytes analyst Pieter Arntz identified the operation as an International Revenue Share Fraud (IRSF) scheme, more commonly known as SMS pumping fraud, where inflated SMS volumes to high-fee international destinations generate kickbacks for attackers through telecom revenue-sharing agreements.

Victims arrive at these fake CAPTCHA pages through malvertising or Traffic Distribution System (TDS) redirects, often originating from typosquatted telecom domains. The page presents a standard image-selection CAPTCHA, but when the user taps “continue,” their phone’s native SMS app opens with messages pre-filled for more than a dozen international numbers across 17 countries known for high termination fees, including Azerbaijan, Myanmar, and Egypt. Attackers use back-button hijacking via JavaScript to trap users on the page, rewriting browser history so pressing back just reloads the scam.

The scheme does not rely on malware or device compromise. Instead, it exploits how telecom billing systems and affiliate networks operate, quietly converting ordinary web traffic into premium SMS revenue. Each victim can incur roughly $30 in international SMS charges on a standard consumer plan. The campaign connects to a Click2SMS-style affiliate network that openly advertises accepting “all kinds of traffic,” effectively packaging IRSF as a revenue tool for shady web publishers.

Users should never send an SMS to verify identity online, as legitimate CAPTCHA systems work entirely within the browser. Mobile subscribers should review bills regularly for small unfamiliar international charges and consider blocking international or premium SMS if not needed. Known malicious domains include sweeffg[.]online, colnsdital[.]com, zawsterris[.]com, megaplaylive[.]com, and ruelomamuy[.]com.
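
For defenders who inspect page content, for example in a web filter or a mobile browser extension, the pre-filled multi-recipient SMS links described above can be triaged as shown here. This is an added example, not code from Malwarebytes or the original article; the home country prefix, the recipient threshold, the function names and the sample links are assumptions constructed for illustration.

```javascript
// Added example: triage sms: links (RFC 5724 syntax) collected from a page.
// HOME_PREFIX and MAX_RECIPIENTS are assumptions; tune them per deployment.
const HOME_PREFIX = "+1";   // assumed home country code of the subscriber
const MAX_RECIPIENTS = 1;   // assumed: a legitimate "text us" link has one number

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; } // keep malformed input
}

// Split "sms:+111,+222?body=text" into normalized recipients and the body.
function parseSmsUri(uri) {
  const m = /^sms:(?:\/\/)?([^?]*)(?:\?(.*))?$/i.exec(String(uri).trim());
  if (!m) return null;
  const recipients = m[1]
    .split(/[,;]/)
    .map((r) => safeDecode(r).replace(/[\s\-().]/g, "").replace(/^00/, "+"))
    .filter((r) => r.length > 0);
  const body = new URLSearchParams(m[2] || "").get("body") || "";
  return { recipients, body };
}

// Flag links that fan out to several numbers, or that pre-fill a message
// to a number outside the home country.
function assessSmsUri(uri) {
  const parsed = parseSmsUri(uri);
  if (!parsed) return { suspicious: false, reasons: [] };
  const foreign = parsed.recipients.filter(
    (r) => r.startsWith("+") && !r.startsWith(HOME_PREFIX));
  const reasons = [];
  if (parsed.recipients.length > MAX_RECIPIENTS)
    reasons.push(`${parsed.recipients.length} recipients in one link`);
  if (foreign.length > 0)
    reasons.push(`${foreign.length} international recipient(s)`);
  if (parsed.body !== "") reasons.push("message body pre-filled");
  const suspicious = parsed.recipients.length > MAX_RECIPIENTS ||
    (foreign.length > 0 && parsed.body !== "");
  return { suspicious, reasons };
}

// Constructed sample links (not taken from the campaign).
const SAMPLE_LINKS = [
  "sms:+15555550100?body=HELP",
  "sms:+994000000001,+95000000002,+20000000003?body=verify%201",
  "https://example.com/contact",
];

function scanLinks(links) {
  return links.filter((l) => assessSmsUri(l).suspicious);
}
console.log(scanLinks(SAMPLE_LINKS));
```

The single-number domestic link and the ordinary web link pass; only the link addressed to several international numbers with a pre-filled body is flagged.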


Source: Cyber Security News — New Fake CAPTCHA Campaign Uses SMS Pumping Fraud to Run Up Victims Pho
