Fake CAPTCHA Scam Abuses Verification Clicks to Send Costly International Texts

The emergence of fake CAPTCHA scams underscores a new frontier in International Revenue Share Fraud, where attackers weaponize ordinary web verification flows to monetize mobile messaging. By leveraging typosquatted domains that mimic reputable telecom brands, fraudsters lure unsuspecting users into a multi‑step verification that silently activates a JavaScript payload. This payload opens the native SMS client, pre‑populating messages to dozens of premium‑rate numbers across high‑termination‑fee jurisdictions such as Azerbaijan and Myanmar. The model is attractive to cybercriminals because each successful session can generate $30 or more, while the delayed appearance on phone bills hampers timely detection and dispute.

Technical analysis reveals a sophisticated traffic distribution system (TDS) that routes victims through advertising networks before reaching the scam landing page. The use of back‑button hijacking—once a common browser exploit now banned by Google—keeps users trapped in a loop, ensuring the SMS cascade completes before they can navigate away. This persistence amplifies revenue per victim and demonstrates how legacy web‑based attack techniques are being repurposed for mobile fraud. Infoblox’s attribution to an affiliate of a European Click2SMS network, operating on AS15699, highlights the cross‑border nature of the infrastructure and the challenge of jurisdictional enforcement.

For businesses and telecom operators, the incident signals a need to strengthen validation of CAPTCHA implementations and monitor atypical SMS traffic patterns. Deploying real‑time analytics that flag sudden spikes in outbound international messages can help mitigate financial loss. Moreover, educating end‑users about the impossibility of legitimate CAPTCHAs requiring SMS confirmation is essential. As cybercriminals continue to blend web and mobile attack vectors, a coordinated response that spans browser security, carrier fraud detection, and user awareness will be critical to curbing this evolving threat.