TempMail Ninja

Click2SMS Scam: Fake CAPTCHA Challenges Lead to Revenue Fraud

In the digital age, the CAPTCHA has long served as the silent sentry of the internet, a simple gatekeeper designed to differentiate flesh-and-blood users from the encroaching tide of automated bots. However, in a sophisticated pivot that weaponizes user trust, a new wave of cybercrime has transformed this routine security check into a conduit for financial theft. Known as the Click2SMS scam, this operation represents a masterclass in social engineering, technical exploitation, and international revenue fraud. By the time a victim realizes they have been compromised, they may have unknowingly authorized dozens of high-cost international text messages, leaving them with a bloated mobile bill and a compromised sense of security.

The Evolution of the Click2SMS Scam: Beyond the Traditional Phish

Security researchers at Infoblox and other threat intelligence firms recently disclosed a large, coordinated campaign that capitalizes on “click fatigue”: the habit of clicking through prompts and verification screens without reading them in order to reach the desired content. Unlike traditional phishing, which steals login credentials or card numbers, the Click2SMS scam monetizes the victim’s mobile bill directly, through a mechanism known as International Revenue Share Fraud (IRSF).

The campaign primarily gains traction through malvertising and redirects from typosquatted domains. These domains are carefully crafted to mimic well-known telecommunications brands, streaming services, or adult content sites. Once a user lands on the malicious landing page, usually via a mobile browser, they are met with a familiar “Prove you’re human” challenge. But this is no standard Google reCAPTCHA. Instead of selecting traffic lights or fire hydrants, the user is prompted to interact with buttons labeled with benign technical jargon, such as “Verify Network Speed” or “Check OS Compatibility.”

The Social Engineering Trap

The brilliance of the Click2SMS scam lies in its mimicry of legitimate administrative tasks. Because modern smartphones often require various permissions for network optimization or software updates, a prompt to “Verify Connection” does not immediately trigger alarm bells for the average user. This “veneer of legitimacy” ensures that the victim remains engaged with the site through multiple steps, each one serving as a trigger for a distinct fraudulent transaction.

Technical Deep Dive: How the Exploit Works

Under the hood, the Click2SMS scam leverages standard web technologies in a highly non-standard way. The technical execution relies on the interplay between JavaScript and mobile browser protocol handlers, specifically the sms: URI scheme.

  • The JavaScript Trigger: As the victim taps through the fake CAPTCHA, the page’s JavaScript reports each step to a server-side endpoint (identified in the research as makeTrackerDownload.php). That endpoint tracks the user’s progress and sequentially serves the malicious payloads for the next stage.
  • The SMS Protocol Handler: Each payload is an sms: URI, the scheme defined in RFC 5724 for handing a draft message to the device’s messaging application. A legitimate site uses it to let a user share a link from their own messaging app; here it is abused to pre-fill both the message body and a comma-separated list of recipients without the user’s explicit consent. A practitioner decoding these links should expect either separator before the body: Android parses sms:<number>?body=..., while iOS historically required sms:<number>&body=....
  • The Encoded Intent: The recipient list consists of international premium-rate numbers. When the user taps “Continue” or “Verify” on the web page, the browser navigates to the sms: URI and the mobile OS opens the default SMS app with the recipients and message already drafted.

Crucially, the scam does not send the text itself. Web content on iOS and Android cannot send SMS silently; the sms: scheme only opens the composer, so everything depends on the victim performing the final “Send.” Because the user is already in a state of “click-flow,” they often tap Send reflexively to get back to the “verification” process, not realizing they are messaging a high-cost international destination, and, with several recipients pre-filled, several at once.
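The following JavaScript is an added example for this article, not code recovered from the campaign or published by the researchers. It parses sms: and smsto: URIs in the RFC 5724 shape described above and flags the IRSF pattern: many recipients pre-filled, numbers on high-risk international prefixes, and a drafted body. The sample landing-page fragment, the host names and the two-entry prefix watchlist are constructed for illustration; a real pipeline would load premium-rate ranges from a carrier IRSF feed.

```javascript
// Added example: parse sms:/smsto: URIs (RFC 5724 shape) found in a landing
// page and flag the Click2SMS / IRSF pattern. Sample data is constructed.

// Illustrative watchlist built from country codes named in the article.
// A real deployment would load premium-rate / IRSF ranges from a carrier feed.
const HIGH_RISK_PREFIXES = { "+994": "Azerbaijan", "+95": "Myanmar" };

// decodeURIComponent throws on malformed escapes; fall back to the raw text.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (_) { return s; }
}

// Parse one URI into { scheme, recipients, body }.
// RFC 5724: sms:<recipient>[,<recipient>...][?body=...]. Android reads the
// body after "?", iOS historically after "&", so both separators are accepted.
function parseSmsUri(uri) {
  const m = /^(sms|smsto):(.*)$/i.exec(uri.trim());
  if (!m) return null;
  const rest = m[2];
  const sep = rest.search(/[?&]/);
  const recipientPart = sep === -1 ? rest : rest.slice(0, sep);
  const fieldPart = sep === -1 ? "" : rest.slice(sep + 1);
  const recipients = recipientPart
    .split(",")
    .map((r) => safeDecode(r).replace(/[\s().-]/g, "")) // "%2B994..." -> "+994..."
    .filter(Boolean);
  const body = new URLSearchParams(fieldPart).get("body") || "";
  return { scheme: m[1].toLowerCase(), recipients, body };
}

// Country name for a watchlisted number, or null.
function riskLabel(number) {
  const prefix = Object.keys(HIGH_RISK_PREFIXES).find((p) => number.startsWith(p));
  return prefix ? HIGH_RISK_PREFIXES[prefix] : null;
}

// Score a URI: "block", "review" or "allow", with the reasons.
function assessSmsUri(uri) {
  const parsed = parseSmsUri(uri);
  if (!parsed) return null;
  const { recipients, body } = parsed;
  const e164 = recipients.filter((r) => r.startsWith("+") || r.startsWith("00"));
  const risky = recipients.filter(riskLabel);
  const reasons = [];
  if (recipients.length > 1) reasons.push(`${recipients.length} recipients pre-filled`);
  if (e164.length) reasons.push(`${e164.length} E.164-format recipient(s)`);
  if (risky.length) reasons.push(`high-risk prefix: ${[...new Set(risky.map(riskLabel))].join(", ")}`);
  if (body) reasons.push("pre-filled body");
  let verdict = "allow"; // no recipient: the user picks who to text, as in a share link
  if (recipients.length > 0) {
    if (risky.length || (recipients.length > 1 && e164.length)) verdict = "block";
    else if (e164.length || body) verdict = "review";
  }
  return { uri, ...parsed, reasons, verdict };
}

// Pull every distinct sms:/smsto: URI out of markup or inline script, whether
// it sits in an href attribute or in a string literal assigned to location.
function extractSmsUris(html) {
  const found = new Set();
  const re = /["'](sms(?:to)?:[^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) found.add(m[1]);
  return [...found];
}

function triageSmsLinks(html) {
  return extractSmsUris(html).map(assessSmsUri);
}

// Constructed landing-page fragment: a benign share link, an ordinary support
// link, and two Click2SMS-style "verification" triggers (one per separator).
const SAMPLE_HTML = `
<a href="sms:?body=Join%20me%20on%20this%20site">Share via SMS</a>
<a href="sms:+15551234567?body=Hi">Text support</a>
<button onclick="location.href='sms:+994501234567,+95912345678,%2B994551234567?body=VERIFY%20a1b2c3'">
  Verify Network Speed
</button>
<script>
  function checkOs() { window.location = "sms:+95987654321&body=OK"; }
</script>`;

for (const r of triageSmsLinks(SAMPLE_HTML)) {
  console.log(r.verdict.padEnd(6), r.recipients.length, "recipient(s):", r.reasons.join("; ") || "-");
}
```

Run with Node. The share link with no recipient is allowed, the single-recipient support link is flagged for review only because it carries a drafted body, and both “verification” triggers are blocked. Note that the percent-encoded plus sign (%2B) is decoded before the prefix check; a naive match on the raw string would miss the third recipient.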

Persistence and the “Back-Button Hijacking” Technique

To maximize revenue, the architects of the Click2SMS scam ensure that a single interaction is never enough. They employ a technique known as back-button hijacking to trap the user in a perpetual loop of fraud. This tactic involves manipulating the browser’s history API to prevent the user from navigating away from the malicious page.

The History API Abuse

The malicious script calls history.pushState() repeatedly to pad the browser’s history stack with fake entries for the same page. When a frustrated user presses the “Back” button, the browser steps to one of those injected entries instead of leaving the site, and the page’s popstate handler immediately reloads the fraudulent CAPTCHA, pushes a fresh entry, or redirects the user to a new stage of the scam. Back therefore never reaches the page the user came from, and they remain on the site long enough to complete the multi-step “verification” process.
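To make the loop concrete, here is an added example that models the trap in JavaScript; it is not code from the campaign. Node has no window.history, so a small FakeHistory class stands in for the browser’s history stack and popstate event, reproducing the two behaviours the trap depends on: pushState discards forward entries and appends, and Back moves the pointer and then fires popstate on the page. The host names are hypothetical.

```javascript
// Added example: model of the back-button trap. FakeHistory stands in for
// window.history plus the popstate event so the loop runs offline in Node;
// in a real page the same calls target window.history.pushState and
// window.addEventListener("popstate", ...). Host names are hypothetical.

const SCAM_ORIGIN = "https://verify.example.invalid";
const REFERRER = "https://news.example.invalid/article";

class FakeHistory {
  constructor(landingUrl) {
    this.entries = [REFERRER, landingUrl]; // where the victim came from, then the scam page
    this.index = 1;
    this.popstateHandlers = [];
  }
  get length() { return this.entries.length; }
  get currentUrl() { return this.entries[this.index]; }
  // Like the real API: drop any forward entries, append, move the pointer.
  pushState(_state, _title, url) {
    this.entries = this.entries.slice(0, this.index + 1);
    this.entries.push(new URL(url, this.currentUrl).href);
    this.index = this.entries.length - 1;
  }
  addEventListener(type, handler) {
    if (type === "popstate") this.popstateHandlers.push(handler);
  }
  // What tapping Back does: step the pointer back, then fire popstate.
  back() {
    if (this.index === 0) return;
    this.index -= 1;
    for (const h of this.popstateHandlers) h({ state: null });
  }
}

// The trap: pad the stack with same-page entries so Back has something to
// consume, then re-push a new "verification step" every time popstate fires.
function installBackTrap(history, padding) {
  let step = 0;
  const served = []; // URLs the victim lands on after each Back press
  for (let i = 0; i < padding; i++) {
    history.pushState(null, "", `${SCAM_ORIGIN}/captcha#pad${i}`);
  }
  history.addEventListener("popstate", () => {
    step += 1;
    history.pushState(null, "", `${SCAM_ORIGIN}/captcha?step=${step}`);
    served.push(history.currentUrl); // a real page would render the next fake CAPTCHA / sms: prompt here
  });
  return served;
}

// Press Back `backPresses` times on a trapped (or untrapped) page and report.
function simulateBackPresses(backPresses, { padding = 5, trapped = true } = {}) {
  const history = new FakeHistory(`${SCAM_ORIGIN}/captcha`);
  const served = trapped ? installBackTrap(history, padding) : [];
  for (let i = 0; i < backPresses; i++) history.back();
  return {
    escaped: !history.currentUrl.startsWith(SCAM_ORIGIN),
    finalUrl: history.currentUrl,
    historyLength: history.length,
    stepsServed: served.length,
  };
}

console.log("trapped:", simulateBackPresses(10));
console.log("untrapped:", simulateBackPresses(1, { trapped: false }));
```

With the trap installed, ten Back presses leave the victim on .../captcha?step=10 with the stack still seven entries deep, and every press has served another stage; without it, a single Back returns to the referrer. This is why the only reliable escape is to close the tab rather than keep pressing Back.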

The Multi-Step Payload

A typical session observed by researchers involves four distinct “verification” steps, each of which opens a fresh pre-filled message addressed to a batch of recipients. By the end of the process, a single victim may have sent over 60 international SMS messages to roughly 50 different premium-rate numbers across 17 countries. Given the termination fees attached to these numbers, a single 10-minute browsing session can produce charges of $30 to $50 or more, depending on the victim’s mobile carrier and international plan.

The Financial Ecosystem: International Revenue Share Fraud (IRSF)

The Click2SMS scam is the consumer-facing end of a complex global financial crime known as International Revenue Share Fraud. This is not a simple theft of funds; it is a sophisticated exploitation of the global telecommunications settlement process.

  1. Premium-Rate Number Acquisition: Fraudsters lease or partner with rogue “Tier-2” or “Tier-3” telecommunications providers in jurisdictions with high termination fees, such as Azerbaijan, Myanmar, and Kazakhstan.
  2. The Revenue Share Agreement: The fraudsters enter into an agreement where they receive a percentage of the revenue generated by incoming traffic to these numbers.
  3. Traffic Generation: This is where the Click2SMS scam comes in. By tricking thousands of users into sending texts to these numbers, the fraudsters “pump” traffic into the rogue carrier’s network.
  4. Settlement: The victim’s home carrier (e.g., a major US or European provider) must pay a “termination fee” to the foreign carrier to deliver the message. A portion of this fee is then kicked back to the fraudsters as a “commission.”

This model is highly attractive to cybercriminals because the “theft” is distributed. The mobile carrier pays the bill initially and then passes the cost on to the consumer. Because international charges often take days or weeks to appear on a billing statement, the fraudsters have ample time to vanish or rotate their infrastructure before the scam is detected.

Attribution and Infrastructure: The Adam Ecotech Connection

Analysis of the Click2SMS scam infrastructure has revealed ties to an extensive affiliate network based in Europe. Many of the malicious domains are hosted on AS15699, a network associated with Adam Ecotech. This infrastructure has a long history of involvement in high-volume “gray” activities, including the distribution of scareware, ad fraud, and traditional malware.

The campaign utilizes a complex Traffic Distribution System (TDS). When a user clicks on a malicious ad, they aren’t sent directly to the scam page. Instead, they are bounced through a series of “nodes”—intermediary servers that check the user’s device type, geographic location, and browser version. If the TDS determines the user is on a mobile device and in a profitable target region, it serves the Click2SMS scam landing page. This filtering process helps the attackers avoid security researchers and automated scanners that typically operate from desktop environments or specific IP ranges.

Mitigation: How to Defend Against Click-Driven Fraud

As the Click2SMS scam continues to evolve, both consumers and telecommunications providers must adopt a multi-layered defense strategy. The primary defense is awareness, but technical safeguards are increasingly necessary to combat the automation used by attackers.

For the Consumer

  • Trust No CAPTCHA with SMS: No legitimate verification service, whether Google, Cloudflare, Microsoft or another provider, will ever ask a user to open their SMS app or send a text message to “prove they are human.” If a CAPTCHA moves away from image selection or simple clicks toward launching another app, treat it as fraud and leave the page.
  • Monitor Mobile Billing: Users should regularly check their mobile accounts for unexpected international charges. Most carriers allow users to set “spend caps” or “international blocks” that can prevent these charges from ever being authorized.
  • Browser Safety: Use mobile browsers that have strong anti-phishing and anti-redirection protections. If you find yourself trapped by back-button hijacking, the best course of action is to close the tab entirely or force-quit the browser app.

For the Industry

Telecommunications providers are increasingly deploying Next-Generation Firewalls (NGFW) with Deep Content Inspection (DCI) on their messaging paths. By analyzing outgoing SMS patterns in real time, a carrier can identify “pumping” activity, where a single handset suddenly sends dozens of messages to known high-risk international prefixes, and block or hold the traffic before the charges are finalized.

Furthermore, Google has announced a major policy shift regarding back-button hijacking. Starting in mid-2026, the Chrome browser will explicitly penalize and block sites that interfere with normal navigation, a move that could significantly degrade the effectiveness of the Click2SMS scam‘s persistence mechanisms.

Final Assessment: The Future of Mobile Fraud

The Click2SMS scam is a stark reminder that as our technical defenses improve, human psychology remains the most vulnerable surface. By dressing up a financial heist in the mundane clothes of a CAPTCHA, fraudsters have found a way to bypass the skepticism of even tech-savvy users. As we move further into 2026, the professionalization of these affiliate networks suggests that mobile-centric fraud will only become more surgical and harder to detect. For the modern user, the price of “proving you’re human” should never be a $30 international text message.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.