Fake CAPTCHA Scam Exploits Global IRSF for SMS Fraud

In the evolving landscape of cybercrime, the most effective weapons are often those that hide in plain sight, masquerading as the very security tools we trust to keep us safe. A sophisticated global operation, recently deconstructed by threat intelligence researchers at Infoblox, has been doing exactly that. By weaponizing a Fake CAPTCHA Scam, threat actors have industrialised International Revenue Share Fraud (IRSF), turning a routine “Verify You Are Human” prompt into a high-speed billing engine that hijacks mobile accounts and drains balances through premium-rate SMS messages.
This is not a simple phishing attempt; it is a meticulously engineered campaign that bridges the gap between traditional telecom fraud and modern web redirection infrastructure. As of late April 2026, researchers have identified at least 120 distinct campaigns operating across 17 different countries, illustrating a scale of coordination that challenges existing mobile and network security paradigms.
The Anatomy of Deception: How the Fake CAPTCHA Scam Operates
The brilliance—and the danger—of the Fake CAPTCHA Scam lies in its exploitation of psychological muscle memory. Users are so accustomed to solving CAPTCHAs to access content that they rarely scrutinise the underlying mechanism. The attack typically begins when a user is lured to a malicious site via typosquatted domains—web addresses that mimic legitimate telecommunications brands—or through deceptive Facebook advertisements featuring deepfake celebrity endorsements and AI-themed investment promises.
Once the victim lands on the fraudulent page, the following technical sequence occurs:
- Step 1: The Lure: The user is presented with a familiar-looking CAPTCHA interface. It may ask the user to “Verify they are human” or answer seemingly innocuous questions about their device (e.g., “Are you using iOS or Android?”) and network type (3G, 4G, or Wi-Fi).
- Step 2: The Script Trigger: Every interaction with the “Verify” or “Next” button triggers a hidden JavaScript function, frequently identified by researchers as makeTrackerDownload.php.
- Step 3: The SMS Hijack: This script does not verify the user’s humanity. Instead, it programmatically invokes the device’s native messaging application. The application opens with a pre-filled list of international phone numbers and a pre-written, often encoded, message.
- Step 4: The Multi-Stage Payload: Unlike simple “Click-to-SMS” scams of the past, this campaign is multi-staged. A single “verification” process can involve four or more steps, with each click triggering a new batch of messages.
By the time a user completes the “security check,” their device may have sent upwards of 60 background SMS messages to over 50 unique international destinations. Because the process is fast and the interface looks professional, many users simply hit “Send” or “OK” on their phone’s system prompts without realising they are authorizing a financial transaction.
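The sequence above can be checked for statically in a fetched landing page. The scanner below is an added example written for this article, not code from Infoblox or the article; it assumes the “Verify” button hands the phone an sms: URI with several recipients and a pre-filled body (the page describes the behaviour but not the URI form), and the sample page and calling-code table are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Assumption (not stated in the article): the hidden script opens the messaging app
# through an sms: URI such as sms:+994501234567,+959123456789?body=...
SMS_URI_RE = re.compile(r"""sms(?:to)?:([^?"'\s<>]+)(?:\?([^"'\s<>]*))?""", re.IGNORECASE)

# Calling codes of the destinations the article names; constructed lookup table
HIGH_COST_PREFIXES = {"+994": "Azerbaijan", "+76": "Kazakhstan", "+77": "Kazakhstan",
                      "+95": "Myanmar", "+20": "Egypt"}
TRACKER_HINT = "makeTrackerDownload.php"   # script name the article says researchers see

# Constructed sample landing page: one fan-out link and one ordinary contact link
SAMPLE_PAGE = """<div class="captcha">Verify you are human
<a id="verify" href="sms:+994501234567,+959123456789;+201001234567?body=OK%20A1B2">Verify</a>
<a href="sms:+447700900123?body=hello">Contact us</a>
<script src="/makeTrackerDownload.php"></script></div>"""

def normalise(number):
    """Strip separators and turn a 00-prefixed number into +E.164 form."""
    n = re.sub(r"[^\d+]", "", unquote(number))
    return "+" + n[2:] if n.startswith("00") else n

def destination_country(number):
    for prefix, country in HIGH_COST_PREFIXES.items():
        if number.startswith(prefix):
            return country
    return None

def parse_sms_uri(uri):
    """Return (recipients, body) for one sms: URI; recipients may be split by , or ;."""
    m = SMS_URI_RE.search(uri)
    if not m:
        return [], ""
    recipients = [normalise(r) for r in re.split(r"[,;]", m.group(1)) if r]
    body = parse_qs(m.group(2) or "").get("body", [""])[0]
    return recipients, body

def scan_page(html, min_recipients=2):
    """One finding per sms: URI that fans out to several recipients or hits a high-cost code."""
    findings = []
    for m in SMS_URI_RE.finditer(html):
        recipients, body = parse_sms_uri(m.group(0))
        countries = sorted({c for c in map(destination_country, recipients) if c})
        if len(recipients) >= min_recipients or countries:
            findings.append({"recipients": recipients, "countries": countries,
                             "body": body, "tracker_script": TRACKER_HINT in html})
    return findings

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print(f)
```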
International Revenue Share Fraud (IRSF): The Economic Engine
To understand why attackers go to such lengths to trick users into sending text messages, one must understand the economics of International Revenue Share Fraud (IRSF). This is a form of telecom crime where fraudsters exploit the “termination fees” paid between carriers for routing international traffic.
The attackers lease premium-rate or high-cost international numbers from “shady” or complicit telecom providers. When a victim’s phone sends a message to one of these numbers, the victim’s local carrier must pay a termination fee to the destination carrier. A portion of this fee is then kicked back to the attacker who “owns” the number. The destinations targeted in this Fake CAPTCHA Scam are carefully selected for their high billing rates, including:
- Azerbaijan
- Kazakhstan
- Myanmar
- Egypt
- Premium-rate European ranges
While a single SMS might only cost a few cents, the volume is the goal. In a typical session, a victim can rack up $30.00 or more in charges within minutes. When scaled across 120 campaigns and thousands of victims, the illicit revenue reaches into the millions. Furthermore, this fraud model is particularly resilient because of delayed billing. International roaming and SMS charges often take weeks to appear on a mobile statement. By the time the victim sees the “International SMS” surcharges, they have long forgotten the brief CAPTCHA they encountered while browsing, making it nearly impossible to trace the source or dispute the charges effectively.
The Role of Keitaro TDS and Infrastructure Obfuscation
The sophistication of this Fake CAPTCHA Scam is amplified by the use of complex Traffic Distribution Systems (TDS). Specifically, the threat actors have been observed abusing the Keitaro platform, a legitimate advertising tracker and traffic manager. By utilizing Keitaro, attackers can create “conditional routing flows” that serve as a cloaking layer.
If a security researcher or an automated bot visits the malicious URL, the TDS can detect the source and redirect them to a harmless Wikipedia page or a dead link. However, if a valid mobile user from a targeted geographic region (detected via IP and User-Agent strings) clicks the link, the TDS routes them directly into the fraud funnel. This “gatekeeping” ensures the longevity of the scam by keeping the malicious landing pages hidden from the scanners used by cybersecurity firms.
Researchers have traced these redirection chains through multiple nodes, often passing through commercial advertising networks in Germany and infrastructure hosted on AS15699 (Adam Ecotech), a provider frequently associated with “bulletproof” hosting and grey-market activities. This level of infrastructure layering makes traditional domain-based blacklisting largely ineffective.
Browser Hijacking: Trapping the Victim
To ensure maximum revenue, the Fake CAPTCHA Scam employs a technique known as back button hijacking. Using the JavaScript pushState() method, the scam site manipulates the browser’s history. When a victim realizes something is wrong and attempts to click “Back” to return to safety, the script simply refreshes the current malicious page or moves them to a different stage of the fraud funnel.
This creates a “navigation loop” that traps the user. Frustrated and wanting to reach the content they were originally looking for, many victims choose the path of least resistance: completing the fake verification prompts. This persistence significantly increases the “conversion rate” for the fraudsters, ensuring that once a user enters the TDS funnel, they rarely leave without triggering at least one set of SMS charges.
Technical Indicators and Campaign Statistics
The scale of this operation is documented through several key indicators of compromise (IoCs) and metrics discovered during the Infoblox investigation:
- Campaign Volume: Over 120 distinct campaigns active between late 2025 and April 2026.
- Domain Proliferation: Approximately 13,500 domains associated with Keitaro-related redirection activity.
- Targeted Countries: Victims and termination numbers spanning 17 countries across Europe, Asia, and the Middle East.
- Phone Number Pool: Researchers identified a pool of 35 core premium-rate numbers rotated across the campaigns to evade carrier-level blocking.
This data suggests that the threat actors are operating an “affiliate” model. A central group provides the infrastructure—the fake CAPTCHA templates, the Keitaro TDS configurations, and the premium-rate number access—while “affiliates” drive traffic to the lures. This industrialization of fraud mirrors the “Ransomware-as-a-Service” (RaaS) model that has dominated the malware landscape for years.
Defense and Mitigation: How to Neutralize the Threat
Because the Fake CAPTCHA Scam exploits both human psychology and legitimate ad-tech infrastructure, defending against it requires a multi-layered approach. Standard antivirus software is often insufficient, as the attack does not technically involve “malware” in the traditional sense; rather, it is a series of authorized (albeit deceptive) actions.
For Individual Users
- Never Send SMS for Verification: A legitimate CAPTCHA (such as Google’s reCAPTCHA or Cloudflare’s Turnstile) will never ask you to open your messaging app or send a text message to “prove you are human.” If a verification screen triggers your SMS app, close the browser immediately.
- Audit Your Mobile Bill: Review your monthly mobile statements for “International SMS” or “Premium Service” charges. If you find unauthorized charges, contact your carrier immediately to block international messaging.
- Beware of Deepfakes: Be skeptical of Facebook or social media ads featuring celebrity endorsements for AI trading platforms or crypto giveaways. These are the primary entry points for the TDS redirects.
For Organizations and ISPs
- DNS-Level Security: Organizations should implement protective DNS services that can identify and block the lookalike domains and TDS nodes (like those associated with Keitaro abuse) before a user even reaches the landing page.
- Real-Time Traffic Monitoring: Telecom carriers must implement more robust, real-time monitoring for “Artificially Inflated Traffic” (AIT). Large bursts of international SMS messages from a single device to known high-cost destinations should trigger an immediate account freeze or verification request.
- Browser Configuration: Enterprises should enforce browser policies that restrict the use of JavaScript APIs like pushState() on untrusted domains to prevent back button hijacking.
Conclusion: The Future of Mobile Fraud
The emergence of the Fake CAPTCHA Scam as a primary vector for IRSF signals a shift in the cybercriminal’s toolkit. By moving away from credential theft and toward the exploitation of routine web interactions, attackers have found a way to “monetize the mundane.” The use of AI to generate convincing lures and the abuse of sophisticated ad-tracking platforms like Keitaro demonstrate that fraud is no longer the work of isolated hackers, but a global, coordinated industry.
As we move deeper into 2026, the convergence of telecom fraud and web-based social engineering will continue to accelerate. Only through proactive threat intelligence, increased public awareness, and cooperation between the cybersecurity and telecommunications sectors can we hope to dismantle these lucrative “billing engines” and protect the digital economy from this silent, multi-million dollar drain.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.