
Cybersecurity researchers have uncovered a large-scale fraud operation that uses fake CAPTCHA verification pages to trick users into sending international SMS messages, generating illicit revenue for attackers. The campaign is tied to a form of telecom fraud known as international revenue share fraud (IRSF), where victims unknowingly incur charges on their mobile bills while attackers profit from termination fees. The activity has reportedly been ongoing since at least 2020 and spans multiple countries.
The scam typically begins when users are redirected to a malicious webpage that displays a fake CAPTCHA prompt asking them to “confirm they are human” by sending a text message. Instead of a standard verification step, the process triggers multiple pre-filled SMS messages to international numbers. In some cases, victims may send up to 60 messages to dozens of numbers across different countries, resulting in charges that can reach around $30 per incident, often appearing weeks later on billing statements.
Researchers note that the operation relies heavily on social engineering techniques and browser manipulation tactics such as back-button hijacking. This prevents users from easily leaving the malicious page, increasing the likelihood they complete the fake verification steps. The campaign also uses cookies and tracking mechanisms to guide victims through multiple stages, ensuring maximum message volume and higher profits for the attackers.
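The page-level traits described above (a CAPTCHA lure, pre-filled SMS to several international numbers, back-button hijacking) can be checked statically in captured page source. The sketch below is an added example, not code from the researchers; it assumes the lure uses `sms:` URIs (RFC 5724), and the function name, thresholds, `+1` home prefix and sample HTML are constructed for illustration.

```python
import re
from urllib.parse import unquote

# sms: URI (RFC 5724): comma-separated recipients, optional pre-filled body.
SMS_URI = re.compile(r"sms:([+\d,\-.()%]*)(?:[?&;]+body=([^\"'\s<>]*))?", re.I)
CAPTCHA_LURE = re.compile(r"captcha|not a robot|(you are|you're) human", re.I)
HISTORY_TRAP = re.compile(r"history\.pushState|onpopstate|['\"]popstate['\"]", re.I)


def analyse_page(html, home_prefix="+1"):
    """Return static indicators of an SMS-toll lure found in page source."""
    recipients, bodies = set(), []
    for m in SMS_URI.finditer(html):
        for raw in unquote(m.group(1)).split(","):
            num = re.sub(r"[^\d+]", "", raw)
            if num.startswith("00"):  # 00 international prefix -> +
                num = "+" + num[2:]
            if num:
                recipients.add(num)
        if m.group(2):
            bodies.append(unquote(m.group(2)))
    # Assumption: anything outside the home country code counts as foreign.
    foreign = sorted(n for n in recipients
                     if n.startswith("+") and not n.startswith(home_prefix))
    flags = []
    if bodies:
        flags.append("prefilled_sms_body")
    if len(foreign) >= 2:  # constructed threshold
        flags.append("multiple_foreign_recipients")
    if CAPTCHA_LURE.search(html):
        flags.append("captcha_lure")
    if HISTORY_TRAP.search(html):
        flags.append("back_button_trap")
    suspicious = {"prefilled_sms_body", "captcha_lure"} <= set(flags) and bool(foreign)
    return {"flags": flags, "foreign": foreign, "suspicious": suspicious}


# Constructed samples; +999 is not an assigned country code.
LURE = '''<h1>CAPTCHA: confirm you are human</h1>
<a href="sms:+9990000001,+9990000002,+9990000003?body=VERIFY%2042">I am human</a>
<script>window.onpopstate = function () { history.pushState(null, "", location.href); };</script>'''
BENIGN = '<p>Questions? <a href="sms:+15550100?body=Hello">Text our help desk</a></p>'

if __name__ == "__main__":
    print(analyse_page(LURE))
    print(analyse_page(BENIGN))
```

A single pre-filled `sms:` link is common on legitimate contact pages, so the verdict requires the lure wording and a foreign recipient together rather than any one flag.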
In parallel, the investigation revealed that threat actors are abusing a traffic distribution system known as Keitaro to run over 120 malicious campaigns. These campaigns include malware delivery, cryptocurrency scams, and fake investment schemes promoted through deceptive ads and even deepfake celebrity endorsements. The infrastructure allows attackers to route victims through complex redirection chains, making detection and takedown significantly more difficult.
The findings highlight how cybercriminals are combining traditional telecom fraud with modern ad-tech and AI-driven deception methods to scale their operations globally. By exploiting both individuals and telecom providers, these campaigns demonstrate an evolving threat landscape where seemingly harmless online interactions, such as CAPTCHA checks, can be weaponized for financial gain.




