Fake CAPTCHA Scam Exposed: Cybercriminals Exploit SMS Verification to Drive Global Telecom Fraud

CAPTCHAs have long served as a frontline defense against bots, asking users to identify traffic lights or distorted text. However, threat actors are now exploiting this familiarity to execute sophisticated fraud schemes. One emerging tactic involves fake CAPTCHA pages that trick users into sending SMS messages—unknowingly participating in International Revenue Share Fraud (IRSF).

Unlike traditional phishing attacks, this method leverages user trust in verification systems. Instead of stealing credentials directly, attackers monetize user actions through telecom billing systems. Victims are prompted to “verify” themselves by sending SMS messages, which are routed to premium international numbers controlled by fraudsters.

Figure: Initial observed redirection chain leading to a fake CAPTCHA page

Understanding the IRSF Mechanism

IRSF is a telecom fraud model where attackers profit from international SMS or call termination fees. When a user sends an SMS abroad, their carrier pays a fee to the destination network. Fraudsters exploit this by:

  • Registering premium-rate numbers in high-cost regions (e.g., Azerbaijan, Myanmar)
  • Partnering with telecom providers under revenue-sharing agreements
  • Driving traffic to these numbers using deceptive techniques

Each SMS sent generates a small payout—but at scale, this becomes highly lucrative.


Anatomy of the Fake CAPTCHA Attack

This campaign uses a multi-stage CAPTCHA flow designed to maximize SMS volume rather than validate human interaction.

Step-by-Step Flow

  1. User lands on a fake CAPTCHA page
  2. They are prompted with simple verification questions
  3. Each step triggers:
    • A JavaScript API call (makeTrackerDownload.php)
    • Retrieval of multiple international phone numbers
    • Launch of the SMS app with pre-filled recipients and messages
  4. User sends the SMS (often unknowingly to dozens of numbers)
  5. Process repeats across multiple steps

In observed cases:

  • ~15 numbers per step
  • 4 steps total
  • ≈60 SMS messages sent
  • Estimated cost: ~$30 per victim
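The flow above hinges on one mechanism: each "verification" step hands the user's SMS app a pre-filled list of international recipients. The following detector is an added example, not code from the article or from the campaign it describes. It pulls every quoted sms: URI out of a page's HTML (whether in an href or assigned to window.location from an inline script), parses recipients and body, and scores the page on the signals the write-up gives: many distinct recipients, recipients outside the victim's home country, SMS used as a "verification" step, and an affiliate-style token in the message body. The home country code, the thresholds, and every number, token and snippet of HTML are constructed assumptions.

```javascript
// Added example, not code from the article or the campaign: a heuristic
// detector for pages whose "verification" steps hand the user's SMS app a
// batch of pre-filled international recipients. Every number, token and
// snippet of HTML below is constructed for the demonstration.

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Parse one sms: URI into recipients and body. Handles both the
// "sms:+1..,+2..?body=x" form (RFC 5724 / Android) and the older
// "sms:+1..;body=x" form (iOS).
function parseSmsUri(uri) {
  const m = /^sms(?:to)?:(.*)$/i.exec(String(uri).trim());
  if (!m) return null;
  let rest = m[1];
  let body = '';
  const sep = rest.search(/[?;]/);
  if (sep !== -1) {
    for (const part of rest.slice(sep + 1).split('&')) {
      const eq = part.indexOf('=');
      const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
      if (key === 'body') body = safeDecode(part.slice(eq + 1).replace(/\+/g, ' '));
    }
    rest = rest.slice(0, sep);
  }
  const recipients = rest.split(',')
    .map((r) => safeDecode(r).replace(/[\s().-]/g, ''))
    .filter(Boolean);
  return { recipients, body };
}

// Pull every quoted sms:/smsto: URI out of raw HTML, whether it sits in an
// href or in an inline script that assigns window.location.
function extractSmsLinks(html) {
  const out = [];
  const re = /["'](sms(?:to)?:[^"'\s]+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Affiliate/tracking tokens: template placeholders such as {af}, or an
// alphanumeric token of 6+ characters that mixes letters and digits.
const TRACKING_TOKEN = /\{[a-z_]+\}|\b(?=[a-z]*\d)(?=\d*[a-z])[a-z\d]{6,}\b/i;

function assessPage(html, opts = {}) {
  const home = opts.homeCountryCode || '+1';  // assumption: victim's home country code
  const maxRecipients = opts.maxRecipients || 3;
  const maxForeign = opts.maxForeign || 1;
  const links = extractSmsLinks(html).map(parseSmsUri).filter(Boolean);
  const recipients = new Set();
  let foreignCount = 0;
  let trackingToken = false;
  for (const link of links) {
    for (const r of link.recipients) {
      if (recipients.has(r)) continue;
      recipients.add(r);
      if (r.startsWith('+') && !r.startsWith(home)) foreignCount++;
    }
    if (TRACKING_TOKEN.test(link.body)) trackingToken = true;
  }
  const reasons = [];
  if (links.length && /\b(verify|verification|human|captcha)\b/i.test(html)) {
    reasons.push('SMS used as a "verification" step');
  }
  if (recipients.size > maxRecipients) reasons.push(`${recipients.size} distinct recipients`);
  if (foreignCount > maxForeign) reasons.push(`${foreignCount} recipients outside ${home}`);
  if (trackingToken) reasons.push('tracking/affiliate token in message body');
  const risk = reasons.length >= 2 ? 'high' : reasons.length === 1 ? 'medium' : 'low';
  return { smsLinks: links.length, recipientCount: recipients.size, foreignCount, trackingToken, reasons, risk };
}

// Constructed stand-in for one step of the flow described above; the
// numbers are placeholders using country codes the write-up names.
const SAMPLE_PAGE = `
<h2>Step 2 of 4: confirm you are human</h2>
<a href="sms:+994500000001,+994500000002,+95900000003?body=VERIFY%20{af}%20x7k92q">Send verification</a>
<script>
  setTimeout(function () {
    window.location = "sms:+93700000004,+93700000005;body=OK%20a1b2c3d4";
  }, 500);
</script>`;

// Constructed benign contact link for comparison.
const BENIGN_PAGE = `<p>Questions? <a href="sms:+15550100100?body=Hello">Text us</a></p>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(assessPage(SAMPLE_PAGE));  // risk: 'high'
  console.log(assessPage(BENIGN_PAGE));  // risk: 'low'
}
```

Run against the constructed sample, the page scores "high" on all four signals; the single-recipient contact link scores "low". The same functions can be pointed at a crawler's fetched HTML or at a proxy's response bodies, and the recipient count per step is what turns the article's per-victim estimate (numbers per step times steps) into a concrete figure for a given page.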

Traffic Distribution Systems (TDS): The Hidden Engine

Victims rarely land on these pages directly. Instead, they are funneled through Traffic Distribution Systems (TDS)—infrastructure commonly used in adtech and cybercrime.

Redirection Chain Example

  • User visits a spoofed telecom domain
  • Redirected through multiple TDS nodes
  • Final destination: fake CAPTCHA page
  • Post-verification redirect to a “benign” site (often gaming/adult content)

TDS enables:

  • Precise targeting (location, device, ISP)
  • Evasion of detection systems
  • Affiliate-based monetization
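The redirection chain and the TDS features listed above leave a recognisable trace in a proxy log or in browser devtools: several 30x hops across unrelated domains, an affiliate or click id carried from one TDS node to the next, and a landing page that exposes sms: links. The scorer below is an added example, not the article's code; the hop list is constructed to look like a captured chain (one entry per response, with the final landing page's HTML attached), and all hostnames, ids and phone numbers are placeholders. The registrable-domain helper is a deliberate approximation noted in the code.

```javascript
// Added example, not the article's code: scoring a captured redirect chain
// for the TDS pattern described above. The hop list is constructed to look
// like what a proxy log or browser devtools would record. Hostnames, ids and
// numbers are placeholders.

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return ''; }
}

// Approximates the registrable domain as the last two labels. Good enough
// for a demonstration; a production tool should use the Public Suffix List.
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

function analyzeChain(hops, opts = {}) {
  // Query keys treated as tracking/affiliate ids (assumption).
  const trackingKeys = (opts.trackingKeys || ['af', 'aff', 'cid', 'clickid', 'sub'])
    .map((k) => k.toLowerCase());
  const domains = [];
  const seenOn = new Map();  // tracking key -> set of domains that carried it
  let redirects = 0;
  for (const hop of hops) {
    if (hop.status >= 300 && hop.status < 400) redirects++;
    const domain = registrableDomain(hostOf(hop.url));
    if (domain && !domains.includes(domain)) domains.push(domain);
    let params;
    try { params = new URL(hop.url).searchParams; } catch (e) { continue; }
    for (const key of params.keys()) {
      if (!trackingKeys.includes(key.toLowerCase())) continue;
      if (!seenOn.has(key)) seenOn.set(key, new Set());
      seenOn.get(key).add(domain);
    }
  }
  const carried = [...seenOn].filter(([, doms]) => doms.size >= 2).map(([key]) => key);
  const landing = hops.length ? hops[hops.length - 1] : {};
  const smsLinks = ((landing.body || '').match(/["']sms(?:to)?:[^"'\s]+["']/gi) || []).length;

  const reasons = [];
  if (redirects >= 2 && domains.length >= 3) {
    reasons.push(`${redirects} redirects across ${domains.length} domains`);
  }
  if (carried.length) reasons.push(`tracking id(s) carried across domains: ${carried.join(', ')}`);
  if (smsLinks) reasons.push(`landing page exposes ${smsLinks} sms: link(s)`);
  const verdict = reasons.length >= 2 ? 'tds-to-sms-scam' : reasons.length ? 'suspicious' : 'benign';
  return { redirects, domains, carried, smsLinks, reasons, verdict };
}

// Constructed chain: spoofed telecom domain -> two TDS hops -> fake CAPTCHA page.
const OBSERVED_CHAIN = [
  { status: 302, url: 'https://telecom-brand-lookalike.example/' },
  { status: 302, url: 'https://tds-one.example/r?cid=1&af=AFF01' },
  { status: 302, url: 'https://tds-two.example/go?af=AFF01&geo=XX&dev=mobile' },
  { status: 200, url: 'https://chat.wordpair.example/verify',
    body: '<a href="sms:+994500000001,+994500000002?body=VERIFY%20AFF01">Verify</a>' },
];

// Constructed benign chain: an http -> https upgrade, then the page itself.
const BENIGN_CHAIN = [
  { status: 301, url: 'http://shop.example/' },
  { status: 200, url: 'https://shop.example/', body: '<h1>Welcome</h1>' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(analyzeChain(OBSERVED_CHAIN));  // verdict: 'tds-to-sms-scam'
  console.log(analyzeChain(BENIGN_CHAIN));    // verdict: 'benign'
}
```

The cross-domain tracking-id check is what separates a TDS chain from an ordinary redirect: a single-domain http-to-https bounce never carries an affiliate id across registrable domains, while the chain in the write-up carries it through every node so the final payout can be attributed.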

Advanced Evasion and Persistence Techniques

1. Back Button Hijacking

Attackers manipulate browser history using pushState():

  • Prevents users from navigating away
  • Forces them back into the CAPTCHA loop
  • Increases likelihood of SMS interaction
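Back-button hijacking has a simple runtime signature: a burst of pushState() calls, usually re-pushing the current URL, so that every press of Back lands on the same page. The guard below is an added example (not the article's code) of how a browser extension or client-side telemetry script could observe that burst: it wraps history.pushState, keeps a sliding window of recent pushes, and raises a flag once the count inside the window exceeds a threshold. It observes rather than blocks, because a single-page app also pushes entries. The window and threshold are assumptions, and the two scenarios run against a fake history object with a manual clock so the demonstration works in Node; in a browser you would pass window.history.

```javascript
// Added example, not the article's code: a guard that wraps history.pushState
// and flags the burst of synthetic entries a back-button trap relies on.
// In a browser: createHistoryGuard(window.history, { onTrap: report }).
// Thresholds and the timings in the scenarios below are assumptions.

function createHistoryGuard(history, opts = {}) {
  const windowMs = opts.windowMs || 5000;   // look-back window
  const maxPushes = opts.maxPushes || 5;    // more pushes than this inside the window is suspicious
  const now = opts.now || (() => Date.now());
  const originalPush = history.pushState.bind(history);
  const recent = [];                        // pushes inside the window
  const state = { flagged: false, sameUrlPushes: 0, lastUrl: null, report: null };

  history.pushState = function (data, title, url) {
    const t = now();
    const u = url == null ? '' : String(url);
    recent.push({ t, url: u });
    while (recent.length && t - recent[0].t > windowMs) recent.shift();
    if (u === state.lastUrl) state.sameUrlPushes++;  // traps re-push the current URL
    state.lastUrl = u;
    if (!state.flagged && recent.length > maxPushes) {
      state.flagged = true;
      state.report = { pushesInWindow: recent.length, sameUrlPushes: state.sameUrlPushes, windowMs };
      if (typeof opts.onTrap === 'function') opts.onTrap(state.report);
    }
    return originalPush(data, title, url);  // observe, do not break navigation
  };

  return {
    isFlagged: () => state.flagged,
    report: () => state.report,
    pushesInWindow: () => recent.length,
    restore: () => { history.pushState = originalPush; },
  };
}

// Minimal stand-in for window.history so the guard can be exercised offline.
function makeFakeHistory() {
  const entries = [];
  return {
    entries,
    pushState(data, title, url) { entries.push({ data, url }); },
  };
}

// Scenario 1: the trap pattern, re-pushing the same URL twenty times in
// about a second (constructed timing).
function scenarioTrap() {
  let clock = 0;
  const hist = makeFakeHistory();
  const guard = createHistoryGuard(hist, { now: () => clock });
  for (let i = 0; i < 20; i++) {
    clock += 50;
    hist.pushState(null, '', '/verify');
  }
  return { flagged: guard.isFlagged(), entries: hist.entries.length, report: guard.report() };
}

// Scenario 2: a single-page app pushing three distinct routes over half a
// minute (constructed timing).
function scenarioBenign() {
  let clock = 0;
  const hist = makeFakeHistory();
  const guard = createHistoryGuard(hist, { now: () => clock });
  for (const route of ['/home', '/search', '/item/42']) {
    clock += 10000;
    hist.pushState(null, '', route);
  }
  return { flagged: guard.isFlagged(), entries: hist.entries.length, pushesInWindow: guard.pushesInWindow() };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scenarioTrap());    // flagged: true
  console.log(scenarioBenign());  // flagged: false
}
```

The trap scenario is flagged on the sixth push, with all five prior pushes targeting the same URL; the routed app never has more than one push inside the window. Combining the flag with the sms: link check from the page analysis is the kind of behavioural signal the article argues detection needs beyond domain blocking.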

2. Dynamic Command-and-Control (C2)

Server-side parameters allow real-time control:

  • forceRedirectURL: reroutes traffic dynamically
  • forceMessage: modifies SMS content without updating code

3. Cookie-Based Targeting

Cookies store:

  • Geolocation
  • ISP data
  • Device type
  • “Success rate” scoring

Users deemed less profitable are redirected to alternate campaigns.


Infrastructure and Global Reach

The operation spans:

  • 17 countries
  • 35+ phone numbers
  • Hosting on ASN infrastructure (e.g., Adam EcoTech)

Domains follow patterns like:

  • Randomized strings (e.g., paired word combinations)
  • Content-themed subdomains (chat, vids, tips)

Affiliate tracking codes ({af}) embedded in SMS messages indicate large-scale campaign coordination.


Why This Scam Is So Effective

  • Delayed billing: Charges appear weeks later
  • Low friction: Simple CAPTCHA tasks reduce suspicion
  • Distributed infrastructure: Hard to trace or block globally
  • Legal misdirection: Fine-print disclaimers shift responsibility to users

Our Opinion: A Convergence of Telecom and Adtech Abuse

This campaign highlights a critical shift in cybercrime—where traditional telecom fraud intersects with modern adtech ecosystems. The use of TDS infrastructure, typically associated with advertising optimization, to distribute IRSF scams represents a dangerous evolution. It blurs the line between legitimate traffic monetization and outright fraud.

What makes this particularly concerning is the scalability. Affiliate networks, often operating in regulatory gray zones, enable bad actors to plug into existing ecosystems without building infrastructure from scratch. This lowers the barrier to entry and accelerates the spread of such campaigns.

Equally troubling is the user experience design. By mimicking familiar CAPTCHA workflows, attackers exploit behavioral trust rather than technical vulnerabilities. This means even security-aware users can fall victim.

From a defensive standpoint, this calls for stronger collaboration between telecom providers, browser vendors, and ad networks. Blocking domains alone is insufficient—detection must extend to behavioral patterns like SMS triggering and back-button manipulation.

Ultimately, this is not just a fraud problem—it’s an ecosystem problem. Until accountability is enforced across all participating layers, such campaigns will continue to thrive.


Final Takeaway

If a website asks you to send an SMS to prove you’re human—it’s a scam.