Introduction
CAPTCHA pages are supposed to help separate humans from bots.
That simple trust mechanism is now being weaponized.
A newly reported fake CAPTCHA campaign shows how threat actors are tricking users into sending international SMS messages as part of a broader international revenue share fraud operation. Instead of proving they are human, victims are pushed into sending costly text messages to attacker-controlled phone numbers.
The campaign is especially concerning because it combines several threat techniques into one fraud ecosystem:
- Fake CAPTCHA pages
- Social engineering
- International revenue share fraud
- Traffic distribution systems
- Back button hijacking
- SMS abuse
- Crypto scam redirection
- Keitaro TDS infrastructure abuse
This is not a traditional malware infection.
There is no confirmed CVE involved.
There is no ransomware payload described in the reporting.
The attack works because users are manipulated into performing the harmful action themselves.
That makes the campaign difficult to detect, difficult to explain to victims, and highly scalable for fraud groups.
For companies, telecom providers, mobile users, and security teams, this incident is a reminder that social engineering does not always arrive as an email attachment or fake login page.
Sometimes it arrives as a simple instruction:
Send this SMS to prove you are human.
What Happened
Cybersecurity researchers disclosed a global fraud operation that uses fake CAPTCHA pages to trick users into sending international SMS messages.
The campaign is tied to international revenue share fraud, commonly known as IRSF.
In an IRSF scheme, threat actors use international premium rate numbers or high-cost destinations to generate revenue. When victims send SMS messages or place calls to those numbers, telecom carriers pay termination fees. A portion of that revenue can then be shared with the fraud operators or the parties controlling the number ranges.
In this campaign, users are redirected through traffic distribution infrastructure to fake CAPTCHA pages.
The fake CAPTCHA does not simply ask users to click images or type text.
Instead, it instructs them to send SMS messages to confirm they are human.
The process reportedly uses multiple stages. Each stage can trigger SMS messages to several international numbers. In one observed case, the process generated as many as 60 SMS messages across 15 unique numbers.
The result can be unexpected international SMS charges on the victim’s phone bill.
The campaign reportedly used phone numbers across 17 countries, including destinations associated with high termination fees or weak regulatory enforcement.
Researchers also connected the activity to broader traffic distribution system abuse, including more than 120 campaigns abusing Keitaro TDS infrastructure for malicious activity such as crypto wallet drainers, fake airdrops, giveaway scams, and AI-themed investment fraud.
Why This Issue Is Critical
This issue is critical because it turns a familiar security experience into a fraud mechanism.
Users are trained to complete CAPTCHAs.
They see them on login pages, payment forms, online stores, portals, and cloud services.
That familiarity makes the scam more convincing.
The attacker does not need to compromise the phone.
They do not need to exploit a mobile operating system vulnerability.
They do not need to bypass app store security.
They only need the victim to believe the fake CAPTCHA instruction.
That is what makes this campaign dangerous.
The fraud also benefits from delayed billing. International SMS charges may not appear immediately. By the time the victim notices the cost, they may not remember the CAPTCHA interaction that caused it.
This delay helps attackers avoid immediate detection and user reporting.
For telecom providers, the issue is also serious.
The fraud can affect both individuals and carriers. Victims may dispute charges, while carriers may absorb financial losses or pay revenue shares into fraudulent traffic paths.
For security teams, the campaign demonstrates how traffic distribution systems can be abused beyond malware and phishing.
TDS infrastructure can route users to different destinations based on device type, geography, browser behavior, user quality, campaign parameters, and detection risk.
That makes malicious campaigns harder to track and block.
What Caused the Issue
The campaign was caused by the convergence of social engineering, telecom monetization abuse, and malicious traffic routing.
There is no confirmed software vulnerability or CVE behind the campaign.
The key causes include:
Fake CAPTCHA Social Engineering
The attacker uses a familiar verification pattern to lower suspicion.
Victims are told they must send SMS messages to prove they are real users.
International Revenue Share Fraud
Threat actors use phone numbers in countries or number ranges where SMS termination fees can generate revenue.
The more messages victims send, the more potential revenue the fraud ecosystem can generate.
Traffic Distribution System Abuse
Traffic distribution systems route users through chains of domains and redirects.
This allows threat actors to filter traffic, hide landing pages, avoid researchers, and send different users to different destinations.
Back Button Hijacking
The campaign reportedly uses browser history manipulation to trap users on the fake CAPTCHA page.
When a user presses the back button, they may be redirected back into the malicious page instead of leaving safely.
Affiliate-Style Fraud Infrastructure
The campaign appears to use campaign tracking parameters, affiliate codes, and TDS routing logic.
This suggests a monetized ecosystem where traffic, phone numbers, and landing pages work together.
Keitaro TDS Abuse
Keitaro is a legitimate advertising performance tracker, but threat actors can abuse TDS functionality for malicious routing, cloaking, traffic filtering, and scam delivery.
That makes the issue a platform-abuse problem rather than a vulnerability in one user device.
How the Attack Chain Works
The fake CAPTCHA scam follows a fraud-driven attack chain.
It is designed to manipulate user behavior and monetize SMS traffic.
Initial Traffic Acquisition
The victim lands on a suspicious domain, typo-squatted website, ad-driven page, compromised redirect, or traffic broker path.
This may happen through ads, spam links, fake content sites, or deceptive campaign infrastructure.
TDS Redirection
The user is passed through a traffic distribution system.
The TDS evaluates the visitor based on device, region, browser, campaign identifiers, and other parameters.
If the user appears valuable, they are routed toward the fake CAPTCHA scam.
If not, they may be sent somewhere else.
Fake CAPTCHA Presentation
The user sees a page that appears to be a verification challenge.
The design mimics familiar CAPTCHA behavior, but the required action is unusual:
Send an SMS to continue.
SMS App Launch
The page uses mobile behavior to launch the user’s SMS application with pre-filled message content and attacker-supplied phone numbers.
The user may only need to press send.
Multi-Step Verification Loop
The fake CAPTCHA presents several steps.
Each step can trigger additional SMS messages to multiple numbers.
This increases the total number of international messages sent by the victim.
Billing Impact
The victim may later see unexpected international SMS charges.
Because the billing delay may be weeks, the victim may not connect the charges to the fake CAPTCHA page.
Revenue Generation
Fraud operators benefit from the international SMS termination fee structure and revenue-sharing arrangements linked to the destination numbers.
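As an added illustration (not code from the researchers' report), here is a small Python scanner for the landing-page pattern described in the chain above: it parses a page for sms: links with pre-filled bodies to numbers outside an assumed home country prefix and checks for the history-manipulation pattern behind back button hijacking. The sample page, the +999 placeholder numbers, HOME_PREFIX and MAX_SMS_TARGETS are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample page: several "steps", each an sms: link with a pre-filled
# body to numbers outside the home country, plus a history trap. Placeholders only.
SAMPLE_PAGE = """
<a href="sms:+999000000001?body=CONFIRM%2071A">Step 1</a>
<a href="sms:+999000000002,+999000000003?body=CONFIRM%2071B">Step 2</a>
<a href="sms:+999000000001&body=CONFIRM%2071C">Step 3</a>
<script>
  history.pushState(null, "", location.href);
  addEventListener("popstate", function () { history.pushState(null, "", location.href); });
</script>
"""

HOME_PREFIX = "+1"   # assumed home country code of the user base
MAX_SMS_TARGETS = 1  # a genuine SMS verification needs at most one number


class _PageCollector(HTMLParser):
    # Collect anchor hrefs and inline script text from the page.
    def __init__(self):
        super().__init__()
        self.hrefs, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href.strip())
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def parse_sms_uri(uri):
    """Return (recipients, body) for an sms: URI. Accepts the RFC 5724
    '?body=' form and the '&body=' form historically used on iOS."""
    rest, body = uri[len("sms:"):], None
    parts = re.split(r"[?&]body=", rest, maxsplit=1)
    if len(parts) == 2:
        rest, body = parts[0], unquote(parts[1])
    return [r for r in rest.split(",") if r], body


def scan_page(html, home_prefix=HOME_PREFIX):
    """Score a page for the fake CAPTCHA / SMS fraud pattern."""
    collector = _PageCollector()
    collector.feed(html)
    targets, prefilled = set(), 0
    for href in collector.hrefs:
        if href.lower().startswith("sms:"):
            numbers, body = parse_sms_uri(href)
            targets.update(numbers)
            if body is not None:
                prefilled += 1
    script = "\n".join(collector.scripts)
    return {
        "sms_targets": sorted(targets),
        "foreign_targets": sorted(t for t in targets if not t.startswith(home_prefix)),
        "prefilled_bodies": prefilled,
        "history_trap": "pushState" in script and "popstate" in script,
        "suspicious": len(targets) > MAX_SMS_TARGETS and prefilled > 0,
    }
```

A single sms: link to a single number with no history trap scores as not suspicious, so the check targets the multi-number, pre-filled flow rather than every page that offers to open the messaging app.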
Why This Incident Matters for Cybersecurity
This incident matters because it shows how cybercrime continues to blend technical infrastructure with human manipulation.
The campaign does not rely on a classic exploit.
It relies on trust.
Users trust CAPTCHA pages.
Advertisers trust traffic platforms.
Mobile users trust pre-filled SMS workflows.
Telecom networks trust billing and termination systems.
Threat actors abuse those trust relationships.
That is the pattern modern defenders must understand.
Many attacks now succeed by combining legitimate tools, familiar interfaces, and monetized infrastructure.
A fake CAPTCHA may look harmless.
A TDS may look like ad tracking.
A pre-filled SMS may look like a verification step.
A crypto airdrop may look like a promotional campaign.
Individually, each element may seem ordinary. Together, they become a scalable fraud machine.
This also matters because Keitaro TDS abuse shows how legitimate marketing technology can be repurposed by threat actors.
Traffic routing, cloaking, geofencing, campaign analytics, and conditional redirects are useful for advertisers. They are also useful for attackers who want to hide scams from defenders and deliver different content to different users.
That makes abuse harder to detect.
Common Risks Highlighted by the Incident
This campaign highlights several important cybersecurity and fraud risks.
Fake CAPTCHA Abuse
Users are increasingly exposed to fake verification pages that push unsafe actions.
These may include SMS fraud, ClickFix malware, malicious downloads, browser notification abuse, or phishing.
IRSF Telecom Fraud
International revenue share fraud can create direct financial losses for victims and carriers.
Small charges per user can become large profits at scale.
TDS-Based Cloaking
Traffic distribution systems allow attackers to hide landing pages from researchers, scanners, and security vendors.
Back Button Hijacking
Browser navigation manipulation can trap victims on scam pages and increase interaction rates.
Crypto Wallet Drainers
Keitaro-linked campaigns reportedly promoted cryptocurrency wallet-drainer schemes, fake airdrops, and giveaway lures.
AI Investment Scam Abuse
Fraudsters are using AI-themed language, fake celebrity endorsements, and synthetic videos to make investment scams more believable.
Delayed Detection
Victims may not notice SMS charges until weeks later.
Security teams may not see the activity if it happens outside corporate networks or on personal devices.
Brand and Ad Abuse
Fraud actors can use lookalike domains, fake ads, and deceptive landing pages to exploit brand trust.
Potential Impact on Organizations
Although this campaign primarily targets individuals and mobile users, organizations should not ignore it.
The business impact can include:
- Employees exposed to SMS fraud on corporate mobile devices
- Unexpected mobile billing costs
- Increased help desk tickets
- Exposure to related phishing or malware campaigns
- Brand impersonation through fake ads or typo-squatted domains
- Customer trust damage if company names are abused in lures
- Fraud against telecom providers and mobile carriers
- Increased risk from crypto wallet-drainer campaigns
- Social engineering awareness gaps
- Weak mobile threat visibility
For companies with bring-your-own-device environments, the risk can be harder to manage.
Employees may access corporate resources and personal browsing from the same mobile device. If they encounter fake CAPTCHA scams, crypto scams, or malicious redirects, the organization may have limited visibility.
For telecom providers, the impact is more direct.
IRSF campaigns can create large financial losses through artificially inflated SMS traffic, customer disputes, chargebacks, and fraudulent termination fees.
For cryptocurrency users and companies involved in Web3, the Keitaro-linked wallet-drainer activity creates another risk layer.
Fake airdrops and giveaway scams can quickly lead to wallet compromise and asset theft.
What Organizations Should Do Now
Organizations should use this campaign as a prompt to review mobile security, social engineering awareness, DNS security, and fraud detection.
Recommended actions include:
- Educate employees never to send SMS messages to prove they are human
- Add fake CAPTCHA scenarios to security awareness training
- Monitor corporate mobile billing for unusual international SMS charges
- Block suspicious domains associated with known TDS infrastructure
- Use DNS-layer security to disrupt malicious redirect chains
- Review mobile device management controls
- Restrict unnecessary international SMS capabilities where feasible
- Warn employees about fake airdrops and crypto giveaway scams
- Review brand protection monitoring for typo-squatted domains
- Monitor for fake ads impersonating the organization
- Train users to close browser tabs instead of using the back button when trapped
- Review secure web gateway logs for suspicious redirect chains
- Include mobile fraud scenarios in incident response playbooks
- Coordinate with telecom providers on SMS anomaly detection
Organizations should also reinforce one simple user rule:
A real CAPTCHA should not require sending international SMS messages.
If a page asks for that, users should close it immediately.
Detection and Monitoring Strategies
Detection should focus on DNS, mobile billing, web traffic, and user-reported fraud.
Security teams should monitor for:
- Unexpected international SMS charges
- Bursts of SMS messages to foreign numbers
- User reports of fake CAPTCHA pages
- Browser redirects through suspicious domains
- Traffic to known TDS infrastructure
- Repeated redirects through short-lived domains
- Suspicious ad-driven landing pages
- New typo-squatted domains targeting the company
- Fake investment sites using company or executive names
- Crypto wallet-drainer domains
- High-risk DNS queries linked to scam infrastructure
- Back button hijacking complaints from users
- Mobile devices launching SMS apps from browser sessions
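An added example (not from the report or any gateway vendor) of reconstructing redirect chains from web gateway logs, as the list above recommends: each client's 3xx responses are stitched to the follow-up request for the Location target, and chains that hop across several hosts are flagged. The log format, the hostnames under the reserved .example TLD and the MIN_DISTINCT_HOSTS threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed gateway log lines (not a real vendor format):
# timestamp client method url status location
SAMPLE_LOG = """\
2025-01-10T09:00:00Z 10.0.0.5 GET http://ad-click.example/go?c=77 302 https://track.example.net/r?sub=77
2025-01-10T09:00:01Z 10.0.0.5 GET https://track.example.net/r?sub=77 302 https://verify-step.example.org/?id=77
2025-01-10T09:00:02Z 10.0.0.5 GET https://verify-step.example.org/?id=77 200 -
2025-01-10T09:05:00Z 10.0.0.6 GET https://intranet.example/home 200 -
2025-01-10T09:06:00Z 10.0.0.6 GET http://intranet.example/docs 301 https://intranet.example/docs
2025-01-10T09:06:01Z 10.0.0.6 GET https://intranet.example/docs 200 -
"""

MIN_DISTINCT_HOSTS = 3  # hops across this many hosts is unusual for benign traffic


def parse_log(text):
    """Parse the constructed format into (client, url, status, location) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, status, location = line.split()
        rows.append((client, url, int(status), None if location == "-" else location))
    return rows


def redirect_chains(rows):
    """Stitch each client's 3xx responses to the follow-up request for the
    Location target. Returns a list of chains, each a list of URLs."""
    chains, pending = [], {}  # pending: (client, expected_url) -> chain so far
    for client, url, status, location in rows:
        chain = pending.pop((client, url), [url])
        if 300 <= status < 400 and location:
            pending[(client, location)] = chain + [location]
        elif len(chain) > 1:
            chains.append(chain)
    chains.extend(pending.values())  # redirects that were never followed still count
    return chains


def suspicious_chains(rows):
    """Chains that pass through MIN_DISTINCT_HOSTS or more distinct hosts."""
    out = []
    for chain in redirect_chains(rows):
        hosts = {urlsplit(u).hostname for u in chain}
        if len(hosts) >= MIN_DISTINCT_HOSTS:
            out.append({"hosts": sorted(hosts), "landing": chain[-1], "hops": len(chain)})
    return out
```

The http-to-https hop on the intranet host is stitched into a chain but stays on one host, so it is not flagged; the ad-to-tracker-to-landing-page chain is.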
Security tools that may help include:
- DNS filtering
- Secure web gateways
- Mobile threat defense
- Endpoint detection and response
- CASB and browser security tools
- Brand monitoring platforms
- Telecom fraud monitoring
- SIEM correlation
- Threat intelligence feeds
- Ad fraud monitoring
For telecom providers, detection should include:
- Abnormal SMS volumes to high-risk countries
- Sudden spikes in traffic to premium-rate ranges
- Repeated low-volume charges across many customers
- Unusual traffic linked to specific URL campaigns
- Destination numbers associated with fraud complaints
- Correlation between web lures and SMS traffic
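Turning two of the carrier-side indicators above (bursts of SMS to foreign numbers, and repeated low-volume charges across many customers) into a check, as an added example that is not from the report: the records, the +999 placeholder numbers, HOME_PREFIX and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound SMS records: (subscriber, destination, sent_at).
# Three subscribers each send a short burst to the same small set of foreign
# numbers; a fourth sends one ordinary domestic message. Placeholders only.
SAMPLE_CDRS = [
    ("sub-A", "+999000000001", "2025-01-10T09:00:01"),
    ("sub-A", "+999000000002", "2025-01-10T09:00:04"),
    ("sub-A", "+999000000003", "2025-01-10T09:00:09"),
    ("sub-A", "+999000000001", "2025-01-10T09:00:15"),
    ("sub-B", "+999000000001", "2025-01-10T11:30:00"),
    ("sub-B", "+999000000002", "2025-01-10T11:30:07"),
    ("sub-B", "+999000000003", "2025-01-10T11:30:12"),
    ("sub-C", "+999000000002", "2025-01-11T08:05:00"),
    ("sub-C", "+999000000003", "2025-01-11T08:05:05"),
    ("sub-C", "+999000000001", "2025-01-11T08:05:11"),
    ("sub-D", "+15550001111", "2025-01-10T10:00:00"),
]

HOME_PREFIX = "+1"                  # assumed home country code of the subscriber base
BURST_WINDOW = timedelta(seconds=60)
BURST_MIN_DESTINATIONS = 3          # distinct foreign numbers inside one window
SHARED_MIN_SUBSCRIBERS = 3          # same foreign number reached by this many customers


def _parse(cdrs):
    rows = [(sub, dst, datetime.fromisoformat(ts)) for sub, dst, ts in cdrs]
    return sorted(rows, key=lambda r: r[2])


def burst_subscribers(cdrs, home_prefix=HOME_PREFIX):
    """Subscribers that message >= BURST_MIN_DESTINATIONS distinct foreign
    numbers within BURST_WINDOW: the multi-step fake CAPTCHA signature.
    Returns {subscriber: distinct destinations in the first flagged window}."""
    by_sub = defaultdict(list)
    for sub, dst, ts in _parse(cdrs):
        if not dst.startswith(home_prefix):
            by_sub[sub].append((ts, dst))
    flagged = {}
    for sub, events in by_sub.items():
        for i, (start, _) in enumerate(events):
            window = {d for t, d in events[i:] if t - start <= BURST_WINDOW}
            if len(window) >= BURST_MIN_DESTINATIONS:
                flagged[sub] = len(window)
                break
    return flagged


def shared_destinations(cdrs, home_prefix=HOME_PREFIX):
    """Foreign numbers reached by many different customers, each sending only
    a few messages: the 'repeated low-volume charges' pattern."""
    subs_per_dst = defaultdict(set)
    for sub, dst, _ in _parse(cdrs):
        if not dst.startswith(home_prefix):
            subs_per_dst[dst].add(sub)
    return {d: len(s) for d, s in subs_per_dst.items() if len(s) >= SHARED_MIN_SUBSCRIBERS}
```

Either signal alone is noisy; a destination that appears in both outputs is the strongest candidate for correlation with web lures and for blocking at the carrier level.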
For crypto-related scam detection, teams should monitor:
- Fake airdrop domains
- Wallet-drainer landing pages
- Unauthorized wallet connection prompts
- Fake celebrity endorsement campaigns
- Social media ads promoting unrealistic returns
- Deepfake investment videos
- Lookalike domains imitating legitimate platforms
The Role of Incident Response Planning
This campaign reinforces that incident response planning should include fraud, mobile devices, and social engineering operations.
Many organizations prepare for ransomware, phishing, endpoint compromise, and cloud account takeover.
Fewer prepare for SMS fraud, malicious ad redirects, fake CAPTCHA scams, or crypto wallet-drainer exposure.
A modern response plan should define:
- How employees report fake CAPTCHA scams
- How mobile billing anomalies are investigated
- How corporate mobile devices are reviewed
- When international SMS blocking should be considered
- How suspicious domains are blocked
- How threat intelligence is shared internally
- How brand impersonation is escalated
- How telecom providers are contacted
- How finance teams handle billing disputes
- How users are warned during active campaigns
- How mobile and DNS logs are preserved
- How phishing and fraud cases are tracked together
The response should also clarify what to do when users are trapped in browser loops.
Employees should know to close the tab, close the browser, or restart the browser session rather than repeatedly pressing the back button.
That simple behavior can reduce further interaction with malicious pages.
The Role of Penetration Testing
Penetration testing can help organizations understand how fraud campaigns, redirect chains, and social engineering lures could affect employees and customers.
For this type of threat, testing should go beyond traditional network exploitation.
A strong assessment can examine:
- Employee susceptibility to fake CAPTCHA lures
- Mobile browser security controls
- DNS filtering effectiveness
- Secure web gateway detection
- Ability to block known TDS domains
- Detection of suspicious redirect chains
- Brand impersonation exposure
- Ad-driven phishing risk
- Mobile device management gaps
- User reporting processes
- Incident response readiness for fraud campaigns
A red team exercise can simulate a realistic social engineering chain.
For example:
- A user receives a link through an ad or message
- The link redirects through a TDS
- The landing page presents a fake verification page
- The user is asked to complete an unsafe action
- Security controls are tested for detection and blocking
- The help desk process is tested for user reporting
- The SOC measures response speed and containment
This kind of testing helps answer a practical question:
Would the organization detect and respond before the scam spreads?
Penetration testing can also help evaluate whether employees understand the difference between legitimate verification and suspicious requests.
No employee should ever be asked to send an SMS, run a command, paste code, install software, or connect a crypto wallet to prove they are human.
Protection and Mitigation Measures
Organizations should use layered protections to reduce exposure to fake CAPTCHA scams and TDS-driven fraud.
Train Users on Fake CAPTCHA Scams
Security awareness should include fake CAPTCHA examples.
Employees should know that CAPTCHA pages should not request SMS messages, command execution, software installation, browser notification approval, or wallet connections.
Block Malicious Domains
Use DNS-layer security, secure web gateways, and threat intelligence feeds to block known scam domains and TDS infrastructure.
Monitor Mobile Billing
Corporate mobile programs should monitor for unexpected international SMS charges and unusual message patterns.
Restrict International SMS Where Practical
If employees do not need international SMS capabilities, consider restrictions or carrier-level controls.
Use Mobile Threat Defense
Mobile security tools can help detect malicious redirects, unsafe domains, and suspicious browser behavior.
Harden Browser Security
Browsers and web gateways should be configured to reduce exposure to malicious redirects, pop-ups, and abusive browser behaviors.
Improve Brand Monitoring
Organizations should monitor for typo-squatted domains, fake ads, fake investment sites, and impersonation campaigns.
Educate Crypto Users
Users should be warned about fake airdrops, wallet-drainer sites, deepfake investment videos, and AI-themed investment scams.
Coordinate With Telecom Providers
Telecom providers can help investigate suspicious SMS charges, high-risk number ranges, and fraud patterns.
Test Detection Controls
Run controlled assessments to confirm that DNS filtering, web gateways, and mobile security tools detect suspicious redirect chains.
Key Takeaway
The fake CAPTCHA IRSF campaign shows how attackers can turn a familiar verification step into a global fraud mechanism.
By combining fake CAPTCHA pages, international SMS revenue abuse, traffic distribution systems, and back button hijacking, threat actors can trick users into sending costly messages to attacker-controlled numbers.
The Keitaro TDS abuse findings expand the risk further.
Traffic distribution systems are being used to support crypto wallet drainers, fake airdrops, AI-themed investment scams, and large-scale malicious campaign routing.
There is no CVE behind this campaign.
That does not make it less important.
The risk comes from deception, infrastructure abuse, telecom monetization, and user manipulation.
Organizations should train users, monitor mobile billing, block suspicious domains, review DNS-layer controls, prepare fraud response playbooks, and include fake CAPTCHA scenarios in penetration testing.
The message is simple:
A real CAPTCHA should verify a user.
It should never ask the user to send international SMS messages, connect a crypto wallet, install software, or perform an action that creates financial or security risk.