TechRadar
Sead Fadilpašić

'Unfortunately, it needs to be said: Do not send a text to confirm you are human': Experts reveal how fake CAPTCHAs are driving a global SMS scam campaign

  • Infoblox researchers expose long‑running CAPTCHA scam that tricks victims into sending costly international SMS messages
  • Victims can unknowingly send dozens of texts, incurring charges while attackers profit through telecom revenue sharing
  • The defense is simple: never send a text message to “prove you are human”

Fake CAPTCHAs are not just about copying and pasting links to malware - they can also be about sending an SMS to an international number and being charged a whole lot for the privilege.

Security researchers from Infoblox recently published an in-depth report about an “underreported” type of CAPTCHA scam.

This particular campaign has been active since at least June 2020 and has been tricking people into sending SMS messages through social engineering and browser back button hijacking. During their research, they found 35 phone numbers in 17 different countries.

Multiple SMS messages

"The fake CAPTCHA has multiple steps, and each message crafted by the site is preconfigured with over a dozen phone numbers, meaning the victim isn't charged for just a single message – they're charged for sending SMSs to over 50 international destinations," researchers David Brunsdon and Darby Wise wrote in their report.

One of the reasons why this sort of scam hasn’t been that widely reported is likely because of delayed billing, they added. International SMS charges are only a problem a few weeks later, when the bill arrives, and by then, “the experience with the fake CAPTCHA has been long forgotten.”

Another vital part of the operation is the malicious traffic distribution system (TDS), which redirects victims to these landing pages.

Here is how it works: a commercial TDS redirects a victim to a malicious website that requires the person to “confirm they are human” by sending an SMS. When the victim taps the button, the page uses built-in mobile features to open the SMS app with the number and message already filled in. The numbers are leased by the attackers.

The process then continues, and each subsequent step asks for another “confirmation”, triggering further SMS messages to different numbers. In the process, victims may end up sending as many as 60 SMS messages to 15 different numbers, racking up charges of up to $30. That may not sound like much, but this is a game of large numbers - with thousands of users falling victim, the figures quickly add up.
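The flow described above relies on the page handing the phone's messaging app a number and message. A defender can look for the same pattern in web content: many `sms:` links carrying a prefilled body and pointing at a large set of foreign numbers. The following scanner is an added example and is not code from Infoblox or TechRadar; it assumes the landing page uses standard `sms:` URIs (RFC 5724), and the `home_cc`, `foreign_threshold` values and the `+999` sample numbers are constructed placeholders for illustration.

```python
# Added example (not from the Infoblox report or the article): a defensive
# scanner that flags pages whose sms: links carry a prefilled body and target
# many distinct foreign recipients. The use of sms: URIs is an assumption.
from html.parser import HTMLParser
from urllib.parse import unquote


class SmsLinkCollector(HTMLParser):
    """Collect every <a href> that uses the sms: scheme."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value and value.strip().lower().startswith("sms:"):
                self.links.append(value.strip())


def parse_sms_uri(uri):
    """Split an sms: URI into (recipient list, body or None).

    RFC 5724 uses 'sms:<r1>,<r2>?body=...'; older iOS accepted '&body='
    directly after the recipients, so both separators are handled.
    """
    rest = uri[len("sms:"):]
    cut = len(rest)
    for sep in ("?", "&"):
        pos = rest.find(sep)
        if pos != -1:
            cut = min(cut, pos)
    recipients, query = rest[:cut], rest[cut + 1:]
    numbers = [unquote(r).strip() for r in recipients.split(",") if r.strip()]
    body = None
    for part in query.split("&"):
        if part.lower().startswith("body="):
            body = unquote(part[len("body="):])
    return numbers, body


def assess_page(html, home_cc="+1", foreign_threshold=3):
    """Score a page; home_cc and foreign_threshold are assumed tuning values."""
    collector = SmsLinkCollector()
    collector.feed(html)
    recipients, foreign = set(), set()
    prefilled_links = 0
    for link in collector.links:
        numbers, body = parse_sms_uri(link)
        if body:
            prefilled_links += 1
        for number in numbers:
            digits = number.replace(" ", "").replace("-", "")
            recipients.add(digits)
            # Only E.164 numbers outside the home country count as foreign.
            if digits.startswith("+") and not digits.startswith(home_cc):
                foreign.add(digits)
    suspicious = prefilled_links > 0 and len(foreign) >= foreign_threshold
    return {
        "sms_links": len(collector.links),
        "prefilled_links": prefilled_links,
        "distinct_recipients": len(recipients),
        "foreign_recipients": len(foreign),
        "suspicious": suspicious,
    }


# Constructed sample resembling a multi-step "confirm you are human" flow.
# The +999 numbers are placeholders (an unassigned country code), not real ones.
SAMPLE_PAGE = """
<p>Step 1 of 3: confirm you are human</p>
<a href="sms:+99900000001,+99900000002,+99900000003?body=CONFIRM%20a1b2">Confirm</a>
<a href="sms:+99900000004,+99900000005&amp;body=CONFIRM%20a1b2">Continue</a>
<a href="sms:+99900000006?body=CONFIRM%20a1b2">Finish</a>
"""

# Constructed benign page: one domestic number, no prefilled body.
BENIGN_PAGE = '<a href="sms:+15551234567">Text our support line</a>'

if __name__ == "__main__":
    print(assess_page(SAMPLE_PAGE))   # suspicious: True
    print(assess_page(BENIGN_PAGE))   # suspicious: False
```

The check deliberately keys on the combination of a prefilled body and a spread of foreign recipients rather than on `sms:` links alone, since a single support-line link is common on legitimate sites; the thresholds are placeholders to be tuned against real traffic.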

The victims in this campaign are both the end users and the telecoms, Infoblox concluded. Users, for obvious reasons, and telecoms - by paying revenue share to the perpetrators, as well as by sorting out chargebacks and customer refund requests.

Defending against the scam is simple, however. “Unfortunately, it needs to be said,” Infoblox stressed. “Do not send a text to confirm you are human.”
