Fake CAPTCHA scam makes phones send costly international SMS
Fake CAPTCHA pages prompt users to open their SMS app, sending dozens of international texts in the background and generating high charges in an International Revenue Share Fraud scheme.
Researchers documented a campaign that lures mobile users to web pages that mimic image‑selection or quiz CAPTCHAs. The pages prompt visitors to tap a button that opens the phone’s messaging app with a prefilled message and a long recipient list. When users send those messages, the activity generates international SMS charges.
Victims typically arrive via malvertising and traffic‑distribution redirects, often from domains that imitate telecom companies. Each prefilled message is configured to send to more than a dozen numbers across about 17 countries with high termination fees, including Azerbaijan, Myanmar and Egypt. The fake CAPTCHA sequence runs through multiple steps, with each step triggering additional messages. On a typical consumer plan, those sends can add roughly $30 to an individual bill.
The pages use JavaScript to rewrite browser history so the back button returns users to the scam page instead of letting them leave. The operation is linked to an affiliate network that advertises Click2SMS and carrier billing options, converting termination fees into revenue shares for operators and publishers.
The scheme does not require installation of malware, allowing ordinary web traffic to be converted into paid SMS traffic without leaving a traditional infection footprint. Consumers receive unexpected premium international SMS charges that can be difficult to trace. Carriers may incur termination costs and face disputes or chargebacks.
Researchers note that legitimate CAPTCHAs run entirely in the browser and do not open a phone’s SMS or dialer app. Mobile users should check bills for unfamiliar international SMS charges and contact their provider to dispute suspicious items or to block international and premium SMS services. Mobile security tools that block known malicious sites can reduce exposure.
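As an added example (not code from the researchers or this article), the check below statically triages page source for the behaviours described above: an `sms:` link carrying many recipients and a prefilled body, plus history rewriting that pins the back button. The recipient threshold, function names and sample pages are assumptions constructed for illustration.

```javascript
// Added example: static triage of page source (defensive check, constructed data).
const MAX_RECIPIENTS = 1; // assumption: a genuine "text us" link targets one number

const safeDecode = (s) => { try { return decodeURIComponent(s); } catch { return s; } };

// Pull out sms:/smsto: URIs (RFC 5724 style) with their recipients and body.
function extractSmsLinks(source) {
  const re = /\bsms(?:to)?:([^"'\s<>?]*)(?:\?([^"'\s<>]*))?/gi;
  return [...source.matchAll(re)].map((m) => {
    const recipients = [...new Set(
      safeDecode(m[1]).split(/[,;]/).map((r) => r.trim()).filter(Boolean))];
    const params = new URLSearchParams((m[2] || '').replace(/&amp;/g, '&'));
    return { recipients, body: params.get('body') || '' };
  });
}

function triagePage(source) {
  const links = extractSmsLinks(source);
  const maxRecipients = Math.max(0, ...links.map((l) => l.recipients.length));
  const multi = maxRecipients > MAX_RECIPIENTS;
  // pushState/replaceState plus a popstate handler is also normal SPA routing,
  // so it only corroborates a multi-recipient finding and never flags alone.
  const historyTrap = /history\.(?:pushState|replaceState)\s*\(/.test(source) &&
    /\bpopstate\b/.test(source);
  const reasons = [];
  if (multi) reasons.push(`sms link with ${maxRecipients} recipients`);
  if (multi && links.some((l) => l.body)) reasons.push('prefilled message body');
  if (multi && historyTrap) reasons.push('back-button history rewriting');
  return { smsLinks: links.length, maxRecipients, historyTrap, suspicious: multi, reasons };
}

// Constructed samples; the numbers are placeholders, not campaign indicators.
const SAMPLE_FAKE_CAPTCHA = `
<button onclick="location.href='sms:+000000000001,+000000000002,+000000000003?body=VERIFY%201'">
I am not a robot</button>
<script>history.pushState(null, '', location.href);
addEventListener('popstate', () => history.pushState(null, '', location.href));</script>`;
const SAMPLE_CONTACT_PAGE = `<a href="sms:+000000000009">Text support</a>`;

console.log(triagePage(SAMPLE_FAKE_CAPTCHA));
console.log(triagePage(SAMPLE_CONTACT_PAGE));
```

A static scan like this misses recipient lists assembled at runtime, so it complements rather than replaces dynamic analysis of what the page hands to the messaging app.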
Domains tied to the campaign include sweeffg[.]online, colnsdital[.]com, zawsterris[.]com, megaplaylive[.]com and ruelomamuy[.]com. One observed domain, ruelomamuy[.]com, is blocked by some security vendors.
International Revenue Share Fraud, also called SMS pumping, inflates message volume to destinations with high termination fees and routes a share of those fees back to operators through affiliate and carrier billing arrangements.



