Fake CAPTCHA campaign uses SMS pumping fraud to run up mobile bills
A fake CAPTCHA campaign is tricking mobile users into sending international SMS messages that can add unexpected charges to their phone bills.
The scam does not install malware or take full control of the phone. Instead, it uses social engineering, web redirects, and telecom billing rules to turn a routine “prove you are human” step into revenue for fraud operators.
Researchers say one completed flow can trigger up to 60 international SMS messages across 15 numbers, with possible charges of about $30 on a standard consumer plan.
How the fake CAPTCHA scam works
The attack starts when users land on a fake CAPTCHA page after clicking through malvertising, traffic distribution systems, or typosquatted telecom-looking domains.
The page looks like a normal verification step. It may show image-selection prompts or simple quiz-style screens that users already associate with legitimate CAPTCHA checks.
When the user taps the continue button, the phone’s SMS app opens with a message and recipient list already filled in. The user still has to send the message, but the page makes the action look like part of the verification process.
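A web filter or page scanner can look for the prefilled-SMS step described above. The following is an added example, not code from the researchers or from this article: it assumes the page uses RFC 5724 `sms:` links, `home_cc` is a hypothetical parameter for the subscriber's country code, and the sample page and its numbers are constructed.

```python
import re
from urllib.parse import unquote

# RFC 5724 form: sms:<number>[,<number>...]?body=<text>. Accepting "&" or ";"
# before body is an assumption made here to tolerate platform variants.
SMS_URI = re.compile(
    r"""(?<![\w-])sms:(?://)?([^"'\s<>?&;]*)(?:[?&;]body=([^"'\s<>&]*))?""",
    re.IGNORECASE)

def _digits(number):
    """Keep a leading '+' and the digits only, so formatting does not matter."""
    number = number.strip()
    return ("+" if number.startswith("+") else "") + re.sub(r"\D", "", number)

def scan_sms_links(page_source, home_cc="1"):
    """Return one finding per sms: link found in HTML or inline script."""
    findings = []
    for match in SMS_URI.finditer(page_source):
        raw = unquote(match.group(1)).split(",")
        recipients = [d for d in map(_digits, raw) if d.strip("+")]
        if not recipients:
            continue
        body = unquote(match.group(2) or "")
        foreign = [r for r in recipients
                   if r.startswith("+") and not r.startswith("+" + home_cc)]
        reasons = []
        if len(recipients) > 1:
            reasons.append("multiple_recipients")
        if foreign:
            reasons.append("international_recipient")
        if body:
            reasons.append("prefilled_body")
        # Several recipients plus an international number is the pattern the
        # article describes; a single domestic support number is left alone.
        if len(recipients) > 1 and foreign:
            verdict = "block"
        else:
            verdict = "review" if reasons else "allow"
        findings.append({"recipients": recipients, "body": body,
                         "reasons": reasons, "verdict": verdict})
    return findings

# Constructed sample: one ordinary support link, one fake-CAPTCHA style button.
SAMPLE_PAGE = """
<a href="sms:+12025550123">Text support</a>
<button onclick="location.href='sms:+99900000001,+99900000002,%2B99900000003?body=VERIFY%201234'">Continue</button>
"""
```

The prefix test treats every `+1` number as domestic, so a production filter would need the carrier's own rating table to decide which destinations are billed as international.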
At a glance
| Category | Details |
|---|---|
| Threat type | Fake CAPTCHA and SMS pumping fraud |
| Fraud model | International Revenue Share Fraud |
| Main target | Mobile users browsing the web |
| Delivery path | Malvertising, TDS redirects, and typosquatted domains |
| Observed scale | 35 phone numbers across 17 countries |
| Possible SMS volume | Up to 60 messages after four fake CAPTCHA steps |
| Possible cost | About $30 per victim on a typical consumer plan |
| Malware required | No |
Why victims may not notice right away
The scam works partly because international SMS charges may not appear immediately. A victim may forget about the fake CAPTCHA by the time the bill arrives weeks later.
The charge may also look small enough to miss during a quick bill review. That helps the operation stay quiet, especially when many victims each lose a relatively small amount.
For the attackers, the money comes from scale. A few dollars from one phone bill may not seem large, but thousands of completed CAPTCHA flows can create meaningful revenue.
What International Revenue Share Fraud means
International Revenue Share Fraud, also called IRSF, abuses the way telecom operators pay fees to complete international calls or messages.
Fraudsters lease or control phone numbers in destinations with higher termination fees. When victims send messages to those numbers, telecom billing systems generate fees, and part of that money can flow back through revenue-sharing arrangements.
In this campaign, fake CAPTCHA pages create artificial SMS traffic to those numbers. The victim pays the charge, while the fraud operator profits from the inflated message volume.
How users reach the fake CAPTCHA pages
- A user visits a typo-style domain that resembles a telecom brand or another familiar service.
- The site redirects the user through a Traffic Distribution System.
- The redirect chain sends suitable users to a fake CAPTCHA page.
- The page asks the user to confirm they are human by sending an SMS.
- The SMS app opens with the message and recipients already filled in.
- The user sends messages across multiple fake CAPTCHA steps.
- International SMS charges appear later on the phone bill.
Back-button hijacking keeps users trapped
The campaign also uses back-button hijacking to keep users inside the fake verification flow.
This technique manipulates the browser history so pressing the back button does not return the user to the previous page. Instead, the browser reloads the scam page or redirects the user back into the same flow.
That extra pressure increases the chance that a user will finish the fake CAPTCHA process rather than simply leaving.
Why this is different from normal ClickFix attacks
Many recent fake CAPTCHA attacks use ClickFix tactics to trick users into copying and running commands that install malware or steal data.
This campaign follows the same social engineering pattern, but the goal is different. It does not need the victim to install an app or run code.
The attacker only needs the victim to send prefilled SMS messages. That makes the scam easier to run across mobile browsers and harder for traditional anti-malware tools to catch.
Warning signs to watch for
| Warning sign | Why it matters |
|---|---|
| A CAPTCHA opens your SMS app | Legitimate CAPTCHA checks should not ask you to send text messages. |
| Prefilled international numbers | This can indicate SMS pumping or premium-rate fraud. |
| The back button does not work | The page may be using browser history manipulation to trap you. |
| The domain looks slightly wrong | Typosquatted domains often imitate real brands to gain trust. |
| The page repeats verification steps | Multiple steps can generate multiple SMS charges. |
Domains linked to the campaign
Security researchers listed several domains connected to the redirect chain and fake CAPTCHA activity. Users and security teams should treat these as suspicious and block them where appropriate.
- sweeffg[.]online
- colnsdital[.]com
- zawsterris[.]com
- megaplaylive[.]com
- ruelomamuy[.]com
How users can protect themselves
Users should never send an SMS to prove they are human online. A legitimate CAPTCHA runs inside the browser and does not need access to the SMS app or phone dialer.
Mobile users should also review phone bills for unfamiliar international SMS charges. Small charges can matter, especially if they repeat across billing cycles.
If suspicious SMS charges appear, users should contact their carrier, dispute the charges, and ask about blocking international or premium SMS if they do not need those services.
What telecoms and organizations should do
- Monitor for unusual international SMS traffic spikes.
- Flag repeated messages to high-risk destination ranges.
- Review traffic linked to known fake CAPTCHA domains.
- Block malicious TDS and fake CAPTCHA infrastructure at DNS or web-filtering layers.
- Educate users that CAPTCHA checks should not open messaging apps.
- Offer customers easy controls to disable premium and international SMS.
- Investigate repeated billing disputes tied to similar destination countries or number ranges.
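The first two monitoring items above can be expressed as two checks over SMS billing records. This is an added example, not the researchers' or any carrier's tooling: the record layout `(timestamp, subscriber, destination)`, the thresholds, and the sample data (a scaled-down version of the four-step flow) are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def is_international(dest, home_cc="1"):
    """Assumption: any number outside the home country code is international."""
    return dest.startswith("+") and not dest.startswith("+" + home_cc)

def burst_subscribers(records, window=timedelta(minutes=10), min_msgs=10, min_dests=5):
    """Subscribers who sent many international SMS to many numbers in one window."""
    per_sub = defaultdict(list)
    for ts, sub, dest in records:
        if is_international(dest):
            per_sub[sub].append((ts, dest))
    flagged = {}
    for sub, events in per_sub.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            span = events[start:end + 1]
            dests = {d for _, d in span}
            best = flagged.get(sub, {"messages": 0})["messages"]
            if len(span) >= min_msgs and len(dests) >= min_dests and len(span) > best:
                flagged[sub] = {"messages": len(span), "destinations": len(dests)}
    return flagged

def shared_destinations(records, min_senders=3):
    """International numbers that several different subscribers all texted."""
    senders = defaultdict(set)
    for _, sub, dest in records:
        if is_international(dest):
            senders[dest].add(sub)
    return {d: len(s) for d, s in senders.items() if len(s) >= min_senders}

def build_sample():
    """Constructed records: three victims, one ordinary roamer, one domestic text."""
    t0 = datetime(2025, 1, 1, 12, 0)
    pumped = [f"+9990000000{i}" for i in range(1, 6)]
    records = []
    for v, sub in enumerate(["sub-A", "sub-B", "sub-C"]):
        for step in range(4):  # four fake CAPTCHA steps, 90 seconds apart
            for i, dest in enumerate(pumped):
                records.append((t0 + timedelta(hours=v, seconds=90 * step + i), sub, dest))
    records.append((t0, "sub-D", "+99911111111"))
    records.append((t0 + timedelta(days=1), "sub-D", "+99911111111"))
    records.append((t0, "sub-E", "+12025550123"))
    return records
```

Running both checks together matters: the burst check identifies affected customers for proactive refunds or blocks, while the shared-destination check surfaces the number ranges to rate-limit.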
Why this campaign matters
The campaign shows how scammers can turn familiar web habits into billing fraud. Users trust CAPTCHA prompts because they see them every day, and attackers use that trust to push them into a paid telecom action.
It also shows that fraud does not always need malware. A web page, a redirect chain, and a clever billing abuse model can cause financial loss without compromising the phone itself.
For users, the safest rule is simple: if a human verification page asks you to send a text message, close the page.
FAQ
SMS pumping fraud is a scheme where attackers generate large volumes of SMS traffic to specific phone numbers so they can profit from telecom revenue-sharing fees.
No. The reported campaign does not need to install malware. It tricks users into sending prefilled international SMS messages from their own phones.
Researchers observed flows that could generate up to 60 international SMS messages and cost about $30 on a typical consumer plan.
Yes. The scam abuses browser-to-SMS behavior that can open the phone’s messaging app with prefilled content on mobile devices.