Hackers use fake CAPTCHA pages to trigger costly international SMS fraud


Fake CAPTCHA pages are now doing more than wasting people’s time. Infoblox says some of them trick users into sending dozens of paid international text messages, turning a familiar verification step into a telecom fraud scheme known as international revenue share fraud, or IRSF.

The scam works because the page does not look obviously malicious. Infoblox says victims land on what appears to be a normal human verification flow, but instead of clicking images or typing characters, they are pushed into sending SMS messages to international numbers that generate revenue for the fraudster.

This is not a new fraud model: Infoblox says the campaign it traced has been active on the same network since at least June 2020. In one tested interaction, the fake CAPTCHA process generated 60 SMS messages to more than 50 international destinations, which could cost a victim about $30 in a single session.

How the fake CAPTCHA scam works

Infoblox says the campaign relies on a traffic distribution system, or TDS, to move users through several redirect layers before they reach the final malicious page. In one chain the company studied, the visit began on a lookalike domain impersonating a major US telecom brand, then passed through TDS nodes before landing on the fake CAPTCHA.

Once the victim reaches that page, the deception stays simple. Infoblox says the site presents a CAPTCHA-like task, but each click quietly sends a request back to the attacker’s server, which returns a prepared SMS body and a list of international phone numbers. The user’s phone then opens the messaging app with the text and recipients already filled in.

That design matters because it hides the real cost. Infoblox says the victim often thinks they are just completing one verification step, while the browser is actually preparing messages to dozens of high-fee destinations, including countries such as Azerbaijan, Egypt, and Myanmar.
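A defender-side check for the prefilled-message step described above, as an added example that is not code from Infoblox or this article: it scans page source or a captured server response for sms: links and flags any that address several international recipients at once. It assumes the messaging app is launched through an sms: URI (RFC 5724), which the article does not state; the function name, sample markup and phone numbers are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: the prefilled message is launched with an sms: URI in the RFC 5724
# form "sms:<number>,<number>?body=<text>"; the article does not name the mechanism.
SMS_URI = re.compile(r"""\bsms:([^"'\s<>?]+)(?:\?([^"'\s<>]*))?""", re.IGNORECASE)

# Dialing prefixes of the three destination countries the article names.
NAMED_PREFIXES = {"+994": "Azerbaijan", "+20": "Egypt", "+95": "Myanmar"}


def analyze_sms_links(content, home_prefix="+1"):
    """Return one finding per sms: URI found in page source or a server response."""
    findings = []
    for match in SMS_URI.finditer(content):
        recipients = [unquote(r).strip() for r in match.group(1).split(",") if r.strip()]
        body = ""
        for part in re.split(r"[&;]", match.group(2) or ""):
            key, _, value = part.partition("=")
            if key.lower() == "body":
                body = unquote(value)
        foreign = [r for r in recipients
                   if r.startswith("+") and not r.startswith(home_prefix)]
        reasons = []
        if len(recipients) > 1:
            reasons.append("multiple recipients")
        if foreign:
            reasons.append("international recipients")
        if body:
            reasons.append("prefilled body")
        findings.append({
            "recipients": recipients,
            "countries": sorted({name for r in foreign
                                 for prefix, name in NAMED_PREFIXES.items()
                                 if r.startswith(prefix)}),
            "body": body,
            "reasons": reasons,
            # A verification page has no reason to fan one tap out to foreign numbers.
            "suspicious": len(recipients) > 1 and bool(foreign),
        })
    return findings


# Constructed sample: a benign single-recipient link and a fan-out link (placeholder numbers).
SAMPLE_PAGE = (
    '<a href="sms:+15555550100">Text support</a>\n'
    '<a id="verify" href="sms:+9940000000001,+200000000002,+950000000003'
    '?body=VERIFY%204821">I am not a robot</a>'
)
```
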

Why this fraud is profitable

IRSF works by abusing revenue-sharing arrangements tied to premium or high-tariff international destinations. GSMA describes IRSF as a scheme in which attackers artificially inflate traffic to international premium-rate numbers and profit from the revenue-sharing model attached to those routes.

Infoblox says the criminals behind this campaign benefit from delayed billing. Many victims do not see the international SMS charges until weeks later, long after they have forgotten the CAPTCHA page that triggered them. That delay helps keep complaint volume low and makes attribution harder.

The fraud also hurts carriers, not just subscribers. Infoblox says telecom providers often absorb part of the loss during billing disputes while still paying out revenue tied to the fraudulent traffic, which means the scheme can damage both customers and operators at the same time.

What makes this campaign harder to escape

Infoblox says the operation uses back-button hijacking to keep victims trapped. If a user tries to leave the page, a script pushes the current URL back into browser history and sends the victim to the CAPTCHA flow again, making the experience much harder to exit with normal navigation controls.

Researchers say they first observed that back-button trap in January 2023. Infoblox also found 35 phone numbers across 17 countries tied to the campaign, which shows the infrastructure is broad enough that no single provider is likely to see the full picture on its own.

That wide spread is part of the reason IRSF remains difficult to fight. Infoblox says the same TDS-style infrastructure often used for scareware and malware delivery is now funneling users into SMS fraud at scale, blending telecom abuse with web-based traffic manipulation.

At a glance

| Item | What researchers found |
| --- | --- |
| Main lure | Fake CAPTCHA pages |
| Fraud type | International revenue share fraud, or IRSF |
| Research source | Infoblox Threat Intel |
| Possible cost per session | About $30 |
| Messages in one tested flow | Up to 60 SMS messages |
| Known number spread | 35 phone numbers across 17 countries |
| Key delivery method | Traffic distribution system redirects |
| Extra tactic | Back-button hijacking |

The table above reflects Infoblox’s April 23, 2026 research and GSMA’s description of IRSF as a premium-rate telecom fraud model.

What users and carriers should do

  • Never send an SMS message as part of a CAPTCHA or routine “prove you are human” test. Infoblox says no legitimate CAPTCHA should require that step.
  • Check mobile bills for unexplained international SMS charges, especially if you recently hit a suspicious verification page. Infoblox says billing delays often hide the scam until later.
  • Close the tab or force-close the browser if a CAPTCHA page keeps trapping you through redirects or back-button loops. Infoblox says this campaign uses browser-history manipulation to keep users in the flow.
  • Carriers should monitor for abnormal spikes in outbound international SMS traffic and suspicious concentrations toward known high-fee destinations. GSMA and other telecom fraud guidance describe real-time monitoring as a core IRSF defense.
  • Organizations should use DNS and threat-intelligence controls to block TDS infrastructure and known redirect domains before users ever reach the fake CAPTCHA stage. Infoblox specifically ties this campaign to malicious TDS routing.
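One way a carrier might implement the spike monitoring in the list above, as an added example rather than GSMA or Infoblox tooling: a sliding window over outbound SMS records that flags subscribers who send many international messages to many distinct numbers within minutes. The record layout, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Prefixes of the three destinations the article names; a carrier would load its
# own high-tariff list here (assumption: destinations are E.164 strings).
HIGH_FEE_PREFIXES = ("+994", "+20", "+95")


def flag_sms_bursts(records, home_prefix="+1", window=timedelta(minutes=10),
                    min_messages=20, min_destinations=10):
    """records: (timestamp, subscriber_id, destination) tuples for outbound SMS.

    Flags subscribers whose international SMS inside one sliding window reach both
    thresholds, and reports the largest such burst per subscriber.
    """
    per_subscriber = defaultdict(list)
    for ts, subscriber, dest in records:
        if not dest.startswith(home_prefix):        # keep international traffic only
            per_subscriber[subscriber].append((ts, dest))

    alerts = {}
    for subscriber, events in per_subscriber.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                           # slide the window forward
            burst = events[start:end + 1]
            destinations = {dest for _, dest in burst}
            if len(burst) < min_messages or len(destinations) < min_destinations:
                continue
            if subscriber not in alerts or len(burst) > alerts[subscriber]["messages"]:
                high_fee = sum(dest.startswith(HIGH_FEE_PREFIXES) for _, dest in burst)
                alerts[subscriber] = {
                    "messages": len(burst),
                    "destinations": len(destinations),
                    "high_fee_share": high_fee / len(burst),
                    "first_seen": burst[0][0],
                }
    return alerts


# Constructed records: sub-A mirrors the tested flow (60 SMS, 52 numbers, 3 minutes);
# sub-B texts one number abroad repeatedly; sub-C sends domestic SMS only.
T0 = datetime(2026, 1, 1, 12, 0, 0)
SAMPLE_CDRS = (
    [(T0 + timedelta(seconds=3 * i), "sub-A",
      f"{HIGH_FEE_PREFIXES[(i % 52) % 3]}555{i % 52:04d}") for i in range(60)]
    + [(T0 + timedelta(seconds=20 * i), "sub-B", "+445555550100") for i in range(25)]
    + [(T0 + timedelta(seconds=5 * i), "sub-C", "+15555550123") for i in range(40)]
)
```

Requiring many distinct destinations as well as volume keeps a subscriber who simply texts one contact abroad (sub-B in the sample) from being flagged.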

FAQ

What is IRSF?

IRSF stands for international revenue share fraud. It is a telecom fraud model where attackers generate traffic to high-cost destinations and collect part of the revenue through prearranged or abused revenue-sharing setups.

Why does a fake CAPTCHA ask for an SMS?

Because the SMS is the profit engine. Infoblox says the fake verification flow tricks the victim into sending prebuilt messages to many international numbers, which then create billable traffic.

Can one session really send that many texts?

Yes. Infoblox says one interaction in its testing triggered 60 SMS messages to more than 50 destinations, costing about $30.

How can users avoid this scam?

Do not send a text to complete a CAPTCHA, use caution with odd redirect chains, and review your bill for unexplained international SMS charges. Infoblox says bookmarked or directly typed destinations are safer than following suspicious lookalike links.
