The Trojan CAPTCHA: How Sophisticated SMS Fraud Hijacks Human Verification

In an era where “Prove You Are Not a Robot” has become a ubiquitous part of the web experience, threat actors are weaponizing this routine security check to facilitate a high-yield, silent international fraud scheme. By masquerading as legitimate CAPTCHA interfaces, attackers are orchestrating large-scale International Revenue Share Fraud (IRSF), turning a moment of user trust into a mechanism for draining mobile balances.

The attack vector typically begins with highly targeted typosquatting or lookalike domains. Once a user lands on these deceptive sites, they are routed through a sophisticated Traffic Distribution System (TDS). The TDS acts as a digital junction, analyzing the victim’s profile before funneling them toward a counterfeit CAPTCHA page designed specifically to trigger outbound messaging.

Unlike traditional CAPTCHAs that require cognitive tasks—like identifying traffic lights or typing characters—these fraudulent versions utilize a “mobile-native” deception. Users are prompted to “verify” their humanity by sending an SMS from their own device. Each interaction triggers the device’s native messaging application, pre-populating it with a message and a long list of international phone numbers. The victim, believing they are completing a simple security handshake, need only tap “send.”

A recent threat intelligence report highlights the sheer scale of this exploitation: attackers prioritize volume over complexity. In one documented session, a single “verification” sequence consisting of only four CAPTCHA steps successfully triggered 60 outbound SMS messages.

The targeting is surgical. The destinations span at least 17 different countries, specifically focusing on jurisdictions with high SMS termination fees, such as Azerbaijan, Egypt, Myanmar, the Netherlands, and Kazakhstan. By targeting these high-cost routes, the attackers maximize the revenue extracted from every single victim session.

Because international SMS charges are often bundled into monthly cycles or appear on delayed billing statements, there is a significant “detection lag.” This allows the fraudsters to operate for weeks before a user realizes their recent CAPTCHA interactions were actually costly international communications.

Deconstructing IRSF: The Economic Engine of the Scam

At its core, this operation is powered by International Revenue Share Fraud (IRSF). In this model, criminals lease or register phone numbers in high-fee or loosely regulated telecom markets and enter into fraudulent revenue-sharing agreements with local operators. When a victim sends an SMS to one of these numbers, the victim’s carrier pays a termination fee to the foreign operator, who then kicks back a portion of that fee to the fraudster.

While a single victim might only lose approximately $30 USD in unauthorized charges, the scalability of this method is immense. When applied to thousands of simultaneous sessions via automated botnets and TDS-driven traffic, the profit margins become astronomical.

This threat is part of a surging global trend of Artificially Inflated Traffic (AIT). Industry data suggests that AIT—which includes IRSF-generated messaging—is now among the most financially damaging forms of messaging fraud globally. It creates a massive “double-hit” for telecommunications providers: they must pay out revenue shares to bad actors while simultaneously absorbing the costs of customer refunds and dispute resolutions.

To evade detection, the campaign utilizes professional-grade TDS infrastructure—tools often used in legitimate digital marketing but repurposed here for scareware and ad fraud. In one observed chain, a user was redirected from a typosquatted telecom domain through multiple TDS nodes, landing on a fake CAPTCHA, which then redirected to a scam “gaming” or adult content site that continued to trigger SMS messages with every click.

The images demonstrate a partial sequence of this experience (Source : infoblox).
The images demonstrate a partial sequence of this deceptive experience (Source : infoblox).

Evidence suggests this isn’t a standalone scam but a highly organized Click2SMS affiliate ecosystem. URL parameters and cookies containing specific product IDs and affiliate codes indicate that different “vendors” within the criminal network are likely competing for traffic.

Furthermore, the attackers employ aggressive Back Button Hijacking via custom JavaScript. This technique manipulates the browser’s history API to prevent users from navigating away. If a victim attempts to press the “back” button, the script pushes a new entry into the history, effectively trapping the user in a loop that reloads the scam page.

JavaScript for back button hijacking (Source : infoblox).
JavaScript implementation used for back button hijacking (Source : infoblox).

Recognizing this growing nuisance, Google has officially classified back button hijacking as a malicious practice. The search giant is expected to implement stricter penalties for sites interfering with standard browser navigation starting in mid-2026.

Sophisticated Evasion and Infrastructure Patterns

The technical sophistication of this campaign is evident in its data-driven targeting. The infrastructure relies on complex cookie sets and URL parameters to fingerprint users based on country, language, ISP, and device type.

Code used to redirect non-targeted users to other fake CAPTCHA pages (Source : infoblox).
Client-side logic used to determine whether to keep a user in the SMS funnel or redirect them (Source : infoblox).

The client-side code monitors a successRate flag embedded in cookies. If a user is deemed “low value” or doesn’t meet specific demographic criteria, the code silently redirects them to a different fake CAPTCHA controlled by a different affiliate, ensuring no traffic is wasted.

Network forensics reveal that these domains are not random. DNS analysis shows dozens of subdomains following predictable naming conventions (e.g., “chat-tips,” “vids-auth”) and clustered within AS15699 (Adam EcoTech). This clustering, combined with common registrars, suggests a highly stable, long-standing operation that has likely been active since mid-2020.

To maintain as much legal deniability as possible, the sites often include deceptive “Terms of Service” at the footer. These fine-print sections might instruct users to “check international rates,” yet they conspicuously fail to mention that each “verification” step triggers multiple high-cost outbound messages.

Closing the Loop: For telecom operators and enterprise security teams, the fragmentation of this scheme—spread across multiple carriers and countries via TDS—makes it difficult to intercept. Combating this requires a multi-faceted approach: implementing real-time monitoring for unusual international SMS spikes, participating in cross-carrier intelligence sharing, and proactively identifying TDS-driven traffic chains before they reach the end user.

Related Articles

Back to top button