What appears to be a routine online security check is now being misused in a large-scale fraud operation, quietly turning users into participants in an international SMS scam without their awareness.
Hackers are using fake CAPTCHA pages to run a global scheme based on international revenue share fraud (IRSF). Victims are redirected through scam domains and traffic distribution systems (TDS) to fake CAPTCHA pages that mimic legitimate verification steps.
Instead of solving puzzles, users are repeatedly asked to “confirm” they are human by sending SMS messages. Each step opens the phone’s SMS app with pre-filled messages and multiple international numbers. Users only need to tap send.
The fraud depends on volume. In one case, 4 CAPTCHA steps triggered 60 SMS messages in a single session. These messages are sent to numbers across at least 17 countries, including Azerbaijan, Egypt, Myanmar, the Netherlands, and Kazakhstan, where SMS termination fees are high, increasing profits.
Charges often appear weeks later, making it difficult for users to link them to the CAPTCHA activity.
IRSF and how the scam works
The scheme uses IRSF, where fraudsters control or lease premium-rate numbers in high-fee regions. When victims send SMS messages, telecom operators pay termination fees to foreign carriers, who share revenue with the attackers.
A single victim may lose about 30 USD, but at scale, the fraud becomes highly profitable.
This is part of a larger issue called artificially inflated traffic (AIT), now considered the most financially damaging messaging fraud globally. Around 50% of telecom operators report high losses and heavy fraudulent traffic.
Telecom companies face double losses, as they pay fraudsters and later refund customers who dispute charges.
How the scam spreads and traps users
The operation uses TDS infrastructure often linked to ad fraud, scareware, and malware. Victims may pass through multiple redirects before landing on fake CAPTCHA pages and then scam “gaming” or adult-content sites that keep triggering SMS actions.
Special JavaScript is used for back button hijacking. When users try to go back, the page reloads another scam, trapping them unless they close the browser.
Google has labeled this as a “malicious practice” and will penalize such sites starting mid-2026.
Tracking and long-running network
The scam tracks users using cookies and URL data, including location, device type, ISP, and campaign IDs. Systems decide whether to keep users engaged or redirect them to new scam pages.
Investigations show clusters of domains hosted on limited IP ranges, indicating a coordinated operation active since at least mid-2020.
Misleading “terms of service” are added to appear legitimate, hiding the fact that each step sends multiple international SMS messages.
Due to fragmented operations across countries and carriers, the fraud remains hard to detect and has continued for years.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream LinkedIn | The Mainstream Facebook | The Mainstream Youtube | The Mainstream Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
