Cybercriminals Use Fake CAPTCHA to Conduct Costly Global SMS Fraud Scheme

In an alarming development, cybercriminals have devised a scheme that manipulates the familiar CAPTCHA verification process to defraud unsuspecting users. By creating counterfeit CAPTCHA pages, these attackers trick individuals into sending premium international SMS messages, resulting in unauthorized charges on their phone bills. This fraudulent activity is linked to a telecom scam known as International Revenue Share Fraud (IRSF), which has been operational since at least June 2020.

Understanding the Scheme

CAPTCHA tests are widely used online to distinguish human users from automated bots, typically involving tasks like selecting specific images or typing distorted text. Cybercriminals have exploited this routine by designing fake CAPTCHA pages that instruct users to send an SMS message as a form of verification. Unbeknownst to the victims, these messages are sent to premium-rate international numbers in countries with high termination fees, such as Azerbaijan, Egypt, and Myanmar. Each message generates revenue for the fraudsters, who have prearranged profit-sharing agreements with local telecom carriers. Victims often remain unaware of the fraud until they receive inflated phone bills weeks later.

Mechanics of the Attack

The fraudulent process begins when users are directed to a website that mimics a legitimate verification page. Instead of a standard CAPTCHA challenge, the page prompts users to send an SMS to prove they are human. When the user follows the prompt, the device opens its messaging app with the recipient number and message text already filled in by the page. Believing this to be a routine verification step, the victim taps send and incurs the charges.

Further complicating the issue, the campaign employs a Traffic Distribution System (TDS) to obscure the origin of the malicious pages. This system reroutes web traffic through multiple layers before landing users on the deceptive CAPTCHA page, making it challenging for security researchers and automated detection systems to trace and block the fraudulent activity.

Scope and Impact

Research indicates that a single interaction with one of these fake CAPTCHA pages can trigger up to 60 international SMS messages to over 50 destinations, costing the victim approximately thirty dollars in one session. While this amount may seem modest individually, the cumulative effect across potentially millions of victims results in substantial profits for the cybercriminals.

The fraud not only affects individual users but also imposes financial burdens on telecom providers, who often absorb losses from customer disputes while still paying out the termination revenue that flows to the fraudsters. Investigations have identified 35 phone numbers across 17 countries involved in this campaign, with the infrastructure remaining on the same network since June 2020. The widespread nature of the operation makes it exceedingly difficult for any single provider to detect and mitigate the full extent of the fraud.
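The traffic pattern described above (one session producing dozens of international SMS to dozens of distinct numbers within minutes) is detectable on the carrier side from ordinary outbound SMS records. The following is an added example, not code from the article or from any provider; the record format, the home country code (+1) and the sample traffic are all constructed.

```javascript
// Added example (not the article's code): carrier-side detection of the SMS burst
// described above. Constructed record format: subscriber,ISO timestamp,E.164 destination
const HOME_PREFIX = "+1";                     // assumed home country code
const COUNTRY_CODES = ["+994", "+20", "+95"]; // Azerbaijan, Egypt, Myanmar
function buildSampleLog() {                   // constructed sample traffic
  const base = Date.parse("2024-03-01T10:00:00Z");
  const lines = [];
  // Victim session: 60 messages to 50 distinct international numbers in ~3 minutes.
  for (let i = 0; i < 60; i++) {
    const k = i % 50;
    const dest = `${COUNTRY_CODES[k % 3]}5000${String(k).padStart(3, "0")}`;
    lines.push(`sub-1001,${new Date(base + i * 3000).toISOString()},${dest}`);
  }
  // Benign subscriber: one domestic text and one international text.
  lines.push(`sub-1002,${new Date(base + 1000).toISOString()},+15550001111`);
  lines.push(`sub-1002,${new Date(base + 90000).toISOString()},+442079460000`);
  return lines;
}
function parseRecord(line) {
  const [subscriber, ts, dest] = line.trim().split(",");
  return { subscriber, ts: Date.parse(ts), dest };
}

// Flag subscribers whose busiest sliding window holds at least minMessages
// international SMS to at least minDestinations distinct numbers.
function findIrsfBursts(lines, opts = {}) {
  const { windowMs = 10 * 60 * 1000, minMessages = 20, minDestinations = 10 } = opts;
  const bySubscriber = new Map();
  for (const line of lines) {
    const rec = parseRecord(line);
    if (Number.isNaN(rec.ts) || rec.dest.startsWith(HOME_PREFIX)) continue; // domestic: out of scope
    if (!bySubscriber.has(rec.subscriber)) bySubscriber.set(rec.subscriber, []);
    bySubscriber.get(rec.subscriber).push(rec);
  }
  const alerts = [];
  for (const [subscriber, recs] of bySubscriber) {
    recs.sort((a, b) => a.ts - b.ts);
    let best = { messages: 0, destinations: 0 };
    for (let start = 0, end = 0; end < recs.length; end++) {
      while (recs[end].ts - recs[start].ts > windowMs) start++; // slide window start forward
      const inWindow = recs.slice(start, end + 1);
      if (inWindow.length > best.messages) {
        best = { messages: inWindow.length, destinations: new Set(inWindow.map((r) => r.dest)).size };
      }
    }
    if (best.messages >= minMessages && best.destinations >= minDestinations) alerts.push({ subscriber, ...best });
  }
  return alerts;
}
```

Thresholds are deliberately well below the 60-message, 50-destination figure reported for this campaign so that smaller sessions are still caught; tune them against a provider's real baseline of international SMS per subscriber.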

Technical Aspects of the Deception

The fake CAPTCHA pages are designed to appear legitimate, often instructing users to perform tasks like identifying animals or selecting specific images. After each task, JavaScript code contacts the attacker’s server, which returns a list of international phone numbers and a pre-written message. The user’s device then opens the messaging app with the information pre-filled, requiring only a tap to send the message.

Additionally, the campaign uses back-button hijacking to trap users on the fraudulent page. When a user attempts to leave by pressing the back button, a script redirects them back to the CAPTCHA page, creating a loop that can only be broken by force-closing the browser. This tactic increases the likelihood of the user complying with the fraudulent instructions.
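Both behaviours described in this section, a page that hands the messaging app a prefilled international recipient and body, and a script that re-pushes history to defeat the back button, leave static fingerprints in the page source that a URL scanner or content filter can triage. The following is an added example, not the campaign's code or the article's; the page sample, the home country code (+1) and the verdict rule are constructed, and the sms: URI parsing follows the RFC 5724 form (comma- or semicolon-separated recipients, optional body parameter).

```javascript
// Added example (not the article's code): static triage of a fetched page for the
// two behaviours described above, an sms: link with prefilled recipients/body and a
// popstate + history.pushState back-button trap. SAMPLE_PAGE is constructed.
const SAMPLE_PAGE = `
<h2>Verify you are human</h2>
<p>Tap "Send" in your messaging app to continue.</p>
<a href="sms:+994500001234,+205000012345?body=VERIFY%20A1B2">I am not a robot</a>
<script>
  window.addEventListener("popstate", returnToCheck);
  history.pushState(null, "", checkUrl);
</script>`;

// RFC 5724 sms: URI, recipients separated by "," or ";", optional ?body= parameter.
const SMS_URI_RE = /sms:([+\d,;]+)(?:\?body=([^"'\s<>]*))?/gi;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // keep raw text on bad escapes
}

function extractSmsTargets(html) {
  const targets = [];
  for (const m of html.matchAll(SMS_URI_RE)) {
    targets.push({ recipients: m[1].split(/[,;]/).filter(Boolean), body: m[2] ? safeDecode(m[2]) : "" });
  }
  return targets;
}

function assessPage(html, homePrefix = "+1") {  // homePrefix: assumed home country code
  const targets = extractSmsTargets(html);
  const recipients = targets.flatMap((t) => t.recipients);
  const international = recipients.filter((r) => !r.startsWith(homePrefix));
  const prefilledBody = targets.some((t) => t.body.length > 0);
  const backButtonTrap = /popstate/.test(html) && /history\.pushState\s*\(/.test(html);
  const reasons = [];
  if (international.length) reasons.push(`sms: link to international number(s): ${international.join(", ")}`);
  if (prefilledBody) reasons.push("SMS body is prefilled by the page");
  if (backButtonTrap) reasons.push("popstate handler paired with history.pushState");
  // A "verification" page that pre-fills an international SMS is the campaign's core
  // pattern; an sms: link combined with a back-button trap is treated the same way.
  return { recipients, international, prefilledBody, backButtonTrap, reasons,
           suspicious: international.length > 0 || (targets.length > 0 && backButtonTrap) };
}

console.log(assessPage(SAMPLE_PAGE).reasons);
```

Regex triage over raw HTML misses numbers assembled at runtime (the article notes the list is fetched from the attacker's server after each task), so in practice this check complements, rather than replaces, behavioural sandboxing of the page.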

Broader Context and Related Threats

This IRSF scheme is part of a larger trend where cybercriminals exploit trusted web interfaces to deliver malware and conduct fraud. Similar tactics have been observed in various campaigns:

– Fake Cloudflare Verification Screens: Attackers have used counterfeit Cloudflare verification pages to deceive users into executing malicious code, exploiting the trust associated with legitimate security checks. ([cybersecuritynews.com](https://cybersecuritynews.com/hackers-use-fake-cloudflare-verification-screen/?utm_source=openai))

– Malicious Apps in Official Stores: Cybercriminal groups like VexTrio have infiltrated official app stores with malicious applications, often disguised as legitimate services, to harvest user data and generate revenue through subscription fraud. ([cybersecuritynews.com](https://cybersecuritynews.com/vextrio-hackers-attacking-users-via-fake-captcha-robots/?utm_source=openai))

– Fake Booking Confirmations: Sophisticated attacks have targeted travelers by presenting fake booking confirmation pages that require CAPTCHA verification, leading to the installation of information-stealing malware like LummaStealer. ([cybersecuritynews.com](https://cybersecuritynews.com/attack-via-booking-websites-installs-lummastealer/?utm_source=openai))

Protective Measures and Recommendations

To safeguard against such deceptive schemes, users are advised to:

1. Be Skeptical of Unusual Verification Requests: Legitimate CAPTCHA tests do not require sending SMS messages or executing commands. Any such request should be treated with suspicion.

2. Verify Website Authenticity: Before interacting with verification prompts, ensure the website’s URL is correct and that it uses secure connections (HTTPS).

3. Monitor Phone Bills Regularly: Regularly reviewing phone bills can help detect unauthorized charges early, allowing for prompt action.

4. Use Security Software: Employ reputable security software that can detect and block malicious websites and scripts.

5. Educate Yourself and Others: Staying informed about the latest cyber threats and sharing knowledge can help build a more resilient online community.

By remaining vigilant and adopting these protective measures, users can reduce the risk of falling victim to such sophisticated cyber fraud schemes.