The fake CAPTCHA and international SMS scam that steals users and operators

Published · 4 min reading time

Infoblox's research into a sophisticated phone fraud that combines fake CAPTCHAs and traffic distribution systems (TDS) reveals a multi-layer scam that not only deceives the end user but exploits the business rules of mobile operators to profit from the mass sending of high-rate international SMS.

In its operational form, the scam redirects victims from malicious ads or links to pages that simulate human verification; these pages orchestrate a chain of actions programmed to open the device's messaging application with pre-filled messages and numbers, leading to the sending of dozens of SMS to high-cost numbers located in multiple countries. Infoblox detected up to 35 issues in 17 countries and flows that can cause the sending of up to 60 messages after several "verifications," a situation that translates into charges that, although modest per user (e.g. ~30 USD), are highly profitable when multiplied at scale.

Image generated with AI.

What makes this campaign particularly dangerous is the convergence of two techniques: classic International Revenue Share Fraud (IRSF), which exploits termination and revenue-sharing agreements between operators, and the misuse of tracking/TDS platforms such as Keitaro to distribute, camouflage and scale malicious links. By operating as a cloaking and redirection layer, the TDS avoids early detection and allows scam operators to rotate numbers and messages to maximize revenue before being blocked.

TDS abuse also makes it easier for actors to reuse legitimate infrastructure (Keitaro servers, tracking accounts) for multiple malicious purposes: from delivering malware to investment scams and draining cryptocurrencies, often amplified by paid ads and social engineering techniques that include deepfakes and fake articles. Constable and other vendors have documented how these platforms can be purchased or exploited with compromised licenses, making them an all-in-one tool for large-scale campaigns.

The implications are twofold: on the one hand, users suffer unexpected charges on their bills that often appear weeks later and are difficult to link to a specific visit to a website; on the other hand, operators bear termination costs and face disputes and refunds, while a portion of the payment ends up in the hands of the fraudsters through revenue-sharing agreements with premium number administrators.

As immediate measures, users should take a preventive attitude: not interact with pop-up windows that ask them to "confirm with an SMS," close the browser (not just press back) if a page seems insistent, review and disable unnecessary permissions so that links cannot launch messaging applications without their consent, and use script and ad blockers that reduce the likelihood of being redirected. It is also recommended to review the mobile bill in detail and dispute suspicious charges with the operator as soon as possible.

Companies and mobile operators should improve the detection of abnormal termination patterns, share indicators of compromise between carriers and with regulatory agencies, and apply preventive blocks or limits for high-risk geographical ranges. In addition, providers of tracking and TDS solutions should strengthen usage controls, authenticate customers and monitor license abuse to prevent their products from becoming fraud platforms.
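The abnormal termination pattern operators are asked to look for, as an added example that is not from Infoblox or this article: a sliding-window check over constructed SMS call-detail records that flags a subscriber sending many international SMS to many distinct countries within minutes, the signature the fake-CAPTCHA flow leaves behind. The record format, the country-code table and the thresholds are assumptions for the demo, not any operator's real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOME_CC = "34"                  # assumed home-network country code
WINDOW = timedelta(minutes=10)  # sliding window over each subscriber's sends
MIN_MSGS = 20                   # international SMS in the window (assumed threshold)
MIN_COUNTRIES = 5               # distinct destination countries (assumed threshold)
# Partial E.164 country-code table for the demo (longest prefix wins); assumption.
COUNTRY_CODES = {"1", "7", "34", "44", "49", "81", "234", "254", "255", "263", "675", "880"}

def country_code(msisdn: str) -> str:
    digits = msisdn.lstrip("+")
    for n in (3, 2, 1):
        if digits[:n] in COUNTRY_CODES:
            return digits[:n]
    return "?"  # unknown prefix; counted as foreign

def parse_cdr(line: str):
    # Assumed record: "2024-05-01T10:00:00,+34600000001,+2347000000001" -> (ts, src, dst)
    ts, src, dst = line.strip().split(",")
    return datetime.fromisoformat(ts), src, dst

def flag_sms_bursts(lines):
    """Return {originator: (count, countries)} for subscribers whose international
    sends inside any WINDOW reach both thresholds; the largest window is kept."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_cdr(line)
        cc = country_code(dst)
        if cc != HOME_CC:
            by_src[src].append((ts, cc))
    flagged = {}
    for src, sends in by_src.items():
        sends.sort()
        j = 0
        for i in range(len(sends)):
            while j < len(sends) and sends[j][0] - sends[i][0] <= WINDOW:
                j += 1
            countries = {cc for _, cc in sends[i:j]}
            if j - i >= MIN_MSGS and len(countries) >= MIN_COUNTRIES:
                if src not in flagged or j - i > flagged[src][0]:
                    flagged[src] = (j - i, sorted(countries))
    return flagged

# Constructed CDRs: one victim pushed through repeated fake "verifications"
# (24 sends to six countries in four minutes) plus an ordinary subscriber.
PREMIUM = ["+2347000000001", "+2547000000001", "+2557000000001",
           "+2637000000001", "+6757000000001", "+8807000000001"]
T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_CDRS = [f"{(T0 + timedelta(seconds=10 * k)).isoformat()},+34600000001,{PREMIUM[k % 6]}"
               for k in range(24)] + ["2024-05-01T10:05:00,+34600000002,+34600000003",
                                      "2024-05-01T10:06:00,+34600000002,+447000000001"]
```

Running `flag_sms_bursts(SAMPLE_CDRS)` flags only the first subscriber (24 international SMS to six countries); the second, with one foreign send, stays below both thresholds.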

Image generated with AI.

For those who manage online advertising, it is key to audit campaigns and partners, demand transparency in the redirection chain and block creatives or domains that redirect to suspicious flows. Advertising platforms should accelerate the detection of ads that promote schemes with unrealistic promises (e.g. fake airdrops or returns guaranteed by AI) and limit the use of new unverified accounts.

This threat shows that even old techniques like IRSF evolve when combined with modern distribution tools and well-tuned social engineering. For more technical context on the nature of TDS fraud and abuse, see the work of Infoblox and the analyses of security vendors: Infoblox, Confessor and the general documentation on the IRSF phenomenon on Wikipedia.

In short, protection requires coordinated action: users must reduce their exposure and react quickly to suspicious charges; operators must improve monitoring and revenue-sharing policies; and advertising and tracking platforms must tighten access controls to prevent their services from being recycled in large-scale fraudulent campaigns. Without such coordination, these scams will remain profitable and persistent.
