- Infoblox researchers uncover long-running CAPTCHA scam tricking victims into sending expensive international SMS messages
- Victims can unknowingly send dozens of texts and incur charges, while attackers profit through telecom revenue sharing
- The defense is simple: never send a text to “prove you’re human”
Fake CAPTCHAs aren’t just about copying and pasting links to malware – they can also be about sending an SMS to an international number and getting charged a whole lot for the privilege.
Security researchers from Infoblox recently published an in-depth report on an “underreported” type of CAPTCHA scam.
This particular campaign has been active since at least June 2020, tricking people into sending SMS messages through social engineering and browser back button hijacking. During their research, they found 35 phone numbers in 17 different countries.
More SMS messages
“The fake CAPTCHA has multiple steps, and each message created by the site is preconfigured with over a dozen phone numbers, meaning the victim isn’t charged for just a single message — they’re charged to send SMS to over 50 international destinations,” researchers David Brunsdon and Darby Wise wrote in their report.
One of the reasons this kind of scam hasn’t been reported as widely is probably because of late billing, they added. International SMS rates are only an issue a few weeks later when the bill arrives, by which time “the fake CAPTCHA experience is long forgotten.”
Another important part of the effort is the malicious traffic distribution systems (TDS), which redirect the victim to these landing pages.
Here’s how it works: a commercial TDS redirects a victim to a malicious website that requires the person to “verify they’re human” by sending an SMS. When the victim presses the button, the site uses built-in mobile capabilities to open the SMS app with the number and message already filled in. The numbers are leased by the attackers.
The process then continues, with each subsequent step asking for another “confirmation”, triggering multiple SMS messages to different numbers. In the process, victims can end up sending as many as 60 text messages to 15 different numbers, racking up expenses of up to $30. That might not sound like much, but this is a game of big numbers – with thousands of users falling victim, the numbers add up quickly.
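A defender-side illustration of the flow above, added here as example code (it is not from the Infoblox report or the TechRadar article): the report says the page opens the SMS app with the number and message already filled in, and this example assumes that is done with the standard `sms:` URI scheme (RFC 5724), which is the usual way a web page does that. It scans a page for such links, pulls out every prefilled recipient, and flags the page when the recipients are several international numbers; the HTML and phone numbers are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of a multi-step "verify you're human" page. The numbers
# are made up for this example and are not from the Infoblox report.
SAMPLE_HTML = """
<h1>Step 1 of 3: confirm you are human</h1>
<a class="btn" href="sms:+44000000001,+55000000002?body=VERIFY%20A1B2">I'm not a robot</a>
<a class="btn" href="sms:+61000000003;body=VERIFY%20A1B2">Next</a>
<script>
  // step 3 fires from script rather than from a visible link
  function step3() { window.location = "sms://+81000000004?body=CONFIRM"; }
</script>
"""

# Matches an sms: URI in markup or script: recipients up to the first
# parameter separator, then the optional parameter part (body=...).
SMS_URI = re.compile(r"sms:(?://)?([^\s\"'<>?;&]*)([?;&][^\s\"'<>]*)?", re.I)


def parse_sms_uris(html):
    """Return a list of (recipients, body) tuples, one per sms: URI found."""
    found = []
    for recips, params in SMS_URI.findall(html):
        # RFC 5724 allows several comma-separated recipients in one URI
        numbers = [r.strip() for r in recips.split(",") if r.strip()]
        body = ""
        m = re.search(r"body=([^&;]*)", params, re.I) if params else None
        if m:
            body = unquote_plus(m.group(1))
        found.append((numbers, body))
    return found


def assess_page(html, home_cc="+1", max_foreign=1):
    """Flag a page that prefills SMS to more than max_foreign international numbers.

    home_cc is a heuristic: any E.164 number not starting with it counts as
    international, which is what turns a "free" verification text into a bill.
    """
    links = parse_sms_uris(html)
    distinct = sorted({n for numbers, _ in links for n in numbers})
    foreign = [n for n in distinct if n.startswith("+") and not n.startswith(home_cc)]
    return {
        "sms_links": len(links),
        "distinct_numbers": distinct,
        "international": foreign,
        "flagged": len(foreign) > max_foreign,
    }


if __name__ == "__main__":
    print(assess_page(SAMPLE_HTML))
```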
The victims of this campaign are both end users and telecommunications providers, Infoblox concluded. Users, for obvious reasons, and the providers – by paying revenue share to the perpetrators, as well as sorting out chargebacks and refund requests from customers.
However, it is simple to defend against the scam. “Unfortunately, it must be said,” Infoblox emphasized. “Don’t send a text to verify you’re human.”