
Financial Trap: New Fake CAPTCHA Scam Explodes Victims’ Phone Bills

Solving a CAPTCHA has become a mindless digital habit. We click traffic lights and crosswalks without a second thought. However, a dangerous new fraud campaign is turning this routine action into a financial hit.

Cybercriminals are now using fake CAPTCHA pages not to steal passwords but to make victims' phones send premium-rate international texts. The scheme, a form of International Revenue Share Fraud (IRSF) also called "SMS pumping", can leave a victim with around $30 in unexpected charges on a monthly mobile bill, all from a single "human verification" tap.


The Mechanism: How SMS Pumping Works

Identified by Malwarebytes analyst Pieter Arntz, this campaign needs no malware or browser exploit. It relies on "ClickFix"-style social engineering, a sequence of innocuous-looking instructions, to get users to run up charges on their own phone bills.

  • The Lure: Victims land on a fake CAPTCHA page via malvertising or typosquatted domains styled to look like legitimate telecom websites.
  • The Trigger: When the user taps "Verify" or "Continue", the page follows an sms: URI, which the mobile browser hands off to the phone's native messaging app.
  • The Payload: The sms: URI carries a pre-filled message body and a comma-separated list of international recipients, so the compose screen opens with everything already filled in. A single tap on Send is enough to dispatch a message to every listed number; by the time the user realizes what happened, dozens of texts have gone to high-cost destinations such as Azerbaijan, Myanmar, and Egypt.
  • The Profit: The attackers have revenue-sharing agreements with complicit international carriers. For every high-fee text terminated in these regions, a share of the billable charge flows back to the scammers.

Technical Traps: Hijacking the “Back” Button

To ensure users complete the “verification” process, the scammers employ aggressive browser tactics. Using JavaScript history hijacking, the page rewrites the browser’s history so that clicking the “Back” button simply reloads the scam. This traps the victim in a loop, encouraging them to click through multiple steps and send even more high-cost messages.

The campaign is powered by a Click2SMS-style affiliate network that markets its services to “shady” web publishers, essentially commoditizing telecom fraud for the masses.
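To make the two techniques above concrete, the sms: URI hand-off in the mechanism list and the Back-button trap in this section, here is an added example of a static triage script. It is my own code, not code from the Malwarebytes write-up or from the campaign, and it runs under Node.js with no dependencies. It assumes the page HTML has already been fetched into a string (the SAMPLE_PAGE below is constructed, not captured from a live site), that the home country code is +1, that the watchlist holds the dialing codes of the three destinations the article names (Azerbaijan +994, Myanmar +95, Egypt +20), and that the Back-button trap is built from history.pushState plus a popstate handler, which is the usual way this trick is implemented even though the article does not name the API.

```javascript
// Added example, not code from the Malwarebytes write-up or from the campaign itself:
// static triage of a page that abuses the sms: URI scheme and traps the Back button.
// Runs under Node.js with no dependencies.
//
// Assumptions (mine, not the article's):
//   - the page HTML has already been fetched into a string; SAMPLE_PAGE below is
//     constructed to mirror the described behaviour, not captured from a live site
//   - the "home" country code is +1, so any other E.164 prefix counts as international
//   - the watchlist holds the dialing codes of the three destinations the article
//     names: Azerbaijan (+994), Myanmar (+95), Egypt (+20)
//   - the Back-button trap is implemented with history.pushState plus a popstate
//     handler, the usual way this trick is done; the article does not name the API

const HIGH_COST_PREFIXES = { '994': 'Azerbaijan', '95': 'Myanmar', '20': 'Egypt' };

// Parse an sms: URI into recipients and body. RFC 5724 uses "?" before the body
// parameter; older iOS builds accepted "&", so both are treated as the query start.
// Returns null for anything that is not an sms: URI.
function parseSmsUri(uri) {
  const m = /^sms:(.*)$/i.exec(uri.trim());
  if (!m) return null;
  const rest = m[1];
  const q = rest.search(/[?&]/);
  const recipientPart = q === -1 ? rest : rest.slice(0, q);
  const query = q === -1 ? '' : rest.slice(q + 1);
  const recipients = recipientPart
    .split(',')
    .map(r => decodeURIComponent(r).replace(/[\s().-]/g, ''))
    .filter(Boolean);
  let body = '';
  for (const kv of query.split('&')) {
    const eq = kv.indexOf('=');
    const key = eq === -1 ? kv : kv.slice(0, eq);
    const val = eq === -1 ? '' : kv.slice(eq + 1);
    if (key.toLowerCase() === 'body') body = decodeURIComponent(val.replace(/\+/g, ' '));
  }
  return { recipients, body };
}

// Label one recipient: a watchlist country, 'international', or 'domestic'.
function classifyRecipient(number, homeCode = '1') {
  if (!number.startsWith('+')) return 'domestic'; // no country code: routed locally
  const digits = number.slice(1);
  const prefixes = Object.keys(HIGH_COST_PREFIXES).sort((a, b) => b.length - a.length);
  for (const p of prefixes) if (digits.startsWith(p)) return HIGH_COST_PREFIXES[p];
  return digits.startsWith(homeCode) ? 'domestic' : 'international';
}

// Extract every sms: href from the page and classify its recipients.
function findSmsLinks(html, homeCode = '1') {
  const links = [];
  const re = /href\s*=\s*["']?(sms:[^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const parsed = parseSmsUri(m[1]);
    if (!parsed) continue;
    const labels = parsed.recipients.map(r => classifyRecipient(r, homeCode));
    links.push({
      uri: m[1],
      recipientCount: parsed.recipients.length,
      body: parsed.body,
      foreign: labels.filter(l => l !== 'domestic'),
    });
  }
  return links;
}

// Back-button trap indicators: history entries being stacked and popstate being handled.
function historyTrapIndicators(html) {
  const found = [];
  if (/history\.pushState\s*\(/.test(html)) found.push('pushState');
  if (/(addEventListener\s*\(\s*['"]popstate['"]|onpopstate\s*=)/.test(html)) found.push('popstate');
  return found;
}

// Overall verdict for one page.
function triage(html, homeCode = '1') {
  const smsLinks = findSmsLinks(html, homeCode);
  const trap = historyTrapIndicators(html);
  return {
    smsLinks,
    historyTrap: trap.includes('pushState') && trap.includes('popstate'),
    // A legitimate CAPTCHA never opens the messaging app; more than one recipient,
    // or any international recipient, is the SMS-pumping signature.
    smsPumpingSuspected: smsLinks.some(l => l.recipientCount > 1 || l.foreign.length > 0),
  };
}

// Constructed sample page (not a real capture) mirroring the described behaviour.
const SAMPLE_PAGE = `<!doctype html><html><body>
<h1>Verify you are human</h1>
<a id="verify" href="sms:+994501234567,+959123456789,+201001234567?body=Verify%20code%2073919">Continue</a>
<script>
  for (var i = 0; i < 20; i++) history.pushState({}, '', location.href);
  window.addEventListener('popstate', function () { location.reload(); });
</script></body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_PAGE), null, 2));
}
```

Run it with `node triage.js` to see the verdict for the constructed page: one sms: link with three recipients, all in watchlist countries, plus both history-trap indicators. The same functions can be pointed at fetched HTML from a URL filter or sandbox; the key signal is behavioural (an sms: link with multiple or international recipients on a page posing as a CAPTCHA), which survives the domain rotation that makes blocklists go stale.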


Red Flags and Defensive Steps

Because nothing is installed on the device, endpoint antivirus has little to inspect. Protection depends on user vigilance, URL filtering, and carrier-level settings.

For Users:

  • The Golden Rule: Legitimate CAPTCHAs never require you to send an SMS. If a website tries to open your messaging app or dialer to “prove you’re human,” close the tab immediately.
  • Check Your Bill: Review your mobile statement for small, $1–$3 international charges. Scammers often rely on “micro-fraud” that goes unnoticed for months.
  • Block Premium SMS: Contact your carrier and ask to block “International” or “Premium” outgoing SMS if you do not use these services.

Domains to Avoid:

Security teams should block the following malicious domains associated with this campaign. Campaigns of this kind rotate infrastructure quickly, so treat the list as a starting point and also watch for the behaviour itself: sms: links carrying multiple or international recipients on pages posing as CAPTCHAs.

  • sweeffg[.]online
  • colnsdital[.]com
  • zawsterris[.]com
  • megaplaylive[.]com
  • ruelomamuy[.]com
