
Researchers at Infoblox say the campaign blends social engineering, telecom fraud, and traffic distribution systems to profit from each SMS a victim sends.
Fake CAPTCHA pages are already familiar in malware and phishing campaigns. However, this operation uses them for a different purpose: to make victims send premium international SMS messages under the false claim that texting is required to prove they are human.
Infoblox said the scheme has been active since at least June 2020 and that the actors built the process to look routine and harmless.
How the Scam Works
According to Infoblox, the victim lands on a fake CAPTCHA page after being routed through a traffic distribution system (TDS), often via a deceptive or lookalike website.
The TDS helps the operators target users, rotate infrastructure, and hide the final scam pages from defenders and automated analysis systems.
Once on the page, the user is shown several simple CAPTCHA-style prompts, such as basic image or text questions.
However, each step is designed to trigger the phone’s SMS app with a prefilled message and a list of international numbers. Infoblox said the victim is not asked to solve a difficult test; the real purpose is to generate as many billable messages as possible.
The researchers observed one case in which each step included more than a dozen destination numbers, and the full process produced 60 SMS messages.
In that test, the charges could reach about $30, and the cost often appeared on the phone bill weeks later, long after the user had forgotten the CAPTCHA page.
This campaign stands out because it combines telecom fraud with the same ad-tech and redirect infrastructure often used in malware delivery, scareware, and other web-based scams.
Infoblox said the TDS layer acts as both a traffic broker and a shield, allowing operators to scale fraud while making malicious landing pages harder to detect.
The scam also uses back-button hijacking to prevent victims from leaving the page. Infoblox found JavaScript that manipulates browser history so pressing the back button either reloads the same fake CAPTCHA or sends the user to another scam page, trapping them in a loop.
That tactic has drawn broader attention beyond security research. Google announced a new spam policy in April 2026 targeting back button hijacking and said enforcement will begin on June 15, 2026, calling the behavior a malicious practice that interferes with normal navigation.
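A defender-side static triage check for the two behaviours described above (bulk prefilled SMS links and history manipulation), added here as an example and not Infoblox's or the article's code. It assumes the pages open the SMS app through `sms:` URIs (RFC 5724); `RECIPIENT_THRESHOLD`, the function names and both sample pages are hypothetical and constructed for illustration.

```javascript
// Added example: triage of captured page source. Not Infoblox tooling.
// Assumption: the SMS app is opened via RFC 5724 `sms:` URIs.
const RECIPIENT_THRESHOLD = 5; // hypothetical cut-off; tune on your own data

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // keep malformed input as-is
}

// Split one sms: URI into its recipient list and optional prefilled body.
function parseSmsUri(uri) {
  const rest = uri.slice(4); // drop "sms:"
  const head = rest.split(/[?&]/)[0];
  const recipients = safeDecode(head).split(',').map(s => s.trim()).filter(Boolean);
  const bodyMatch = /[?&]body=([^&]*)/i.exec(rest);
  return {
    recipients,
    international: recipients.filter(r => /^(\+|00)\d/.test(r)).length,
    body: bodyMatch ? safeDecode(bodyMatch[1]) : null,
  };
}

// Summarise a page: how many messages it could trigger and whether it also
// touches browser history (a weak signal alone, since single-page apps do too).
function triagePage(source) {
  const links = (source.match(/\bsms:[^"'\s<>)]+/gi) || []).map(parseSmsUri);
  const bulk = links.filter(
    l => l.recipients.length >= RECIPIENT_THRESHOLD && l.body !== null);
  const historyTrap = /history\.(pushState|replaceState)\s*\(/.test(source) &&
                      /popstate/.test(source);
  return {
    smsLinks: links.length,
    bulkPrefilled: bulk.length,
    totalMessages: links.reduce((n, l) => n + l.recipients.length, 0),
    historyTrap,
    suspicious: bulk.length > 0,
  };
}

// Constructed samples; the numbers use an unassigned prefix.
const nums = Array.from({ length: 6 }, (_, i) => `+99000000000${i}`);
const SAMPLE_SCAM = `<a href="sms:${nums.join(',')}?body=VERIFY%201">Verify</a>
<script>history.pushState(null, '', '#step');
window.addEventListener('popstate', reshowPrompt);</script>`;
const SAMPLE_BENIGN = `<a href="sms:+990000000009">Text support</a>`;

console.log(triagePage(SAMPLE_SCAM), triagePage(SAMPLE_BENIGN));
```

`totalMessages` is the number a reviewer would compare against the 60 messages Infoblox counted across one full run.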
The post Cybercriminals Exploit CAPTCHA Pages To Drive SMS Charges appeared first on Cyber Security News.
