- Infoblox researchers reveal long-running CAPTCHA scam that tricks victims into sending expensive international text messages
- Victims may unknowingly send dozens of text messages, incurring fees while attackers profit from telecommunications revenue sharing.
- The defense is simple: never text to “prove you’re human”
Fake CAPTCHAs don’t just involve copying and pasting links to malware: they can also involve sending an SMS to an international number and paying a lot of money for the privilege.
Security researchers at Infoblox recently published a detailed report on an “under-reported” type of CAPTCHA scam.
This particular campaign has been active since at least June 2020 and tricks people into sending SMS messages via social engineering and browser back button hijacking. During their research, they found 35 phone numbers in 17 different countries.
Multiple text messages
“The fake CAPTCHA involves several steps, and each message the site writes is pre-configured with more than a dozen phone numbers, meaning the victim is not charged for a single message: they are charged for sending text messages to more than 50 international destinations,” researchers David Brunsdon and Darby Wise wrote in their report.
One reason this type of scam hasn’t been as widely reported is likely due to late billing, they added. International SMS charges don’t become an issue until a few weeks later when the bill arrives, and by then “the fake CAPTCHA experience is long forgotten.”
Another critical component of the operation is the malicious traffic delivery system (TDS) that redirects victims to these landing pages.
Here’s how it works: A commercial TDS redirects a victim to a malicious website that asks the person to “confirm they are human” by sending a text message. When the victim presses the button, the page uses the phone’s built-in messaging integration to open the SMS app with the destination number and message already filled in. The numbers are controlled by the attackers, who receive a share of the messaging revenue.
The process then continues, and each subsequent step asks for another “confirmation,” triggering further text messages to different numbers. In this way, victims can end up sending up to 60 SMS messages to 15 different numbers, incurring charges of up to $30. This may not seem like much, but it’s a numbers game: with thousands of victims, the totals add up quickly.
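The mechanism described above (a page that opens the SMS app with number and body pre-filled, one step after another) leaves a recognizable footprint in the page’s HTML. The following scanner is an added example, not code from the Infoblox report or from TechRadar: it extracts `sms:` links from a page, counts distinct destination numbers and pre-filled message bodies, and flags a page that would push a visitor into messaging several numbers. The sample HTML and the phone numbers in it are constructed placeholders, and the suspicion threshold is an assumed tuning value.

```javascript
// Added example (not from the article or the Infoblox report): scan page HTML
// for "sms:" links with pre-filled bodies and flag pages that would drive a
// visitor to text several distinct numbers. Constructed sample; the numbers
// below are placeholders, not real destinations.
const SAMPLE_HTML = `
<html><body>
<p>Confirm you are human</p>
<a href="sms:+0011234567890?body=CONFIRM%201">Step 1</a>
<a href="sms:+0019876543210?body=CONFIRM%202">Step 2</a>
<a href="sms:+0011234567890?body=CONFIRM%203">Step 3</a>
<a href="sms:+0015550001111&body=CONFIRM%204">Step 4</a>
<a href="https://example.invalid/next">Next</a>
</body></html>`;

// Matches href="sms:..." in single or double quotes (case-insensitive).
const SMS_HREF = /href\s*=\s*["']sms:([^"']+)["']/gi;

// Split an sms: target into its recipient list and its pre-filled body.
// Accepts the RFC 5724 "?body=" form and the "&body=" form some mobile
// browsers have accepted; recipients may be comma-separated.
function parseSmsTarget(target) {
  const m = target.match(/^([^?&]*)(?:[?&](.*))?$/);
  const numbers = m[1]
    .split(',')
    .map((n) => decodeURIComponent(n.trim()))
    .filter(Boolean);
  const params = new URLSearchParams(m[2] || '');
  return { numbers, body: params.get('body') || '' };
}

// Return every sms: link found in the HTML as { numbers, body }.
function extractSmsLinks(html) {
  const links = [];
  for (const match of html.matchAll(SMS_HREF)) {
    links.push(parseSmsTarget(match[1]));
  }
  return links;
}

// Summarize the page. A page is marked suspicious when it pre-fills message
// bodies and targets more than maxDistinctNumbers distinct recipients
// (threshold is an assumed tuning value, not from the report).
function assessPage(html, maxDistinctNumbers = 2) {
  const links = extractSmsLinks(html);
  const distinct = new Set();
  let prefilled = 0;
  for (const link of links) {
    link.numbers.forEach((n) => distinct.add(n));
    if (link.body) prefilled += 1;
  }
  // Numbers written in international "+" format are the ones most likely to
  // incur the cross-border charges the article describes.
  const international = [...distinct].filter((n) => n.startsWith('+')).length;
  return {
    smsLinks: links.length,
    prefilledBodies: prefilled,
    distinctNumbers: distinct.size,
    internationalNumbers: international,
    suspicious: prefilled > 0 && distinct.size > maxDistinctNumbers,
  };
}

console.log(JSON.stringify(assessPage(SAMPLE_HTML), null, 2));
```

In practice the same check can be run over the HTML a proxy or crawler fetches from a TDS landing page; a single `sms:` link on a contact page is normal, while a chain of pre-filled links to several international recipients is the pattern this campaign relies on.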
The victims of this campaign are both end users and telecom operators, Infoblox concluded. Users, for obvious reasons, and telecom operators because they pay a share of the revenue to the perpetrators and must also handle chargebacks and refund requests from customers.
However, defending yourself against this scam is simple. “Unfortunately, it must be said,” Infoblox stressed. “Don’t text to confirm you’re human.”