(infoblox.com) Fake CAPTCHA Pages Weaponized for International Revenue Share Fraud via SMS Scam Campaign

orlysec@swecyb.com

(infoblox.com) Fake CAPTCHA Pages Weaponized for International Revenue Share Fraud via SMS Scam Campaign

New IRSF campaign weaponizes fake CAPTCHA pages to trigger international SMS fraud, costing victims ~$30 per session. Active since 2020, it exploits TDS and carrier billing gaps across 17 countries.

In brief - Threat actors use typosquatting and fake CAPTCHA pages to force mobile users into sending premium SMS messages to 15+ international numbers, generating fraudulent termination fees. The operation targets victims via multi-hop TDS, defrauding both individuals and telecom carriers.

Technically - The attack chain involves a TDS (colnsdital[.]com → hotnow[.]sweeffg[.]online → zawsterris[.]com) redirecting to fake CAPTCHA pages on AS15699. JavaScript calls makeTrackerDownload.php to fetch phone number lists and control parameters (forceRedirectURL, forceMessage). Back button hijacking via pushState() traps users, while cookie tracking filters targets. A secondary tier of 20 Egyptian numbers is passed via base64 to megaplaylive[.]com, embedding additional SMS triggers in media playback.

Source: https://www.infoblox.com/blog/threat-intelligence/hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas/

#Cybersecurity #ThreatIntel