- Infoblox Researchers Expose Long-running CAPTCHA Scam That Tricks Victims into Sending Expensive International SMS Messages
- Victims can unknowingly send dozens of text messages, incurring charges, while attackers benefit from telecom revenue sharing.
- The defense is simple: never text to “prove you’re human.”
Fake CAPTCHAs are not just about copying and pasting links to malware: they can also involve sending an SMS to an international number, at a high price for the privilege.
Infoblox security researchers recently published a detailed report on a type of “unreported” CAPTCHA scam.
This particular campaign has been active since at least June 2020 and has been tricking people into sending SMS messages through social engineering and browser back button hijacking. During their investigation, they found 35 phone numbers in 17 different countries.
Multiple SMS messages
“The fake CAPTCHA has multiple steps, and each message crafted by the site is pre-configured with more than a dozen phone numbers, meaning the victim is not charged for a single message: they are charged for sending SMS to more than 50 international destinations,” researchers David Brunsdon and Darby Wise wrote in their report.
One of the reasons this type of scam has not been as widely reported is likely due to delayed billing, they added. International SMS charges are only a problem a few weeks later, when the bill arrives, and by then, “the experience with the fake CAPTCHA has been forgotten.”
Another vital part of the operation is the use of malicious traffic distribution systems (TDS), which redirect victims to these landing pages.
Here’s how it works: A commercial TDS redirects the victim to a malicious website that requires the person to “confirm they are human” by sending an SMS. When the victim taps the button, the page uses built-in mobile features to open the SMS app with the number and message already filled in. The attackers rent the numbers.
The process then continues with each subsequent step requesting another “confirmation”, resulting in multiple SMS messages to different numbers. In the process, victims can end up sending up to 60 SMS messages to 15 different numbers, racking up costs of up to $30. It may not seem like much, but this is a big numbers game: with thousands of users falling victim, the numbers quickly add up.
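The hand-off described above relies on the page linking to the phone's messaging app with recipients and message text pre-filled. As an added illustration, not from the Infoblox report or this article, the following Python parses a page's HTML for such links and flags the pattern of one canned message aimed at several international destinations; the sample page and every phone number in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample of a fake-CAPTCHA landing page: each "verify" button is an
# sms: link whose recipients and message body are already filled in (RFC 5724
# allows several comma-separated recipients). All numbers are placeholders.
SAMPLE_HTML = """
<h1>Verify you are human</h1>
<a href="sms:+10000000001?body=CONFIRM%2012345">I'm not a robot</a>
<a href="sms:+20000000002,+30000000003?body=CONFIRM%2012345">Continue</a>
<a href="https://example.invalid/next">Next step</a>
"""

class SmsLinkCollector(HTMLParser):
    """Collect hrefs of anchors that hand off to the phone's messaging app."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith(("sms:", "smsto:", "mms:")):
                self.links.append(value)

def parse_sms_uri(uri):
    """Split an sms:/smsto:/mms: URI into scheme, recipient list and body text."""
    scheme, rest = uri.split(":", 1)
    target, _, query = rest.partition("?")
    numbers = [n.strip() for n in target.split(",") if n.strip()]
    body = parse_qs(query).get("body", [None])[0]   # parse_qs also URL-decodes
    return {"scheme": scheme.lower(), "numbers": numbers, "body": body}

def analyse_page(html, max_destinations=1):
    """Flag a page that pre-fills SMS bodies to more than max_destinations numbers.
    One click-to-text link is normal; many international recipients sharing one
    canned message is the pattern the report describes."""
    collector = SmsLinkCollector()
    collector.feed(html)
    links = [parse_sms_uri(u) for u in collector.links]
    destinations = sorted({n for link in links for n in link["numbers"]})
    international = [n for n in destinations if n.startswith(("+", "00"))]
    prefilled = [link for link in links if link["body"]]
    return {"destinations": destinations,
            "prefilled_count": len(prefilled),
            "international_count": len(international),
            "suspicious": bool(prefilled) and len(international) > max_destinations}
```

Running `analyse_page` over crawled landing pages, or over the HTML a TDS redirect chain ends on, gives a cheap triage signal; a page that only offers a single click-to-text link is left unflagged.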
The victims of this campaign are both end users and telecommunications companies, Infoblox concluded: users for obvious reasons, and telecom operators because they pay a portion of the revenue to the perpetrators and must also handle chargebacks and refund requests from customers.
However, defending yourself against the scam is simple. “Unfortunately, it has to be said,” Infoblox stressed. “Don’t text to confirm you’re human.”