
Fake CAPTCHA Attacks Driving Global SMS Fraud: One Click May Cost You $30

By xploitzone
April 26, 2026 1:29 AM

Infoblox Threat Intel has exposed a dangerous campaign in which hackers use fake CAPTCHA pages as a weapon for International Revenue Share Fraud: 60 international SMS messages in a single session, a bill of about $30, and the victim is not even aware of it. The campaign has been active since June 2020 and targets millions of users through a Traffic Distribution System.

Internet users solve dozens of CAPTCHA tests every day, choosing traffic lights, typing blurry letters or identifying bicycles. It's a boring but necessary task. Now hackers have turned that boredom and familiarity into their most dangerous weapon.

Cybercriminals have created fake CAPTCHA pages that trick users into sending paid international SMS messages. The victim gets charged on their phone bill and only realises something went wrong a week later when the bill arrives.

This scheme is called International Revenue Share Fraud (IRSF): fraudsters artificially inflate the volume of international calls or messages towards premium-rate services and take their share by exploiting carrier revenue-sharing agreements.

According to data from Telesign, the total number of IRSF attacks has increased six-fold since 2013, and the associated losses have risen from $1.8 billion to $10.76 billion. This is not a small scam; it is a billion-dollar global fraud industry.

Researchers at Infoblox Threat Intel uncovered the entire technical blueprint of this campaign in April 2026. When a user lands on one of these fake pages, they are presented with a perfectly normal-looking CAPTCHA task (identify the animal, or some other simple challenge), but after each answer, JavaScript quietly contacts the attackers' server, which sends back a pre-loaded list of international phone numbers and a pre-written message.

The victim's phone messaging app opens with these numbers and the text already filled in; the user simply has to tap Send. This fraud relies on volume, not on the difficulty of the challenge: in one observed session, just four CAPTCHA steps produced 60 outbound SMS messages in a single verification, sent to numbers in high-termination-fee countries such as Azerbaijan, Egypt and Myanmar.

A single session costs the victim roughly $30, and at a scale of millions of victims this operation becomes extraordinarily profitable.

Traffic Distribution Systems: The Invisible Highway Behind Cyber Attacks

The heart of this entire campaign is its distribution infrastructure, a Traffic Distribution System (TDS) that routes traffic through multiple layers before it reaches a malicious landing page. In March 2026, researchers traced an attack chain that originated from a typosquatted lookalike domain of a major US telecom company, passed through multiple TDS nodes, landed on a fake CAPTCHA and finally ended at a scam gaming or adult-content site that triggered SMS messages with every click.

This TDS infrastructure hides the operation from security researchers and automated detection systems. It tracks user attributes such as country, language, ISP, device type and campaign identifiers through cookies and URL parameters, so that only targeted users are funneled into the SMS flow, while the rest are redirected to other fake CAPTCHA pages.

Researchers observed 35 phone numbers in 17 countries, and the infrastructure has been running consistently on the same network since June 2020, which means the operation has stayed completely under the radar for the last 6 years.

The back button does not work either. When the victim tries to leave the page, a JavaScript script pushes a new entry into the browser history and silently reloads another scam page. This loop continues until the user force-closes the browser.

Google has now officially classified back-button hijacking as a malicious practice in its spam policies and has announced plans to penalize such sites from mid-2026. There is a disclaimer at the bottom of the page that describes the process as a service exchange, but it never discloses that dozens of paid international messages will be sent. This is misdirection, not disclosure.

The most disturbing aspect of this fraud is that its harm is not limited to individuals alone. This operation defrauds both individuals and telecom carriers simultaneously. Individual victims incur unexpected charges on their phone bills, while telecom carriers pay a revenue share to the fraudsters and then absorb those losses through customer disputes or chargebacks.

According to GSMA data, SMS artificial inflation of traffic fraud has increased by 380% over a 12-month period, and these profits are often directly linked to the financing of serious organized crime. IRSF is no longer just a telecoms problem; it is now a cybersecurity issue that overlaps with other attack vectors such as insider threats, supply chain vulnerabilities and business email compromise.

No legitimate service makes sending SMS part of a CAPTCHA or online verification. If a website does this, close your browser immediately. Organizations should use DNS security tools to detect and block known TDS and malicious redirect domains, and telecom carriers should implement real-time monitoring to identify and block artificially inflated SMS traffic.

At the individual level, check your monthly phone bill and notify your carrier immediately if you notice any unexpected international SMS charges: the longer the fraud goes unreported, the more the fraudster earns.
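As an added illustration of the carrier-side monitoring recommended above (example code, not from Infoblox or the article), the script below flags the burst pattern the campaign produces: many SMS from one subscriber to several high-termination-fee countries within seconds. The log format, subscriber IDs, numbers and thresholds are constructed assumptions; the country codes are those of the countries the article names.

```python
from collections import defaultdict
from datetime import datetime

# Country codes the article names as high-termination-fee destinations
# (Azerbaijan +994, Egypt +20, Myanmar +95); extend from carrier rate tables.
HIGH_COST_PREFIXES = {"+994": "AZ", "+20": "EG", "+95": "MM"}

# Constructed sample records, "timestamp subscriber destination" (not real data):
# sub-1001 shows the burst pattern the article describes, sub-2002 is benign.
SAMPLE_LOG = """\
2026-03-03T10:00:01 sub-1001 +994501234567
2026-03-03T10:00:01 sub-1001 +994501234568
2026-03-03T10:00:02 sub-1001 +20101234567
2026-03-03T10:00:02 sub-1001 +959123456789
2026-03-03T10:00:03 sub-1001 +20101234568
2026-03-03T10:00:05 sub-1001 +959123456780
2026-03-03T10:05:00 sub-2002 +14155550100
2026-03-03T10:06:00 sub-2002 +447700900123
"""

def destination_country(number):
    # Map a destination number to a high-cost country code, or None otherwise.
    for prefix, country in HIGH_COST_PREFIXES.items():
        if number.startswith(prefix):
            return country
    return None

def parse_log(text):
    # Parse whitespace-separated records into (datetime, subscriber, destination).
    records = []
    for line in text.splitlines():
        ts, sub, dest = line.split()
        records.append((datetime.fromisoformat(ts), sub, dest))
    return records

def find_bursts(records, window_s=60, min_messages=6, min_countries=2):
    """Return {subscriber: (count, countries)} for subscribers that send at least
    min_messages SMS to at least min_countries high-cost countries in window_s."""
    by_sub = defaultdict(list)
    for ts, sub, dest in records:
        country = destination_country(dest)
        if country:                      # ignore domestic / normal-rate traffic
            by_sub[sub].append((ts, country))
    alerts = {}
    for sub, events in by_sub.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # sliding window from each send
            win = [c for t, c in events[i:] if (t - start).total_seconds() <= window_s]
            if len(win) >= min_messages and len(set(win)) >= min_countries:
                alerts[sub] = (len(win), sorted(set(win)))
                break
    return alerts
```

Running `find_bursts(parse_log(SAMPLE_LOG))` flags only sub-1001; a real deployment would feed live submission events and tune the thresholds against the carrier's own baseline.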
