Fake CAPTCHA scam drains bank accounts through international revenue share fraud

Security Operations, Phishing, Threat Intelligence

A long-running fraud operation, active since at least June 2020, has been discovered to be draining bank accounts using fake CAPTCHA pages to conduct international revenue share fraud (IRSF). This scam transforms a common security measure into a tool for tricking users into sending high-cost international text messages, according to a recent report by HackRead.

The attack chain begins when users land on typosquatted domains mimicking telecommunications brands. These sites redirect victims through a traffic distribution system to a scammer-controlled landing page. There, fake CAPTCHA challenges ask users simple questions about their device or network. Each answer triggers a JavaScript function that opens the phone's SMS app, pre-filling messages to numerous international numbers with high termination fees in countries like Azerbaijan and Kazakhstan.

To prevent users from escaping, the attackers employ back button hijacking, trapping them in a loop. A single session can result in over 60 messages sent to more than 50 destinations, potentially costing victims $30 or more, with charges often appearing weeks later. Infoblox researchers attribute this operation to an affiliate of a European Click2SMS network, utilizing infrastructure from Adam Ecotech.

Source: HackRead
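The two page-level traits the article describes, many `sms:` links to high-termination-fee countries and a `popstate`/`pushState` back-button trap, can be scored from static page content. The following is an added detection example, not code from the article, HackRead or Infoblox; the sample page and its phone numbers are constructed placeholders, and the prefix list is an assumption (+994 is Azerbaijan, +7 is shared by Kazakhstan and Russia).

```python
import re

# Constructed sample landing page modelled on the behaviour described above.
# Numbers are 555-style placeholders, not real destinations.
SAMPLE_PAGE = """
<a href="sms:+994555000001?body=YES">Is your phone Android?</a>
<a href="sms:+994555000002?body=YES">Is your phone Android?</a>
<script>
  function answer(i) { window.location.href = "sms:+7555000000" + i + "?body=OK"; }
  history.pushState(null, "", location.href);
  window.onpopstate = function () { history.pushState(null, "", location.href); };
</script>
"""

# sms: URI followed by a phone number (digits, optional +, separators).
SMS_URI = re.compile(r'sms:(\+?\d[\d\-\s]{5,})', re.IGNORECASE)
# Assumption: country codes named in the article as high-cost destinations.
# +7 also covers Russia; a production filter should use a full numbering plan.
HIGH_COST_PREFIXES = ("+994", "+7")
BACK_TRAP = re.compile(r'onpopstate|addEventListener\(\s*["\']popstate', re.IGNORECASE)
PUSHSTATE = re.compile(r'history\.pushState')


def extract_sms_destinations(html: str) -> list:
    """Return every sms: destination in the page, normalised to +digits."""
    numbers = []
    for match in SMS_URI.finditer(html):
        digits = re.sub(r'\D', '', match.group(1))
        numbers.append('+' + digits)
    return numbers


def assess_page(html: str, threshold: int = 3) -> dict:
    """Score a page for the IRSF pattern: many high-cost sms: targets plus a back trap."""
    destinations = extract_sms_destinations(html)
    high_cost = sorted({d for d in destinations if d.startswith(HIGH_COST_PREFIXES)})
    # Back-button hijack: a popstate handler that re-pushes history state.
    back_trap = bool(BACK_TRAP.search(html) and PUSHSTATE.search(html))
    return {
        "sms_uris": len(destinations),
        "high_cost_destinations": high_cost,
        "back_button_trap": back_trap,
        "suspicious": len(high_cost) >= threshold or (back_trap and bool(high_cost)),
    }


if __name__ == "__main__":
    print(assess_page(SAMPLE_PAGE))
```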
