226/69 Monday, April 27, 2026

Researchers from the Threat Intelligence team at Infoblox have uncovered a sophisticated global fraud campaign known as Click2SMS. In this scheme, attackers abuse familiar CAPTCHA verification systems as a tool for International Revenue Share Fraud (IRSF). The scam aims to drain money from victims’ accounts or mobile bills by tricking them into sending SMS messages to premium-rate international numbers in countries such as Azerbaijan, Kazakhstan, and Myanmar. The operation has reportedly been active since 2020 and continues to evolve to evade detection.
The attack typically begins by luring users to phishing websites hosted on domains that mimic well-known telecommunications brands. Once on the site, victims are presented with a fake CAPTCHA page asking simple questions, such as device type or internet speed. As soon as the victim interacts with the page, a JavaScript file named makeTrackerDownload.php executes, prompting the smartphone to open the SMS app with pre-filled messages and multiple international phone numbers. By the time victims complete all four “verification” steps, they may have unknowingly sent over 60 SMS messages to around 50 recipients across 17 countries, resulting in charges of up to $30 per visit.
Additionally, attackers employ a technique known as Back Button Hijacking to keep victims trapped on the malicious page. If users attempt to leave, scripts repeatedly refresh the page, forcing them to continue the process. Investigations have linked the campaign’s infrastructure to networks in Europe previously associated with malware distribution. Users are strongly advised to be cautious: legitimate CAPTCHA systems will never ask users to send SMS messages as part of identity verification.
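The indicators described above (an SMS link carrying several recipients and a pre-filled body, the makeTrackerDownload.php script name, and a back-button trap) can be checked in captured page source. The following JavaScript is an added example, not code from Infoblox or from the campaign; the function names, finding labels, sample markup and placeholder numbers are constructed, and the history-trap check is an assumed heuristic.

```javascript
// Added example: static triage of captured page source. All sample data is constructed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Parse sms:<recipients>?body=<text>; the ';' and '&' separators that some
// mobile platforms accept in place of '?' are handled as well.
function parseSmsUri(uri) {
  const m = /^sms:([^?&;]*)(?:[?&;](.*))?$/i.exec(uri.trim());
  if (!m) return null;
  const recipients = safeDecode(m[1]).split(',').map(s => s.trim()).filter(Boolean);
  const b = /(?:^|[?&;])body=([^&;]*)/i.exec(m[2] || '');
  return { recipients, body: b ? safeDecode(b[1]) : '' };
}

function triagePage(source) {
  const uris = source.match(/\bsms:[^\s"'<>`)]+/gi) || [];
  const parsed = uris.map(parseSmsUri).filter(Boolean);
  const distinct = new Set(parsed.flatMap(p => p.recipients));
  const findings = [];
  if (parsed.some(p => p.recipients.length > 1)) findings.push('sms-multiple-recipients');
  if (parsed.some(p => p.recipients.length && p.body)) findings.push('sms-prefilled-body');
  // Script name reported for this campaign in the article.
  if (/makeTrackerDownload\.php/i.test(source)) findings.push('reported-script-name');
  // Assumed heuristic: a history entry is pushed and a popstate handler is registered.
  if (/history\.pushState\s*\(/.test(source) && /['"]popstate['"]|onpopstate/.test(source)) {
    findings.push('history-trap-pattern');
  }
  const bulkSms = findings.includes('sms-multiple-recipients') &&
                  findings.includes('sms-prefilled-body');
  const suspicious = bulkSms || findings.includes('reported-script-name');
  return { findings, smsUriCount: parsed.length, distinctRecipients: distinct.size, suspicious };
}

// Constructed samples; numbers and paths are placeholders, handler body omitted.
const SAMPLE_SUSPECT = `
<script src="/makeTrackerDownload.php"></script>
<a href="sms:+000000000001,+000000000002,+000000000003?body=VERIFY%201">Continue</a>
<script>history.pushState(null, '', location.href);
window.addEventListener('popstate', handler);</script>`;
const SAMPLE_BENIGN = `<a href="sms:+000000000009">Text our support line</a>`;

console.log(triagePage(SAMPLE_SUSPECT));
console.log(triagePage(SAMPLE_BENIGN));
```

A single-recipient SMS link with no pre-filled body, as in the benign sample, produces no findings, so ordinary "text us" links are not flagged.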
Source: https://hackread.com/fake-captcha-pages-exploit-clicks-send-texts/
