'Unfortunately, it needs to be said: Do not send a text to confirm you are human': Experts reveal how fake CAPTCHAs are driving a global SMS scam campaign


  • Infoblox researchers expose long‑running CAPTCHA scam that tricks victims into sending costly international SMS messages
  • Victims can unknowingly send dozens of texts, incurring charges while attackers profit through telecom revenue sharing
  • The defense is simple: never send a text message to “prove you are human”

Fake CAPTCHAs are not only a lure for copying and pasting links that lead to malware; they can also be used to get a victim to send an SMS to an international number, and to pay a whole lot for the privilege.

Security researchers from Infoblox recently published an in-depth report about an “underreported” type of CAPTCHA scam.

This particular campaign has been active since at least June 2020 and has been tricking people into sending SMS messages through social engineering and browser back button hijacking. During their research, they found 35 phone numbers in 17 different countries.


Multiple SMS messages

"The fake CAPTCHA has multiple steps, and each message crafted by the site is preconfigured with over a dozen phone numbers, meaning the victim isn't charged for just a single message – they're charged for sending SMSs to over 50 international destinations," researchers David Brunsdon and Darby Wise wrote in their report.

One of the reasons why this sort of scam hasn’t been that widely reported is likely because of delayed billing, they added. International SMS charges are only a problem a few weeks later, when the bill arrives, and by then, “the experience with the fake CAPTCHA has been long forgotten.”

Another vital part of the operation is the malicious traffic distribution system (TDS), which redirects the victim to these landing pages.

Here is how it works: a commercial TDS redirects a victim to a malicious website that requires the person to “confirm they are human” by sending an SMS. When the victim taps the button, the page uses a standard mobile link type (an sms: URI) to open the messaging app with the recipient number and message text already filled in; the victim only has to tap Send. The numbers are leased by the attackers.

The process then continues: each subsequent step asks for another “confirmation”, triggering further SMS messages to different numbers. In the process, a victim may end up sending as many as 60 SMS messages to 15 different numbers, racking up charges of up to $30. It may not sound like much, but this is a game of large numbers: with thousands of users falling victim, the figures quickly add up.
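As an added illustration (not code from Infoblox's report or from this article), the following JavaScript shows the mobile feature the scam relies on: an sms: link (RFC 5724) that opens the messaging app with recipient and body pre-filled, one link per “confirmation” step. Going a step beyond the article, it also includes a small parser a defender can run over the links extracted from a page to flag sms: destinations outside the visitor's own country code. The phone numbers (taken from reserved fictional ranges), the CONFIRM 4821 body text, the sample page links and the helper names are all constructed for the example; the back-button hijacking the article mentions is not reproduced here.

```javascript
// Added example, not code from Infoblox or TechRadar. Phone numbers and the
// sample page below are constructed; numbers come from reserved fictional ranges.

// Attacker side: an sms: URI (RFC 5724) opens the phone's default messaging app
// with the recipient and the message body already filled in. This is the
// "built-in mobile feature" a fake CAPTCHA page uses; the victim still taps Send.
function buildSmsLink(number, body) {
  return `sms:${number}?body=${encodeURIComponent(body)}`;
}

// Each "confirm you are human" step points at a different leased number, so a
// victim who walks through every step sends one message per number.
function buildCaptchaSteps(numbers, body) {
  return numbers.map((n, i) => ({ step: i + 1, href: buildSmsLink(n, body) }));
}

// Defender side: recover recipient and body from an sms: (or smsto:) href.
// Returns null for anything that is not an sms: link.
const SMS_RE = /^sms(?:to)?:([+\d\-\s().]*?)(?:\?(.*))?$/i;

function parseSmsLink(href) {
  const m = SMS_RE.exec(String(href).trim());
  if (!m) return null;
  const number = m[1].replace(/[^\d+]/g, ""); // strip spaces, dashes, brackets
  let body = "";
  if (m[2]) {
    for (const part of m[2].split("&")) {
      const [k, v = ""] = part.split("=");
      if (k.toLowerCase() === "body") {
        body = decodeURIComponent(v.replace(/\+/g, " "));
      }
    }
  }
  return { number, body };
}

// Flag sms: links whose destination is in international (E.164, leading "+")
// format and does not start with the visitor's own country code. Links in
// local format (no "+") are left alone: they cannot be classified reliably.
function findForeignSmsLinks(hrefs, homeCountryCode) {
  const flagged = [];
  for (const href of hrefs) {
    const parsed = parseSmsLink(href);
    if (!parsed) continue;
    if (parsed.number.startsWith("+") && !parsed.number.startsWith(homeCountryCode)) {
      flagged.push({ href, ...parsed });
    }
  }
  return flagged;
}

// Constructed sample: anchors a scraper might pull from a fake-CAPTCHA page
// served to a UK (+44) visitor.
const SAMPLE_HREFS = [
  "https://example.com/verify",               // ordinary link, ignored
  "sms:+447700900123?body=CONFIRM%204821",    // domestic, not flagged
  "sms:+12125550123?body=CONFIRM%204821",     // international, flagged
  "sms:07700900123",                          // local format, skipped
];

console.log(buildCaptchaSteps(["+12125550123", "+447700900123"], "CONFIRM 4821"));
console.log(findForeignSmsLinks(SAMPLE_HREFS, "+44"));
```

A real fake-CAPTCHA page would generate one such link per step and move the visitor along with scripted navigation; the parser above is the piece worth keeping, since any sms: href with an out-of-country destination on a page that claims to be a human check is a strong signal on its own.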

The victims in this campaign are both the end users and the telecoms, Infoblox concluded. Users lose money directly on their bills; telecoms lose by paying revenue share to the perpetrators for the terminated messages and by handling the resulting chargebacks and customer refund requests.

Defending against the scam is simple, however. “Unfortunately, it needs to be said,” Infoblox stressed. “Do not send a text to confirm you are human.”




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
