
Cybersecurity researchers have disclosed details of a telecom fraud campaign that uses fake CAPTCHA verification pages to trick unsuspecting users into sending international text messages, which are charged to their mobile phone bills and generate illicit revenue for attackers who lease the destination phone numbers.
The operation is believed to have been active since at least June 2020, using techniques such as social engineering and web browser back button hijacking, according to a new report published by Infoblox. As many as 35 phone numbers across 17 countries have been observed as part of the International Revenue Sharing Fraud (IRSF) campaign.
Researchers David Brunsdon and Darby Wise said in their analysis: “The fake CAPTCHA has multiple steps, and each message created by the site is pre-populated with more than a dozen phone numbers. This means that rather than victims being charged for a single message, they are charged for sending an SMS to more than 50 international destinations.”
“This type of fraud also benefits from billing delays, as ‘international SMS’ charges often appear on victims’ bills weeks later, and the fake CAPTCHA experience is long forgotten.”
What makes this threat notable is the combination of revenue sharing fraud and a malicious traffic distribution system (TDS). This infrastructure, traditionally responsible for routing traffic to malware and phishing pages through redirect chains to evade detection, is being used to carry out large-scale SMS fraud.
IRSF schemes involve fraudsters illicitly acquiring international premium rate numbers (IPRNs) or number ranges, artificially inflating the volume of international calls or messages to those numbers, and receiving a share of the revenue generated from the termination charges that the number range holder collects for incoming traffic to that range.
In this context, termination charges refer to inter-carrier charges paid by the originating carrier to the terminating carrier to complete a call on the network. IRSF is driven by the abuse of these “revenue-sharing” arrangements, where the originating carrier ends up paying a termination fee to the destination network for calls to high-value destinations, a portion of which is split 50-50 with the fraudster.
According to Infoblox, the campaigns observed specifically register phone numbers in countries with high termination fees and weak regulation, such as Azerbaijan and Kazakhstan, or in certain premium number ranges in Europe, and collude with local telecom providers to carry out the fraud.
The campaign unfolds as follows. Users are redirected to a fake web page via a commercial TDS and presented with a CAPTCHA that instructs them to send an SMS to “verify that you are a human”. This triggers a multi-step “verification” chain in which each step sends a separate SMS message to the number specified by the server, by programmatically launching the SMS app on both Android and iOS devices with the phone number and message content pre-filled.
In the process, up to 60 SMS messages are sent to 15 unique numbers over four CAPTCHA steps, potentially costing the user $30 in the end. While this amount may be relatively small, the DNS threat intelligence firm warned that it could quickly add up for threat actors operating at scale. The list of phone numbers spans 17 countries, including Azerbaijan, the Netherlands, Belgium, Poland, Spain, and Turkey.
This campaign relies heavily on cookies to track the progress of the fake verification flow, using the values stored in certain cookies (e.g. ‘successRate’) to determine the next action. If the user is deemed ineligible for the campaign, the page is designed to redirect the user to an entirely different CAPTCHA page, likely part of another campaign or controlled by another attacker.
Another new strategy employed by scammers is the use of back button hijacking. It relies on JavaScript to modify browsing history, and when a site visitor attempts to navigate away from a CAPTCHA page by pressing the browser’s back button, it redirects the user to a fake page, effectively trapping the user in a navigation loop unless they choose to exit the browser completely.
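As an added example (not code from Infoblox or the report), the following Python heuristic scans a page source for the three traits described above: sms: links pre-filled with many recipients, a cookie-driven step counter, and a history-rewrite back-button trap. The sample page, the cookie-name pattern, and the threshold of five recipients are assumptions; the phone numbers are placeholders.

```python
import re
from urllib.parse import unquote

# Matches sms: deep links as they appear in href attributes or JavaScript strings.
SMS_URI_RE = re.compile(r'sms:[^"\'\s<>]+', re.IGNORECASE)
# Captures the name of any cookie the page writes (e.g. the 'successRate' step tracker).
COOKIE_NAME_RE = re.compile(r'document\.cookie\s*=\s*["\']([A-Za-z0-9_]+)=')
# Assumed threshold: a legitimate "text us" link rarely carries this many recipients.
BULK_THRESHOLD = 5

# Constructed sample page fragment mimicking the fake-CAPTCHA flow (placeholder numbers).
SAMPLE_PAGE = """
<a id="verify" href="sms:+000000000001,+000000000002,+000000000003,+000000000004,\
+000000000005,+000000000006?body=VERIFY%201234">I am human</a>
<script>
  document.cookie = "successRate=1; path=/";
  history.pushState(null, "", location.href);
  window.addEventListener("popstate", function () { location.href = "/captcha"; });
</script>
"""

def parse_sms_uri(uri):
    """Split an sms: URI into (recipients, body). Android uses '?body=', iOS '&body='."""
    rest = uri[len("sms:"):].lstrip("/")
    cut = re.search(r"[?&]", rest)
    target, query = (rest, "") if cut is None else (rest[:cut.start()], rest[cut.end():])
    recipients = [r.strip() for r in re.split(r"[,;]", target) if r.strip()]
    body = ""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key.lower() == "body":
            body = unquote(value.replace("+", " "))
    return recipients, body

def analyze_page(html):
    """Return the indicators a defender would log for one page source."""
    links = [parse_sms_uri(u) for u in SMS_URI_RE.findall(html)]
    max_recipients = max((len(r) for r, _ in links), default=0)
    # Back-button trap: the history stack is rewritten and a popstate handler redirects.
    hijack = "pushState" in html and "popstate" in html
    cookies = sorted(set(COOKIE_NAME_RE.findall(html)))
    indicators = []
    if max_recipients >= BULK_THRESHOLD:
        indicators.append("bulk_sms_link")
    if hijack:
        indicators.append("back_button_hijack")
    if cookies:
        indicators.append("cookie_driven_flow")
    return {"sms_links": len(links), "max_recipients": max_recipients,
            "flow_cookies": cookies, "indicators": indicators,
            "verdict": "suspicious" if len(indicators) >= 2 else "benign"}
```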

“This operation defrauds both individuals and carriers at the same time. Individual victims face unexpectedly high SMS charges on their bills, and fraud will be difficult to identify and report when it comes from such an unexpected source,” Infoblox concluded. “Carriers are likely to pay revenue sharing to perpetrators while absorbing losses from customer disputes and chargebacks.”
How threat actors exploit Keitaro TDS
The disclosure comes as the company, in collaboration with Confiant, published a three-part analysis detailing how Keitaro TDS (also known as Keitaro Tracker) is being exploited by a wide range of threat actors for malicious activities, including malware distribution, cryptocurrency theft, and investment scams that claim to use artificial intelligence (AI) to automate trades and promise huge profits, in some cases by acquiring stolen or cracked licenses (as in the case of TA2726).
The scams use Facebook ads to drive victims to fraudulent AI-powered platforms and, in some cases, fabricate celebrity endorsements through fake news articles and deepfake videos to promote the investment schemes. The use of synthetic videos is attributed to a threat actor known as FaiKast.
“Keitaro is first and foremost a self-hosted ad performance tracker designed to conditionally route visitors using flows,” the companies said. “Threat actors reuse this mechanism to transform the Keitaro server into an all-in-one tool that acts as a traffic distribution system, tracker, and cloaking layer.”
Over a four-month period from October 2025 to January 2026, over 120 different campaigns in total exploited Keitaro’s TDS for link distribution. Infoblox noted that its customers logged approximately 226,000 DNS queries across 13,500 domains related to Keitaro-related activity during the period. Following responsible disclosure, Keitaro stepped in to cancel more than a dozen accounts associated with these activities.
“By combining an old but highly effective investment fraud theme with modern AI technology, attackers were able to launch a large-scale and highly convincing cyber campaign,” Infoblox and Confiant said. “Approximately 96% of the spam traffic linked to Keitaro was facilitating cryptocurrency wallet draining schemes via fake airdrops/giveaway lures primarily centered around AURA, SOL (Solana token), Phantom (wallet), and Jupiter (DEX/aggregator).”