Cybersecurity researchers have uncovered a telecommunications fraud campaign that employs deceptive CAPTCHA verification methods to trick users into sending costly international text messages. This operation, active since at least June 2020, generates illicit revenue for the perpetrators by exploiting unsuspecting individuals.
Details of the Fraudulent Scheme
According to a report from Infoblox, the campaign has involved as many as 35 phone numbers across 17 countries. The fraudulent process begins when users are redirected to a fake webpage that presents a CAPTCHA challenge, instructing them to send an SMS to confirm their identity. Each interaction can lead to multiple SMS messages being sent, resulting in charges that can accumulate significantly over time.
Researchers David Brunsdon and Darby Wise noted that the fake CAPTCHA is designed to trigger a series of SMS messages, with victims potentially sending up to 60 messages to 15 different numbers after completing the CAPTCHA steps. This could lead to charges of around $30 for users, which may seem minor but can escalate when replicated across numerous victims.
Mechanics Behind the Scam
The campaign utilizes a combination of revenue share fraud and malicious traffic distribution systems (TDSs). By hijacking the SMS apps on both Android and iOS devices, the threat actors can pre-fill message content and phone numbers, making it easier for users to unknowingly send messages. The operation also employs cookie tracking to monitor user progression through the fake verification flow.
Additionally, the scammers implement back button hijacking techniques, which manipulate browser history to trap users in a navigation loop, preventing them from easily exiting the fraudulent page.
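For defenders triaging a captured landing page, the traits described above can be checked together. The following is an added example, not code from Infoblox or the original report. It assumes the pre-filled messages are delivered through sms: links, which the article does not specify, and its indicator names and two-indicator threshold are illustrative.

```javascript
// Added example: heuristic triage of captured page source (HTML plus inline JS).
// Indicator names and the two-indicator threshold are assumptions for illustration.

// sms:/smsto: URIs can carry comma-separated recipients and a pre-filled body.
const SMS_URI = /\bsms(?:to)?:([+\d,\-]*)(?:(?:[?&;]|&amp;)body=([^"'\s<>]*))?/gi;

function findSmsPrefills(source) {
  return [...source.matchAll(SMS_URI)].map((m) => ({
    recipients: m[1].split(',').map((n) => n.replace(/[^\d+]/g, '')).filter(Boolean),
    prefilledBody: Boolean(m[2]),
  }));
}

// Weak signal on its own: single-page apps also combine pushState and popstate.
function findHistoryTrap(source) {
  const pushes = (source.match(/history\.(?:pushState|replaceState)\s*\(/g) || []).length;
  const popHandler = /onpopstate\s*=|addEventListener\s*\(\s*['"]popstate['"]/.test(source);
  return { pushes, popHandler, present: pushes > 0 && popHandler };
}

function triagePage(source) {
  const sms = findSmsPrefills(source);
  const numbers = new Set(sms.flatMap((h) => h.recipients));
  const reasons = [];
  if (sms.some((h) => h.prefilledBody)) reasons.push('sms-link-with-prefilled-body');
  if (numbers.size > 1) reasons.push('multiple-sms-recipients');
  if (sms.length && /captcha|verif/i.test(source)) reasons.push('sms-framed-as-verification');
  if (sms.length && findHistoryTrap(source).present) reasons.push('history-handlers-beside-sms-link');
  return { distinctNumbers: numbers.size, reasons, flag: reasons.length >= 2 };
}

// Constructed samples (fictional 555-01xx numbers), not taken from the campaign.
const SAMPLE_SUSPECT = `<h1>Verify you are human</h1>
<a href="sms:+15555550101,+15555550102?body=CONFIRM%201234">Complete CAPTCHA</a>
<script>history.pushState({}, '', '#step2');
window.addEventListener('popstate', onBack);</script>`;

const SAMPLE_BENIGN = `<a href="sms:+15555550100">Text our support desk</a>
<script>history.pushState({}, '', '/contact');
window.addEventListener('popstate', renderRoute);</script>`;

console.log(triagePage(SAMPLE_SUSPECT));
console.log(triagePage(SAMPLE_BENIGN));
```

The benign sample shows why the history check is only counted alongside an SMS link and why a single indicator does not raise the flag: an ordinary contact page with client-side routing matches one rule but stays below the threshold.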
Impact on Victims and Telecom Providers
This operation affects both individual users and telecommunications carriers. Victims face unexpected charges on their bills, often struggling to identify the source of the fraud. Meanwhile, telecom providers incur losses from revenue share payments to the fraudsters, as well as customer disputes and chargebacks.
Keitaro TDS Misuse
In a related disclosure, Infoblox and Confiant detailed how the Keitaro TDS has been exploited for various malicious activities, including cryptocurrency theft and investment scams. Over 120 distinct campaigns have been linked to Keitaro, with significant DNS query activity associated with these operations. Following responsible disclosure, Keitaro has terminated multiple accounts involved in these fraudulent activities.
Infoblox emphasized that the combination of traditional investment fraud themes with modern technologies has enabled actors to launch large-scale and convincing cyber campaigns, particularly targeting cryptocurrency schemes.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








