Fake CAPTCHA scam turns a quick click into a costly phone bill

Brownie2019
Mar 9, 2019
Researchers have documented a long‑running campaign that uses fake CAPTCHA pages to trick mobile users into sending dozens of international SMS messages in the background.
If you’ve spent any time on today’s web, CAPTCHAs may seem like background noise: click a few traffic lights, prove you’re human, move on. That’s something scammers have learned to abuse in ClickFix campaigns, where they lure victims into infecting their own machines.

Recently, though, researchers found a twist where “prove you’re human” quietly turns into “run up an international phone bill.” The research describes an International Revenue Share Fraud (IRSF) campaign. IRSF, also known as SMS pumping fraud, abuses the complex pricing structures of international calls and SMS traffic to generate revenue by inflating message volume to particular destinations.
Instead of installing malware on the victim’s device, the scam exploits how telecom billing and affiliate networks work, turning ordinary web traffic into premium SMS revenue for cybercriminals.

This is a useful example of why “CAPTCHA” prompts should not be treated as harmless by default.

What this campaign is doing

From the description, this is not the usual fake CAPTCHA chain where a user is pushed into pasting commands or installing something.

In this case, the abuse appears to rely on mobile browser behavior and deceptive prompts that cause the device to initiate or prepare premium/international SMS activity. The goal is financial fraud rather than classic device infection.

Why it matters

  • It can affect users who never knowingly install an app or APK.
  • The damage may show up as carrier charges rather than obvious malware symptoms.
  • Mobile users are more exposed because actions involving SMS, dialers, and mobile subscriptions can be triggered more easily through deceptive workflows.

Practical safety advice

  • Do not interact with CAPTCHA pages that appear unexpectedly, especially after redirects from streaming, file-sharing, adult, or other high-abuse sites.
  • If a page asks you to tap buttons that open your SMS app, dialer, or subscription prompt, stop immediately.
  • Check your messaging app for unsent or recently created international messages.
  • Review your mobile carrier account for premium SMS or unexplained international charges.
  • If available, ask your carrier to block premium-rate SMS and international messaging to high-risk destinations.
  • Use a reputable mobile security app, but keep expectations realistic: this kind of fraud may leave fewer traditional malware indicators.

Important limitation

Without the full technical details, it would be unsafe to make stronger claims about exactly which browsers, prompts, or mobile OS features are being abused. The safest conclusion is simply that fake CAPTCHA pages are being used as a social-engineering layer for billing fraud.

Bottom line

This looks like a billing-fraud and social-engineering campaign, not necessarily a conventional malware infection chain. The most effective defense is to avoid unexpected CAPTCHA flows, refuse any action that opens SMS-related prompts, and check carrier-side billing controls.
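As an added illustration of the “check your messaging app for recently created international messages” advice and of the IRSF pattern of inflating message volume to particular destinations, here is a small Python checker written for this thread (not code from the researchers or the thread author). It scans a constructed SMS export for bursts of outbound international messages; the export format, the home country prefix, and the sample numbers are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export, "timestamp,direction,number,status" per line.
# Real exports differ by messaging app; the numbers below are made up.
SAMPLE_SMS_LOG = """\
2024-05-01T09:58:10,out,+4915112345678,sent
2024-05-01T10:02:31,out,+25470000001,sent
2024-05-01T10:02:33,out,+25470000002,sent
2024-05-01T10:02:35,out,+37960000001,sent
2024-05-01T10:02:36,out,+37960000002,failed
2024-05-01T10:02:38,out,+88210000001,sent
2024-05-01T10:02:40,out,+88210000002,sent
2024-05-01T10:02:41,out,+25470000003,sent
2024-05-01T12:30:00,in,+4915187654321,received
"""

HOME_PREFIX = "+49"  # assumed home country code; adjust per user


def parse_log(text):
    """Parse the export into (timestamp, direction, number, status) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, direction, number, status = line.split(",")
        records.append((datetime.fromisoformat(ts), direction, number, status))
    return records


def find_sms_bursts(records, window=timedelta(minutes=5), threshold=5):
    """Return (start, end, count, top_prefixes) for every run of at least
    `threshold` outbound international SMS inside one `window`.
    Failed sends still count: a failed attempt is still a sign of pumping."""
    intl = sorted(
        (ts, num) for ts, d, num, _ in records
        if d == "out" and num.startswith("+") and not num.startswith(HOME_PREFIX)
    )
    bursts, i = [], 0
    while i < len(intl):
        j = i
        while j + 1 < len(intl) and intl[j + 1][0] - intl[i][0] <= window:
            j += 1
        if j - i + 1 >= threshold:
            # Country-code prefixes (first 4 chars) show where the traffic is pumped to.
            prefixes = Counter(num[:4] for _, num in intl[i:j + 1])
            bursts.append((intl[i][0], intl[j][0], j - i + 1, prefixes.most_common(3)))
            i = j + 1
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for start, end, count, top in find_sms_bursts(parse_log(SAMPLE_SMS_LOG)):
        print(f"{count} international SMS between {start} and {end}; top prefixes: {top}")
```

The single outbound message to a home-prefix number is ignored, while the seven-message burst in ten seconds to three foreign prefixes is reported, which is the shape a background SMS-pumping run would leave in the sent folder.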
 
I ran the compromised domain checks on my mobile Firefox while I was at my mother's house.
You don't need to use a security app; you just need to know how to configure your browser a little.
Almost all of the domains are HTTP, one is even flagged by Google Safe Browsing, and almost all of them are blocked by NextDNS.