Google users receive $30 bills after fake CAPTCHA scammed them into sending premium text messages


Scammers are using fake CAPTCHA pages to fool gullible users into sending text messages to premium-rate international numbers, leaving them with a hefty bill.

According to cybersecurity firm Infoblox, unsuspecting people who fall for this trap are left with high phone bills.

Researchers found that scammers used at least 35 phone numbers across 17 countries known for high termination fees, including Azerbaijan, Egypt, and Myanmar.


Victims aren’t charged for just one expensive text message; they’re billed for messages to over 50 international destinations.

“These are small amounts individually, but they could quickly add up for the threat actor,” the cybersecurity firm states.

Security researchers tracked this particular CAPTCHA scam to map the attack chain. Most of the time, the attack begins when someone mistypes a web address and lands on a typosquatted domain, one that differs from a legitimate brand’s address by a single typo. This is very deceptive because the page mimics the real brand.

Without realizing it, a victim steps into a sophisticated, multi-stage fraud operation.

First, the user is asked to solve several fake CAPTCHAs. Instead of selecting, for example, bicycles or buses, the victim is asked to answer simple questions about their device’s operating system or network speed.

Here’s the catch: every time a user clicks an answer, a JavaScript function the researchers identify as makeTrackerDownload.php is triggered. It forces the victim’s phone to open its text message app with a pre-filled message addressed to a batch of international phone numbers.


Researchers discovered that after only four CAPTCHAs, 60 text messages had been sent to 15 costly phone numbers.


In addition to text-based social engineering, researchers say this campaign employs a dedicated back-button hijacking mechanism to trap users on the fake CAPTCHA pages, increasing the likelihood of further text message interaction.

A dedicated JavaScript snippet manipulates the user’s browser history. Whenever the victim presses the back button, the script pushes the current page URL onto the history stack again, so instead of returning to the previous page the browser reloads the scam page. The victim is trapped in an endless loop of fake CAPTCHAs without ever leaving the site.
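The two mechanisms described above (answer clicks that open the messaging app with pre-filled recipients, and the back-button trap) can be triaged statically from a captured copy of the page. The following is an added example, not code from the article or from Infoblox; it assumes the pre-filled message is delivered through `sms:` links (the article does not name the mechanism) and that the trap uses the History API, and the country-code table and sample page are constructed for illustration.

```javascript
// Added triage helper (not from the article): flags sms: links to high-cost
// destinations and History-API back-button traps in a captured page source.
// Constructed sample of dialling codes for destinations the article names.
const HIGH_COST_PREFIXES = { "994": "Azerbaijan", "20": "Egypt", "95": "Myanmar" };

// Pull every sms: URI out of the page and split it into recipients and body.
function extractSmsLinks(source) {
  const links = [];
  const re = /sms:([^"'\s?&]+)(?:[?&]body=([^"'\s]*))?/gi;
  let m;
  while ((m = re.exec(source)) !== null) {
    const recipients = m[1].split(",").map((r) => r.trim()).filter(Boolean);
    let body = m[2] || "";
    try { body = decodeURIComponent(body); } catch (e) { /* keep raw if malformed */ }
    links.push({ recipients, body });
  }
  return links;
}

// Map a number to a known high-cost destination, or null if not in the table.
function riskyDestination(number) {
  const digits = number.replace(/\D/g, "");
  for (const [prefix, country] of Object.entries(HIGH_COST_PREFIXES)) {
    if (digits.startsWith(prefix)) return country;
  }
  return null;
}

// Heuristic: a popstate handler combined with history.pushState is the trap pattern.
function hasBackButtonTrap(source) {
  return /popstate/.test(source) && /history\.pushState\s*\(/.test(source);
}

// Summarise one captured page for an analyst.
function triagePage(source) {
  const links = extractSmsLinks(source);
  const recipients = links.flatMap((l) => l.recipients);
  const riskyCountries = [...new Set(recipients.map(riskyDestination).filter(Boolean))];
  return { smsLinks: links.length, recipients: recipients.length,
           riskyCountries, backButtonTrap: hasBackButtonTrap(source) };
}

// Constructed sample page (not a real site) exercising both checks.
const SAMPLE_PAGE = `
<a href="sms:+994501234567,+201001234567?body=Confirm%20I%20am%20human">Next</a>
<script>
window.addEventListener("popstate", () => history.pushState(null, "", location.href));
</script>`;

console.log(JSON.stringify(triagePage(SAMPLE_PAGE)));
```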

Google recently pushed an update that addresses back-button hijacking.


The researchers claim this particular scam can cost a victim $30 or more per session. International text messages often appear on the victim’s bill weeks later, by which time the encounter with the fake CAPTCHA has long been forgotten.

“Our findings here add to our years of research showing that the malicious use of TDSs [traffic distribution systems, ed.] is one of the most significant threats on the internet today, and brings attention to a new lesson: avoiding pop-ups, spoofed pages, and compromised sites isn’t enough to stay safe: don’t send texts to confirm you are human either,” Infoblox concludes.


