Researchers have documented a long‑running campaign that uses fake CAPTCHA pages to trick mobile users into sending dozens of international SMS messages in the background.
If you’ve spent any time on today’s web, CAPTCHAs may seem like background noise: click a few traffic lights, prove you’re human, move on. Something scammers have learned to abuse in ClickFix campaigns where they lure victims into infecting their own machines.
Recently, though, researchers found a twist where “prove you’re human” quietly turns into “run up an international phone bill.” The research describes an International Revenue Share Fraud (IRSF) campaign. IRSF, also known as SMS pumping fraud, abuses the complex pricing structures of international calls and SMS traffic to generate revenue by inflating message volume to particular destinations.
Instead of installing malware on the victim’s device, the scam exploits how telecom billing and affiliate networks work, turning ordinary web traffic into premium SMS revenue for cybercriminals.
How it works
A typical flow for the scam looks like this:
- Victims arrive via malvertising or TDS redirects, often from typosquatted telecom domains, onto a page that looks like a basic image‑selection or quiz CAPTCHA.
- To “continue,” they’re prompted to tap a button that opens their SMS app with a prefilled message and recipient list.
- This isn’t one SMS to one number. The fake CAPTCHA runs through multiple steps, and each message is preconfigured with more than a dozen international numbers across 17 countries known for high termination fees, including Azerbaijan, Myanmar, and Egypt.
On a typical consumer plan, that can translate to roughly $30 in international SMS charges per person, with a slice of the termination fees flowing back to the attacker via revenue‑sharing agreements.
To keep you from simply backing out, the pages deploy dedicated back‑button hijacking. JavaScript rewrites browser history and bounces you back to the scam when you try to leave. The researchers also found the campaign was plugged into a Click2SMS‑style affiliate network that advertises “all kinds of traffic allowed” and carrier billing, effectively packaging IRSF as another monetization option for shady publishers.
This operation defrauds both individuals and telecom carriers. Victims face unexpected premium SMS charges on their bills and may struggle to trace the cause. Carriers pay revenue shares to the perpetrators and may absorb losses from customer disputes or chargebacks.
Mobile protection, anywhere, anytime.
How to protect yourself
Never send an SMS to “prove you’re human.” Legitimate CAPTCHAs run entirely in your browser. They won’t open your SMS or dialer app.
Check your mobile bill regularly for small, unfamiliar international SMS charges, not just big spikes. If you see anything suspicious, dispute it quickly and ask your provider to block international or premium SMS if you don’t need it.
Use a mobile protection app that blocks known malicious sites, like these domains involved in this campaign:
sweeffg[.]onlinecolnsdital[.]comzawsterris[.]commegaplaylive[.]comruelomamuy[.]com
![Malwarebytes blocks ruelomamuy[.]com](https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/04/ruelomamuycomblock.png)
Scammers know more about you than you think.
Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in.
Download for iOS → Download for Android →
