{"id":13360,"date":"2026-04-23T05:55:49","date_gmt":"2026-04-23T12:55:49","guid":{"rendered":"https:\/\/www.infoblox.com\/blog\/?p=13360"},"modified":"2026-04-23T07:10:17","modified_gmt":"2026-04-23T14:10:17","slug":"hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas\/","title":{"rendered":"Hold the Phone! International Revenue Share Fraud Driven by Fake CAPTCHAs"},"content":{"rendered":"<p><strong>Authors: David Brunsdon, Darby Wise<\/strong><\/p>\n<h3>Executive Summary<\/h3>\n<p>CAPTCHAs, the mundane tasks where we demonstrate our ability to select bicycles or distinguish chihuahuas from blueberry muffins, are increasingly being weaponized to trick users into performing actions with unexpected consequences. Fake CAPTCHAs are commonly associated with ClickFix attacks but have also been leveraged in other kinds of campaigns, including those we&#8217;ve documented in our blog on <a href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/inside-a-malicious-push-network-what-57m-logs-taught-us\/\">malicious push notifications<\/a>. One way we&#8217;ve observed fake CAPTCHA pages used in campaigns is related to a telecommunications fraud scheme known as international revenue share fraud (IRSF).<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/fake-captcha-image1-5.png\" alt=\"Image\"><\/p>\n<p>Over a year ago, we encountered a website employing an unusual technique for distinguishing humans from bot traffic: it required us to send SMS messages to proceed. Only more recently did we realize how these underreported scams work. 
When the user follows the instructions, the messages are sent internationally and result in charges on the victim&#8217;s phone bill, with a share of that revenue going to the actor who leases the phone numbers and operates the fake CAPTCHA site.<\/p>\n<p>Digging further, we found that this operation has existed since at least June 2020 and uses several tricks to ensnare victims, such as socially engineered lures and back button hijacking. During our research, we observed the use of 35 phone numbers spanning 17 countries, including those known to have high termination fees, such as Azerbaijan, Egypt, and Myanmar.<\/p>\n<p>The fake CAPTCHA has multiple steps, and each message crafted by the site is preconfigured with over a dozen phone numbers, meaning the victim isn&#8217;t charged for just a single message\u2014they&#8217;re charged for sending SMSs to over <strong>50 international destinations<\/strong>. This type of scam also benefits from delayed billing, as the &#8216;international SMS&#8217; charges often appear on the victim&#8217;s bill weeks later and the experience with the fake CAPTCHA has been long forgotten. In our experience, the process generated 60 SMS messages, which could cost a user $30; these are small amounts individually, but they could quickly add up for the threat actor.<\/p>\n<p>Our investigation revealed a sophisticated, multi-stage fraud operation that demonstrates the convergence of two critical threats: IRSF and malicious traffic distribution systems (TDSs). While telecom companies have long understood IRSF as a significant source of revenue loss, this research shows that TDS infrastructure, the same systems that direct users to scareware or malware, also funnels victims into SMS scams at scale. 
The TDS infrastructure enables precise victim targeting while obscuring the malicious landing pages from security researchers and automated detection systems.<\/p>\n<p>The campaigns also incorporate back button hijacking, wherein a site interferes with the browser\u2019s history and prevents users from returning to a previous &#8220;safe\u201d site when they hit the back button. Google <a href=\"https:\/\/developers.google.com\/search\/blog\/2026\/04\/back-button-hijacking\" target=\"_blank\">recently announced a ban<\/a> on the use of the technique, calling it a malicious practice.<\/p>\n<p>This operation defrauds both individuals and telecommunication carriers simultaneously. Individual victims face unexpected premium SMS charges on their bills and would have difficulty identifying and reporting the fraud when it originates from such an unexpected source. Telecom carriers pay revenue share to the perpetrators while likely absorbing the losses from customer disputes or chargebacks. The TDS-driven distribution across multiple countries and phone numbers makes it nearly impossible for an individual carrier to see the full scope of the fraud affecting themselves and their customers, thereby allowing the operation to persist undetected across a fragmented regulatory landscape.<\/p>\n<p>And so, unfortunately, it needs to be said: Do not send a text to confirm you are human.<\/p>\n<h3>On International Revenue Share Fraud<\/h3>\n<p>IRSF is a <a href=\"https:\/\/www.akamai.com\/blog\/security\/understanding-international-revenue-share-fraud\" target=\"_blank\">telecommunications fraud scheme<\/a> where criminals exploit the international call and SMS termination fee system to generate fraudulent revenue. When you send an international SMS, your carrier pays a termination fee to the destination country&#8217;s carrier to complete the connection, with rates that can cost pennies or much more, depending on the receiving country. 
In IRSF schemes, fraudsters register phone numbers in countries with high termination fees or lax regulations, like Azerbaijan, Kazakhstan, or certain premium-rate number ranges in Europe, and establish revenue-sharing agreements with local telecom providers.<\/p>\n<p>When victims are tricked into calling or sending SMS messages to these numbers, the fraudster receives a portion of the termination fee. IRSF is one of the most lucrative and persistent forms of telecom fraud globally. According to FTI Consulting&#8217;s 2025 <a href=\"https:\/\/contents.comms.delinian.com\/rs\/462-OQR-635\/images\/GLF%20Fraud%20Report%202025.pdf?version=0\" target=\"_blank\">Global Fraud Loss Report<\/a> for the Global Leaders Forum, artificially inflated traffic (AIT), which includes traffic generated through IRSF schemes, is the most financially damaging type of messaging fraud, with 50% of telecommunications carriers reporting high financial losses and 54% reporting high traffic volumes. With global fraud losses that are measured in billions annually, IRSF is a big deal.<\/p>\n<p>When encountering this scheme, the user will see a fake CAPTCHA and be prompted several times, with different CAPTCHA images, to send SMS messages. 
Figure 1 shows a partial sequence recorded on our research device in February 2025, and video of a full \u201cuser experience\u201d is <a href=\"https:\/\/youtu.be\/CMxO_ChUVkc\" target=\"_blank\">here<\/a>.<\/p>\n<div class=\"grid-container\">\n<div class=\"grid-item\">\n<img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/fake-captcha-figure1a.png\" alt=\"Figure 1a\">\n<\/div>\n<div class=\"grid-item\">\n<img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/fake-captcha-figure1b.png\" alt=\"Figure 1b\">\n<\/div>\n<\/div>\n<div class=\"grid-container\">\n<div class=\"grid-item\">\n<img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/fake-captcha-figure1c.png\" alt=\"Figure 1c\">\n<\/div>\n<div class=\"grid-item\">\n<img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/fake-captcha-figure1d.png\" alt=\"Figure 1d\">\n<\/div>\n<\/div>\n<p class=\"image-caption\">Figure 1. When a user encounters this IRSF actor, they will be taken through a series of fake CAPTCHAs, each requiring an SMS message to prove they are human. The images demonstrate a partial sequence of this experience. Source: Infoblox Threat Intel.<\/p>\n<h3>Traversing the TDS<\/h3>\n<p>When confronted with a fake CAPTCHA page, you might ask yourself, \u2018How did I get here?\u2019. The answer is, quite likely, a traffic distribution system (TDS). <em>Our regular readers will think: of course!<\/em><\/p>\n<p>In March 2026, we triggered this threat by visiting a lookalike domain to a major U.S. telecom company. From the lookalike domain, we were immediately redirected into a TDS (via <span class=\"code-format\">colnsdital[.]com<\/span>) and were then passed to <span class=\"code-format\">hotnow[.]sweeffg[.]online<\/span>, which we attribute with a high degree of confidence to a commercial TDS that is part of an affiliate advertising network based in Germany. 
From there, we were redirected to another TDS node, this one controlled by our SMS scam actor: <span class=\"code-format\">zawsterris[.]com<\/span>. In other words, the SMS scam actor is an advertising affiliate of the commercial TDS operator. We have not studied this affiliate network in depth, and we do not know if they are aware of the affiliates using their network for this kind of fraud.<\/p>\n<p>The next redirection was to the fake CAPTCHA page: <span class=\"code-format\">d[.]ruelomamuy[.]com<\/span>. After we completed the CAPTCHA process, the TDS sent us to <span class=\"code-format\">megaplaylive[.]com<\/span>, another actor-controlled domain hosting gaming and video content that seems benign on the surface but is capable of continuing the scam. This redirect chain is shown in Figure 2, with the final three steps in red showing domains controlled by this SMS actor.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/fake-captcha-figure2.png\" alt=\"Figure 2\"><\/p>\n<p class=\"image-caption\">Figure 2. Initial observed redirection chain leading to a fake CAPTCHA page hosted on d[.]ruelomamuy[.]com<\/p>\n<p>Several observations allowed us to associate the TDS node <span class=\"code-format\">zawsterris[.]com<\/span> with the SMS scam actor. The most notable one came through DNS: before hiding behind Cloudflare, <span class=\"code-format\">zawsterris[.]com<\/span> briefly resolved to an IP on AS15699 (Adam Ecotech), which is the same infrastructure we&#8217;d already linked to this SMS fraud campaign. 
Table 1 shows hosting and registration information for the domains used in this redirection chain.<\/p>\n<table>\n<tr>\n<td><strong>Domain<\/strong><\/td>\n<td><strong>Function<\/strong><\/td>\n<td><strong>IP ISP<\/strong><\/td>\n<td><strong>Registrar<\/strong><\/td>\n<td><strong>Attribution<\/strong><\/td>\n<\/tr>\n<tr>\n<td>&lt;telecom typosquat&gt;<\/td>\n<td>Entry point<\/td>\n<td>Digital Ocean<\/td>\n<td>Media Elite<\/td>\n<td>Unknown<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">colnsdital[.]com<\/span><\/td>\n<td>TDS node<\/td>\n<td>Hetzner<\/td>\n<td>Namesilo<\/td>\n<td>Unknown<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">hotnow[.]sweeffg[.]online<\/span><\/td>\n<td>TDS node<\/td>\n<td>Internap<\/td>\n<td>GoDaddy<\/td>\n<td>Commercial affiliate advertising network<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">zawsterris[.]com<\/span><\/td>\n<td>TDS node<\/td>\n<td>Cloudflare<\/td>\n<td>GoDaddy<\/td>\n<td>SMS scam actor<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">d[.]ruelomamuy[.]com<\/span><\/td>\n<td>Landing Page<\/td>\n<td>Cloudflare<\/td>\n<td>GoDaddy<\/td>\n<td>SMS scam actor<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">megaplaylive[.]com<\/span><\/td>\n<td>Landing Page<\/td>\n<td>Adam Ecotech<\/td>\n<td>GoDaddy<\/td>\n<td>SMS scam actor<\/td>\n<\/tr>\n<tr>\n<td colspan=\"5\">Table 1. Domains used in the redirection chain<\/td>\n<\/tr>\n<\/table>\n<p>To monetize traffic in a TDS, tracking information needs to be passed along, and these details are typically put into the URL. 
Table 2 shows the parameters we observed during the commercial TDS stage of the redirection chain, and Table 3 shows the parameters observed during the SMS scam portion.<\/p>\n<table>\n<tr>\n<td><strong>Campaign Parameter<\/strong><\/td>\n<td><strong>Value<\/strong><\/td>\n<\/tr>\n<tr>\n<td>utm_medium<\/td>\n<td>aa3e8d3009d94b9c89ac744b2be0687643493b0c<\/td>\n<\/tr>\n<tr>\n<td>utm_campaign<\/td>\n<td>sweeffg<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">Table 2. Commercial affiliate advertising network campaign parameters<\/td>\n<\/tr>\n<\/table>\n<table>\n<tr>\n<td><strong>SMS Scam Parameter<\/strong><\/td>\n<td><strong>Value<\/strong><\/td>\n<\/tr>\n<tr>\n<td>clientId<\/td>\n<td>254<\/td>\n<\/tr>\n<tr>\n<td>productId<\/td>\n<td>2001<\/td>\n<\/tr>\n<tr>\n<td>publisher_id<\/td>\n<td>23188&amp;MU1FFF<\/td>\n<\/tr>\n<tr>\n<td>af<\/td>\n<td>5002320649344840<\/td>\n<\/tr>\n<tr>\n<td>groupds<\/td>\n<td>166<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">Table 3. SMS scam campaign parameters<\/td>\n<\/tr>\n<\/table>\n<p>The <strong>productId<\/strong> parameter was particularly interesting, as the value of <strong>2001<\/strong> appears both here and in the cookie analysis as a value in the list of \u201cvalid_products.\u201d It implies that this landing page is one among many, and the campaign is much larger in scope than what we have observed.<\/p>\n<h3>Technical Overview<\/h3>\n<p>The fake CAPTCHA&#8217;s mechanics are straightforward but deceptive. It leverages social engineering by mimicking familiar verification tasks such as animal identification and text recognition, while hiding a crucial requirement: users must send an SMS message to proceed. This design funnels traffic to phone numbers distributed across 17 countries.<\/p>\n<p>The CAPTCHA\u2019s level of difficulty seems intentionally trivial. The fraud doesn&#8217;t depend on challenge complexity; it depends on SMS volume. 
Each of the multi-stage verification steps triggers a separate message to the server-designated numbers. The codebase handles both iOS and Android platforms through sophisticated server-side control, orchestrating each user action via command-and-control (C2) infrastructure. At a high level, the operation is as follows:<\/p>\n<ol class=\"list-spacing\">\n<li>User clicks any answer to a fake CAPTCHA question<\/li>\n<li>JavaScript calls <span class=\"code-format\">makeTrackerDownload.php<\/span> API endpoint<\/li>\n<li>Server returns phone numbers, SMS message, and control parameters<\/li>\n<li>JavaScript launches SMS app with pre-filled message and phone numbers<\/li>\n<li>After 5 seconds, JavaScript decides next action based on server instructions<\/li>\n<\/ol>\n<p>When the victim submits an answer to the fake CAPTCHA, their phone launches their messaging app with a preconfigured message and destinations comprising the entire list of phone numbers. The user would then just have to hit send. With four steps of CAPTCHA, and 15 numbers identified in this attempt, <strong>60 SMS messages in total are sent<\/strong>, maximizing the actor\u2019s revenue across multiple countries and carriers.<\/p>\n<p>There are four questions in the CAPTCHA process in step 1 above, which include asking for your device type (iOS or Android) and your network (3G, 4G, or WiFi). Each step triggers sending a message via SMS, which is prepopulated with the entire list of phone numbers received from the website. The DOM of the website also reveals the content of messages that are sent. 
Each message contains an {af}, for affiliate code, which is likely used to track the multiple campaigns that drive traffic to the site, and two contain {respuesta}, which is the answer for the question (\u201crespuesta\u201d is Spanish for response).<\/p>\n<p>From the code:<\/p>\n<ol class=\"list-spacing\">\n<li>sms1 = &#8220;I want to continue {af}&#8221;<\/li>\n<li>sms2 = &#8220;The option I choose is {respuesta} {af}&#8221;<\/li>\n<li>sms3 = &#8220;The option I choose is {respuesta} {af}&#8221;<\/li>\n<li>sms4 = &#8220;Im not bot im real user {af}&#8221;<\/li>\n<\/ol>\n<p>The control parameters mentioned in step 2 above allow dynamic updates to the operation to override default behavior. They include:<\/p>\n<ol class=\"list-spacing\" >\n<li style=\"list-style-type: lower-alpha;\">\u201cforceRedirectURL,\u201d which could function as either a kill-switch or a redirection to drive traffic to another page<\/li>\n<li style=\"list-style-type: lower-alpha;\">\u201cforceMessage,\u201d which allows operators to change the SMS message without updating the HTML; this could be used to adapt to carrier filtering or language localization, among other possibilities<\/li>\n<\/ol>\n<h4>Back Button Hijacking<\/h4>\n<p>In addition to SMS-based social engineering, this campaign employs a dedicated <a href=\"https:\/\/www.adsecure.com\/blog\/how-to-stop-back-button-hijack\" target=\"_blank\">back button hijacking<\/a> mechanism to trap users on the fake CAPTCHA pages and increase the likelihood of SMS interaction. The dedicated JavaScript (see Figure 3), first observed in this campaign in January 2023, manipulates the user\u2019s browser history using the pushState() method, effectively neutralizing the browser\u2019s back button. When a user attempts to navigate away from the page via the back button, the script pushes the current page URL onto the history stack, logs the action to a server-side endpoint, and redirects the user back to the fake CAPTCHA page. 
This creates a navigation loop preventing the user from leaving the page without fully exiting the browser.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/fake-captcha-figure3.png\" alt=\"Figure 3\"><\/p>\n<p class=\"image-caption\">Figure 3. JavaScript for back button hijacking<\/p>\n<p>Typically, the backlinkURL is the same as the URL the user is already on; however, in some cases, the value of the variable is set to a different URL hosting the same kind of scam page. Figure 4 shows an example for <span class=\"code-format\">d[.]herbosfinx[.]com<\/span>. If a user in this case were to hit the back button, they would be redirected to a new CAPTCHA hosted on <span class=\"code-format\">d[.]santafebuno[.]top<\/span>.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/fake-captcha-figure4.png\" alt=\"Figure 4\"><\/p>\n<p class=\"image-caption\">Figure 4. Code with backlink and log URL for d[.]herbosfinx[.]com. Source: <a href=\"https:\/\/urlscan.io\/result\/019991d4-e4bb-773f-917e-0df8a7529e1c\" target=\"_blank\"><strong>urlscan.io<\/strong><\/a> <\/p>\n<h3>Terms of Service<\/h3>\n<p>The operators of the scam aren\u2019t without their attempts at plausible deniability. At the bottom of the CAPTCHA pages is a form of legal fine print we often see with scams that attempt to deflect responsibility for the operation.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/fake-captcha-image1-5.png\" alt=\"Figure 5\"><\/p>\n<p class=\"image-caption\">Figure 5. Text at the bottom of the CAPTCHA page<\/p>\n<p>The disclaimer frames the CAPTCHA as a service exchange, then places the burden onto the victim to research pricing of international SMS. It does not state that there will be multiple SMS messages sent to over a dozen international destinations. 
The costs for the unreasonable number of SMS messages will be extraordinarily high due to the actor\u2019s curation of the most expensive destinations to increase their return. This type of disclaimer is not a disclosure: it\u2019s misdirection from the fact that the entire CAPTCHA process is fake.<\/p>\n<h3>Phone Number Analysis<\/h3>\n<p>The website\u2019s DOM reveals how to retrieve the phone numbers used to drive the scam. Using a GET request observed in the code, we can craft a simple curl command to query the server and retrieve the phone numbers. Additionally, nested in the response is a key, \u201curlContent,\u201d which contains the destination to redirect the victim to, bundled with a base64 string within the URL. In our example, the decoded string contains 20 additional phone numbers, which after the completion of the CAPTCHA process, were passed within the redirection to the <span class=\"code-format\">megaplaylive[.]com<\/span> domain.<\/p>\n<h4>Example curl command (safelinked, complete numbers redacted):<\/h4>\n<p><span class=\"code-format\">curl -s &#8216;https:\/\/d[.]ruelomamuy[.]com\/makeTrackerDownload.php?a=WEBSMS&amp;s=5002320649344849&amp;c=US&amp;groupds=138&amp;caf=5002320649344849&amp;origSms=I%20want%20to%20continue%205002320649344849&amp;step=9&#8217; | jq .<\/span><\/p>\n<h4>Response (safelinked):<\/h4>\n<p><span class=\"code-format\">{<br \/>\n  &#8220;phoneNumbers&#8221;: &#8220;+9947764824XX;+31970391393XX;+31970391383XX;+4473560342XX;+2652229761XX;+324802180XX;+337576670XX;+417846132XX;+9592636943XX;+316352451XX;+324640995XX;+3937803063XX;+487802079XX;+9051026608XX;+347007503XX&#8221;,<br \/>\n  &#8220;os&#8221;: null,<br \/>\n  &#8220;urlContent&#8221;: 
&#8220;http:\/\/megaplaylive[.]com\/?enc=eyJwaG9uZU51bWJlcnMiOlsiKzIwMTAwNTc5NzQ1MiIsIisyMDEwMDQ5MzkxNzgiLCIrMjAxMDA1Nzk2Mzg5IiwiKzIwMTAwNDk1MTYyNiIsIisyMDEwMDU4MDMzNzkiLCIrMjAxMDA2MzQ4ODc5IiwiKzIwMTAwNDkzOTE0NSIsIisyMDEwMDUyMDk2NzYiLCIrMjAxMDA2MzQzOTk3IiwiKzIwMTAwNjM1MzY5MyIsIisyMDEwMDk0MDg1ODQiLCIrMjAxMDA1Nzk2Mzk5IiwiKzM4MDkyNzg4NTQ2MiIsIiszODA5MjI0MTg0MDQiLCIrNDQ3NDkwOTIwODEwIiwiKzQ2NzY2NzQ2NDUxIiwiKzQzNjcwMzA2ODEwNyIsIis3NzkwNTAwMDIyNSIsIiszMjQ2NzQ0MDQyNyIsIis0NDc4NDg1MDk0NDgiXSwiYWYiOiI1MDAyMzIwNjQ5MzQ0ODQ5IiwiZGV2IjpudWxsLCJ0eXBlIjoiZ2FtZXMiLCJsYW5nIjoiZW4iLCJsb2FkZXIiOmZhbHNlLCJjaWQiOm51bGwsInBpZCI6bnVsbH0=&#8221;,<br \/>\n  &#8220;codeAF&#8221;: &#8220;lfzmfSzw&#8221;<br \/>\n}<\/span><\/p>\n<p>From these commands we have two tiers of phone number lists. One is used in the CAPTCHA scheme (see Table 4), and the other is passed onwards to the \u2018game\u2019 site <span class=\"code-format\">megaplaylive[.]com<\/span> (Table 5).<\/p>\n<p>The phone numbers illustrate a global range of SMS destinations, spanning seventeen countries, including many locations known for having higher than average termination fees, such as the Netherlands, Myanmar, and Azerbaijan.<\/p>\n<h4>15 Tier 1 Phone Numbers (from a single fake 
CAPTCHA)<\/h4>\n<table>\n<tr>\n<td><strong>Number<\/strong><\/td>\n<td><strong>Country<\/strong><\/td>\n<td><strong>Code<\/strong><\/td>\n<\/tr>\n<tr>\n<td>9947764824XX<\/td>\n<td>Azerbaijan<\/td>\n<td>+994<\/td>\n<\/tr>\n<tr>\n<td>31970391393XX<\/td>\n<td>Netherlands<\/td>\n<td>+31<\/td>\n<\/tr>\n<tr>\n<td>31970391383XX<\/td>\n<td>Netherlands<\/td>\n<td>+31<\/td>\n<\/tr>\n<tr>\n<td>4473560342XX<\/td>\n<td>UK<\/td>\n<td>+44<\/td>\n<\/tr>\n<tr>\n<td>2652229761XX<\/td>\n<td>Malawi<\/td>\n<td>+265<\/td>\n<\/tr>\n<tr>\n<td>324802180XX<\/td>\n<td>Belgium<\/td>\n<td>+32<\/td>\n<\/tr>\n<tr>\n<td>337576670XX<\/td>\n<td>France<\/td>\n<td>+33<\/td>\n<\/tr>\n<tr>\n<td>417846132XX<\/td>\n<td>Switzerland<\/td>\n<td>+41<\/td>\n<\/tr>\n<tr>\n<td>9592636943XX<\/td>\n<td>Myanmar<\/td>\n<td>+95<\/td>\n<\/tr>\n<tr>\n<td>316352451XX<\/td>\n<td>Netherlands<\/td>\n<td>+31<\/td>\n<\/tr>\n<tr>\n<td>324640995XX<\/td>\n<td>Belgium<\/td>\n<td>+32<\/td>\n<\/tr>\n<tr>\n<td>3937803063XX<\/td>\n<td>Italy<\/td>\n<td>+39<\/td>\n<\/tr>\n<tr>\n<td>487802079XX<\/td>\n<td>Poland<\/td>\n<td>+48<\/td>\n<\/tr>\n<tr>\n<td>9051026608XX<\/td>\n<td>Turkey<\/td>\n<td>+90<\/td>\n<\/tr>\n<tr>\n<td>347007503XX<\/td>\n<td>Spain<\/td>\n<td>+34<\/td>\n<\/tr>\n<tr>\n<td colspan=\"3\">Table 4. 
List of phone numbers used in CAPTCHA scheme<\/td>\n<\/tr>\n<\/table>\n<h4>20 Tier 2 Phone Numbers (passed to <span class=\"code-format\">megaplaylive[.]com<\/span>)<\/h4>\n<table>\n<tr>\n<td><strong>Number<\/strong><\/td>\n<td><strong>Country<\/strong><\/td>\n<td><strong>Code<\/strong><\/td>\n<\/tr>\n<tr>\n<td>2010057974XX<\/td>\n<td>Egypt<\/td>\n<td>+20<\/td>\n<\/tr>\n<tr>\n<td>2010049391XX<\/td>\n<td>Egypt<\/td>\n<td>+20<\/td>\n<\/tr>\n<tr>\n<td>2010057963XX<\/td>\n<td>Egypt<\/td>\n<td>+20<\/td>\n<\/tr>\n<tr>\n<td>2010049516XX<\/td>\n<td>Egypt<\/td>\n<td>+20<\/td>\n<\/tr>\n<tr>\n<td>2010058033XX<\/td>\n<td>Egypt<\/td>\n<td>+20<\/td>\n<\/tr>\n<tr>\n<td>2010063488XX<\/td>\n<td>Egypt<\/td>\n<td>+20<\/td>\n<\/tr>\n<tr>\n<td>2010049391XX<\/td>\n<td>Egypt<\/td>\n<td>+20<\/td>\n<\/tr>\n<tr>\n<td>2010052096XX<\/td>\n<td>Egypt<\/td>\n<td>+20<\/td>\n<\/tr>\n<tr>\n<td>2010063439XX<\/td>\n<td>Egypt<\/td>\n<td>+20<\/td>\n<\/tr>\n<tr>\n<td>2010063536XX<\/td>\n<td>Egypt<\/td>\n<td>+20<\/td>\n<\/tr>\n<tr>\n<td>2010094085XX<\/td>\n<td>Egypt<\/td>\n<td>+20<\/td>\n<\/tr>\n<tr>\n<td>2010057963XX<\/td>\n<td>Egypt<\/td>\n<td>+20<\/td>\n<\/tr>\n<tr>\n<td>3809278854XX<\/td>\n<td>Ukraine<\/td>\n<td>+380<\/td>\n<\/tr>\n<tr>\n<td>3809224184XX<\/td>\n<td>Ukraine<\/td>\n<td>+380<\/td>\n<\/tr>\n<tr>\n<td>4474909208XX<\/td>\n<td>UK<\/td>\n<td>+44<\/td>\n<\/tr>\n<tr>\n<td>467667464XX<\/td>\n<td>Sweden<\/td>\n<td>+46<\/td>\n<\/tr>\n<tr>\n<td>4367030681XX<\/td>\n<td>Austria<\/td>\n<td>+43<\/td>\n<\/tr>\n<tr>\n<td>779050002XX<\/td>\n<td>Kazakhstan<\/td>\n<td>+7<\/td>\n<\/tr>\n<tr>\n<td>324674404XX<\/td>\n<td>Belgium<\/td>\n<td>+32<\/td>\n<\/tr>\n<tr>\n<td>4478485094XX<\/td>\n<td>UK<\/td>\n<td>+44<\/td>\n<\/tr>\n<tr>\n<td colspan=\"3\">Table 5. 
Phone numbers passed to game site<\/td>\n<\/tr>\n<\/table>\n<p>After completing the fake CAPTCHA, the victim is redirected to <span class=\"code-format\">megaplaylive[.]com<\/span>, which seems to only exist for the purpose of this operation and, like many of the domains mentioned in this article, is hosted on AS15699 (Adam EcoTech). As demonstrated with URLScan, the <a href=\"https:\/\/urlscan.io\/result\/019d01e7-275f-7628-a491-dcf15282e92f\/\" target=\"_blank\">page cannot be accessed directly<\/a> by visiting the second-level domain (SLD) <span class=\"code-format\">megaplaylive[.]com<\/span>. We observed an example of the fake CAPTCHA process leading to <span class=\"code-format\">megaplaylive[.]com<\/span> on the <a href=\"https:\/\/app.any.run\/tasks\/03bf3208-4d46-4b9c-858b-d07eff62653f\" target=\"_blank\">online sandbox tool ANY.RUN.<\/a><\/p>\n<p>It wasn\u2019t until we researched the domain thoroughly that we uncovered the \u2018contentType\u2019 parameter, which, when set to \u2018sexy\u2019, revealed the continuation of the SMS scam. With the correct settings, we could access a page where the code demonstrated how each click of \u2018play\u2019 on an adult video would launch another SMS message configured with 20 international recipients. The \u2018sexy\u2019 (their word) version of megaplaylive loads <a href=\"https:\/\/urlscan.io\/result\/019d02cc-f1bc-726a-a0ef-fd966a8f9fd0\/dom\/\" target=\"_blank\">JavaScript<\/a> that controls this portion of the operation.<\/p>\n<h3>DNS Patterns<\/h3>\n<p>The actor hosts the fake CAPTCHA pages in this campaign on both SLDs and various subdomains of these SLDs. SLDs can vary, but most follow one of two patterns shown in Table 6. 
Subdomains include <span class=\"code-format\">cd<\/span>, <span class=\"code-format\">chat<\/span>, <span class=\"code-format\">click<\/span>, <span class=\"code-format\">d<\/span>, <span class=\"code-format\">r<\/span>, <span class=\"code-format\">raffles<\/span>, <span class=\"code-format\">v<\/span>, <span class=\"code-format\">vids<\/span>, etc., with <span class=\"code-format\">d<\/span> and <span class=\"code-format\">r<\/span> used most frequently.<\/p>\n<table>\n<tr>\n<td><strong>Domain Pattern<\/strong><\/td>\n<td><strong>Examples<\/strong><\/td>\n<\/tr>\n<tr>\n<td>RDGA-generated domains featuring repeated words\/strings (typically used in two or three domains) mixed with other random words or characters<\/td>\n<td>panzo<strong>zerrot<\/strong>[.]com \/ <strong>zerrot<\/strong>mamil[.]com<br \/>\n  remotes<strong>buffalo<\/strong>[.]top \/ <strong>buffalo<\/strong>solpe[.]top<br \/>\n  vister<strong>transit<\/strong>[.]com \/ <strong>transit<\/strong>caxip[.]com<br \/>\n  fufe<strong>carrol<\/strong>[.]top \/ <strong>carrol<\/strong>vassin[.]top<\/td>\n<\/tr>\n<tr>\n<td>Domains\/subdomains featuring content themes, e.g., win, chat, tips, vids.<\/td>\n<td><span class=\"code-format\">vids[.]chatorizon[.]com<\/span><br \/>\n  <span class=\"code-format\">chat[.]matchnewtoday[.]com<\/span><br \/>\n  <span class=\"code-format\">claimandwins[.]com<\/span><br \/>\n  <span class=\"code-format\">4lifetips[.]com<\/span><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">Table 6. Domain patterns used in CAPTCHA campaign<\/td>\n<\/tr>\n<\/table>\n<p>DNS analysis shows most domains and subdomains used in this campaign have consistently resolved to a small set of dedicated IP addresses on an ASN based in Spain (AS15699 Adam EcoTech, S.A.) since the first observed CAPTCHA page in June 2020.<\/p>\n<p>Domains are registered using NameSilo or GoDaddy and use DNS Made Easy (DME) and DigiCert nameservers. Some domains following the web content theme (chat, tips, giveaway, etc.) 
have been seen using dedicated name servers.<\/p>\n<p>During this investigation, we repeatedly observed references to an affiliate advertising network based in Europe. We have not studied this company in depth, and we do not know if they are aware of the use of their network for IRSF fraud. The company\u2019s website claims they are \u201cthe greatest company for Click2SMS\u201d and that they offer carrier billing with \u201call kinds of traffic allowed.\u201d Click2SMS is an affiliate marketing model that generates revenue through carrier billing by prompting mobile users to send an SMS message to a designated number(s) through a single click. Based on the name servers and other technical supporting information, we are confident that the threat actor we observed is an affiliate of this Click2SMS network.<\/p>\n<p>Mentions of the company name and Click2SMS can be seen in website code, in registration and hosting information for some of the domains, and even in dedicated cookies these domains use for tracking. The company\u2019s origins are also similar to many other elements in this campaign, including the language of the code, as well as the IP space used to host the CAPTCHA pages and the nameservers of the gaming\/adult content domains.<\/p>\n<p>The company was referenced in the <span class=\"code-format\">megaplaylive[.]com<\/span> website code related to the push notification service it employs. For years, Infoblox Threat Intel has reported on cases where actors use push notifications to establish persistence on a victim\u2019s device, and that is again likely the case here. 
If a victim were to allow push notifications, the operator of the service would gain the ability to drive notifications to the device, directing the victim to return to the site for new content, or send them elsewhere to other scams.<\/p>\n<h3>Cookie Analysis<\/h3>\n<p>Similar to other adtech and TDS operations, this campaign relies heavily on browser cookies to track user and campaign attributes, as well as dynamically control traffic flow. These cookies store contextual information such as user geolocation, language, internet service provider (ISP), etc. Additional cookie values track progression through the multi-stage verification flow, enforce step limits, and even set a rate of probable success of the campaign, allowing operators to filter non-optimal users. The fake CAPTCHA pages have set the same three to four seemingly dedicated tracking cookies since the beginning of this campaign in June 2020, including cookies mentioning tracking and <span class=\"code-format\">c2s<\/span>, likely referring to Click2SMS. 
Table 7 below shows an example of one of the decoded cookie values.<\/p>\n<div style=\"border: 1px solid;margin-bottom:20px;\">\n<div style=\"margin: 20px;\">\n<span class=\"code-format\">{\"isp\":\"&lt;redacted&gt;\",usa\",\"country\":\"US\",\"lang\":\"en\",\"clientId\":\"248\",\"operator\":\"&lt;redacted&gt;\",\"action\":null,\"valid_products\":[1414,1415,1416,1417,1418,1422,2841,2842,2843,1732,1896,1897,2822,2823,2834,1898,1899,1904,2563,1870,1981,1831,1814,2791,2798,2793,2800,2661,2666,1907,2665,2670,2790,2797,2845,2664,2669,2663,2668,2794,2801,2792,2799,1676,2795,2802,2796,2803,1829,1815,2662,2667,1847,1722,1738,1749,1748,1874,1843,1724,1827,1718,1872,1913,1970,2807,2812,2805,2810,2804,2809,1717,2024,2806,2811,2816,2808,2813,1727,2838,1909,1825,1750,2562,1849,1721,1863,1747,1853,1720,1971,1768,1767,1857,1855,2774,1902,2829,2828,1697,1763,1839,1764,1845,1723,2839,1968,1972,1769,1716,1728,2781,1726,1725,1835,1711,1851,1719,1841,1741,2780,1911,2001,1861,1859,1837,1733,1715,1900,1766,2833,1823,1821,2840,1765,1964,1963,1890,1889,1892,1891,1680,1967,1966,2509,2508,1868,2510,2513,1866,1975,2511,2514,2512,2515,1710,2771,2772,2773,2827,2824,2826,2825,1713,1714,1983,1969,1988,2071,1658,1657,1977,1591,1592,1593,1594,1595,1596,1974,1997,1752,1411,1706,1701,1665,1405,1404,1406,1503,1502,1504,1505,1908,1943,1942,1702,1547,1635,1627,1628,1629,1630,1631,1632,1633,1675,1941,1940,1906,2609,1616,1744,1705,1672,1667,2072,1699,1673,1599,1481,2250,1651,1662,1650,1654,1656,1655,1647,1648,1649,1660,1663,2028,1668,1666,1408,1407,1409,2023,1597,1659,1559,2070,1598,1536,1540,1652,1653,1901,1987,1637,1674,1537,1538,1539,1961,1413,1420,1421,1412,1499,1679,1696,1483,1661,1579,1484,1570,1553,1581,1490,1546,1580,1485,1550,1569,1486,1541,1712,1833,1803,1482,1636,1487,1551,1556,1568,1535,1488,1554,1552,1555,1489,1340,1460,1366,1367,1368,1341,1342,1449,1450,1451,1369,1370,1371,1372,1373,1425,1423,1424,1343,1344,1345,1354,1617,1626,1618,1619,1620,1621,1622,1623,1624,1625,1664,2002],\"invalid_product\":null,\"successRate\":0}<\/span><\/p>\n<p style=\"border-top: 1px solid black;padding-top: 10px;margin-top: 10px;\">Table 7. Decoded cookie value set by <span class=\"code-format\">d[.]marraheltin[.]com<\/span><\/p>\n<\/div>\n<\/div>\n<p>We observed the fake CAPTCHA page\u2019s client-side code actively using the success rate value stored in the cookie to determine the user\u2019s next action based on their suitability for the campaign, as shown in Figure 6.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/fake-captcha-figure6.png\" alt=\"Figure 6\"><\/p>\n<p class=\"image-caption\">Figure 6. Code used to redirect non-targeted users to other fake CAPTCHA pages<\/p>\n<p>When the user is on the first step of the CAPTCHA flow, the code evaluates a pre-calculated successRate value stored in the cookie containing data on the user. If the user is deemed a non-ideal candidate for the campaign, the page redirects them to an alternate URL defined by the externOffer variable, which points to a new fake CAPTCHA page. The differences in hosting and registration patterns of the SLDs set in the externOffer variables, along with stylistic differences in the CAPTCHA pages, indicate these may be part of a separate campaign or controlled by a different actor. Figure 7 shows an example of these new pages impersonating Lush, a legitimate cosmetics company (don\u2019t miss the time-pressure tactic: don\u2019t let robots claim the bath bomb\u2014complete the form!). 
The externOffer value for this page is set to:<\/p>\n<p><span class=\"code-format\">hXXps:\/\/verifysuper[.]com\/cl\/i\/wopmej?aff_sub4=5002320649344849&amp;aff_sub5=US<\/span><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/fake-captcha-figure7.png\" alt=\"Figure 7\"><\/p>\n<p class=\"image-caption\">Figure 7. externOffer fake CAPTCHA page impersonating Lush Cosmetics and hosted on verifysuper[.]com. Source: <a href=\"https:\/\/urlscan.io\/result\/019ce93d-286c-7498-853a-519b7cfc2361\/\" target=\"_blank\"><strong>urlscan.io<\/strong><\/a><\/p>\n<h3>SMS: Another Drop in the Scam Bucket<\/h3>\n<p>This research represents one operation we were able to thoroughly document; however, the history of the domains, the application of affiliate codes, and international telecom and TDS infrastructure suggest that it is not unique, but rather part of a broader ecosystem. A visit to a typosquat domain of a major telecom brand originally initiated this investigation and led us to an international revenue sharing fraud scheme that seems to have gone underreported for years, one that creates victims of both individuals and telecoms. Our findings here add to our years of research showing that the malicious use of TDSs is one of the most significant threats on the internet today, and bring attention to a new lesson: avoiding pop-ups, spoofed pages, and compromised sites isn\u2019t enough to stay safe. Don\u2019t send texts to confirm you are human either.<\/p>\n<h3>Indicators<\/h3>\n<p>A curated selection of indicators related to the threats discussed can be seen in the table below. 
A more comprehensive list of indicators can be found in our <a href=\"https:\/\/github.com\/infobloxopen\/threat-intelligence\" target=\"_blank\">GitHub repository<\/a>.<\/p>\n<p><em>Note: Some domains\/hostnames listed below may no longer be active or used in this campaign.<\/em><\/p>\n<table>\n<tr>\n<td><strong>Indicators<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">colnsdital[.]com<\/span><\/td>\n<td>TDS domain leading to fake CAPTCHA page<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">hotnow[.]sweeffg[.]online<\/span><\/td>\n<td>Commercial TDS hostname<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">zawsterris[.]com<\/span><\/td>\n<td>SMS-actor controlled TDS domain<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">megaplaylive[.]com<\/span><br \/><span class=\"code-format\">chat[.]matchnewtoday[.]com<\/span><br \/><span class=\"code-format\">vids[.]chatorizon[.]com<\/span><\/td>\n<td>SMS actor-controlled domains hosting fake gaming, chat, and video content<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">d[.]fufecarrol[.]top<\/span><br \/><span class=\"code-format\">d[.]herbosfinx[.]com<\/span><br \/><span class=\"code-format\">d[.]marraheltin[.]com<\/span><br \/><span class=\"code-format\">d[.]panzozerrot[.]com<\/span><br \/><span class=\"code-format\">d[.]remotesbuffalo[.]top<\/span><br \/><span class=\"code-format\">d[.]ruelomamuy[.]com<\/span><br \/><span class=\"code-format\">d[.]santafebuno[.]top<\/span><br \/><span class=\"code-format\">d[.]vistertransit[.]com<\/span><br \/><span class=\"code-format\">d[.]zerrotmamil[.]com<\/span><br \/><span class=\"code-format\">r[.]buffalosolpe[.]top<\/span><br \/><span class=\"code-format\">r[.]carrolvassin[.]top<\/span><br \/><span class=\"code-format\">r[.]transitcaxip[.]com<\/span><\/td>\n<td>SMS actor-controlled domains actively hosting fake CAPTCHA pages<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">claimandwins[.]com 
4lifetips[.]com<\/span><\/td>\n<td>Domains hosting older versions of the fake CAPTCHA\/download pages<\/td>\n<\/tr>\n<tr>\n<td><span class=\"code-format\">verifysuper[.]com<\/span><\/td>\n<td>externOffer domain hosting fake CAPTCHA pages<\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Authors: David Brunsdon, Darby Wise Executive Summary CAPTCHAs, the mundane tasks where we demonstrate our ability to select bicycles or distinguish chihuahuas from blueberry muffins, are increasingly being weaponized to trick users into performing actions with unexpected consequences. 
Fake CAPTCHAs are commonly associated with ClickFix attacks but have also been leveraged in other kinds of [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":13361,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[1672,1673,1346,1082,902,1674,1675,1676,1105,930,30,16],"class_list":{"0":"post-13360","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-fake-captchas","9":"tag-irsf","10":"tag-fraud","11":"tag-traffic-distribution-system","12":"tag-tds","13":"tag-telecommunications-fraud","14":"tag-sms","15":"tag-social-engineering","16":"tag-threat-actors","17":"tag-cybercrime","18":"tag-dns","19":"tag-infoblox","20":"entry"},"acf":[]}