Last updated: May 14, 2026 at 10:49 AM UTC
Tag: sms-fraud (1 article)

Telecom fraud campaign uses fake CAPTCHAs to trick people into sending SMS to premium-rate numbers in 17 countries - 50+ international charges per victim

Infoblox documented a telecom fraud campaign active since June 2020 that uses fake CAPTCHA verification pages to trick mobile users into sending SMS to premium-rate numbers, racking up dozens of international charges per victim. The operation runs across 35 phone numbers in 17 countries with high-fee destinations like Azerbaijan and Kazakhstan. Each fake CAPTCHA pre-populates the SMS field with a dozen recipients - so one tap charges the victim for 50+ international texts. Charges show up on bills weeks later, long after the fake CAPTCHA is forgotten. A separate finding: 120+ campaigns abusing the legitimate Keitaro traffic-distribution tool to route victims into the same scams plus crypto wallet-drainers.

Check
Brief mobile-using staff that any 'CAPTCHA' asking them to send a text message is a scam, regardless of what brand or service the page claims to represent.
Affected
Mobile users in any region, particularly those who hit ad-tracker links from social media (Facebook ads were a primary entry point in the Keitaro variant). Corporate phones with international SMS allowed by default are at acute risk because charges may not appear until the next monthly bill cycle and may run into thousands of dollars.
Fix
On corporate mobile fleets, disable international SMS by default and enable only on request with a documented business reason - this stops the fraud at the carrier level. Audit recent corporate-phone bills for unexpected international SMS charges. Brief staff that real CAPTCHAs never ask for an SMS. Block known Keitaro TDS domains at the corporate DNS resolver.
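
The bill audit described under Fix, as an added example that is not code from Infoblox or from this page: it flags any device that sent international SMS to several distinct recipients within a short window, which is the pattern a pre-populated multi-recipient message leaves on a bill. The CSV column names, the `+1` home prefix, the two-minute window and the five-recipient threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a carrier billing export (column names are assumptions).
# Device ...0101 sends 12 international SMS within 12 seconds, plus one domestic SMS;
# device ...0102 sends a single international SMS.
SAMPLE_BILL = "device,timestamp,type,destination,charge\n" + "".join(
    f"+12025550101,2026-04-02T09:14:{s:02d},SMS,+99400000{s:04d},0.75\n" for s in range(12)
) + (
    "+12025550101,2026-04-02T09:30:00,SMS,+12025550199,0.00\n"
    "+12025550102,2026-04-03T11:00:00,SMS,+77000000001,0.75\n"
)

def flag_sms_bursts(bill_csv, home_prefix="+1",
                    window=timedelta(minutes=2), min_recipients=5):
    """Return (device, burst_start, distinct_recipients, total_charge) per burst."""
    by_device = defaultdict(list)
    for row in csv.DictReader(io.StringIO(bill_csv)):
        # Only international SMS matter; skip calls, data and domestic texts.
        if row["type"] != "SMS" or row["destination"].startswith(home_prefix):
            continue
        by_device[row["device"]].append(
            (datetime.fromisoformat(row["timestamp"]), row["destination"], float(row["charge"])))
    findings = []
    for device, events in by_device.items():
        events.sort()
        i = 0
        while i < len(events):
            # Grow the burst while the next SMS falls inside the window from its start.
            j = i
            while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
                j += 1
            burst = events[i:j + 1]
            recipients = {dest for _, dest, _ in burst}
            if len(recipients) >= min_recipients:
                total = round(sum(charge for _, _, charge in burst), 2)
                findings.append((device, burst[0][0], len(recipients), total))
            i = j + 1
    return findings

if __name__ == "__main__":
    for device, start, count, total in flag_sms_bursts(SAMPLE_BILL):
        print(f"{device}: {count} international recipients from {start}, charged {total}")
```

A single international text, such as the one from the second device in the sample, stays below the threshold and is not reported, so legitimate occasional use does not drown the findings.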