Fake CAPTCHA and Keitaro Fraud Campaigns Target Global SMS Infrastructure
Infoblox published research this week exposing a fraud operation that has been running quietly since June 2020, and most victims never find out. The ones who do discover it on their phone bill weeks after the fact, when the charges are difficult to dispute and the incident is long forgotten.
The delivery mechanism is a fake CAPTCHA box, the same “prove you’re human” interaction that appears on millions of legitimate websites every day. In one documented session, four CAPTCHA steps produced 60 outbound SMS messages to over 50 international destinations, all sent automatically from the victim’s own device (Internet Crime Complaint Center). The victim tapped through a verification process that looked completely routine while their phone did the rest.
This is not a new attack but it is a newly documented one
The fraud model behind this, known as International Revenue Share Fraud (IRSF), has existed for decades. Criminals lease phone numbers in countries with high SMS termination fees, including Azerbaijan, Kazakhstan, and premium-rate ranges across Europe. When a victim’s device sends a message to those numbers, their carrier pays a termination fee to the destination network and the fraudster collects a cut. Each session costs the victim around $30 (BleepingComputer), and scaled across thousands of daily victims it becomes straightforward and highly profitable.
What Infoblox researchers David Brunsdon and Darby Wise documented for the first time is the specific delivery mechanism: a sophisticated fake CAPTCHA interface that disguises the SMS-sending action as routine human verification. Users are repeatedly told to confirm they are human by sending SMS messages from their own phones, with each CAPTCHA step launching the device’s messaging app pre-filled with a long list of international numbers (The British Eye). There is a disclaimer at the bottom of the page, but it never mentions that dozens of paid international messages are about to be sent. International SMS charges typically appear on victims’ bills weeks later, long after the fake CAPTCHA experience has been forgotten (سايزا), which is precisely what makes this fraud so difficult to detect and dispute.
According to Telesign, IRSF losses have grown from $1.8 billion to $10.76 billion globally since 2013. This campaign is a direct contributor to that figure.
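As an added example (not from the Infoblox research or from this page), the Python code below shows how a crawler or URL-analysis pipeline could flag pages whose links open the messaging app with many recipients pre-filled. It assumes the pages use standard sms: links, which the article does not specify; the threshold and all sample numbers are constructed.

```python
import html
import re
from urllib.parse import unquote

# sms: / smsto: links as they appear in href attributes or inline script strings
SMS_URI = re.compile(r"\bsms(?:to)?:([^\s\"'<>]+)", re.IGNORECASE)
MAX_RECIPIENTS = 3  # assumed threshold; a genuine "text us" link has one recipient


def parse_sms_uri(target):
    """Return (recipients, has_body) for the text that follows 'sms:'."""
    # RFC 5724 puts the body after '?'; tolerate '&' as the delimiter too.
    parts = re.split(r"[?&]", target, maxsplit=1)
    recipients = []
    for raw in unquote(parts[0]).split(","):
        number = re.sub(r"[\s().-]", "", raw)
        if re.fullmatch(r"\+?\d{3,15}", number):
            recipients.append(number)
    has_body = len(parts) > 1 and "body=" in parts[1].lower()
    return recipients, has_body


def scan_page(page_source):
    """Summarise every sms: link in a page and flag multi-recipient ones."""
    findings = []
    for match in SMS_URI.finditer(html.unescape(page_source)):
        recipients, has_body = parse_sms_uri(match.group(1))
        unique = set(recipients)
        international = {n for n in unique if n.startswith(("+", "00"))}
        findings.append({
            "recipients": len(unique),
            "international": len(international),
            "prefilled_body": has_body,
            "suspicious": len(unique) > MAX_RECIPIENTS,
        })
    return findings


# Constructed sample: one ordinary contact link and one CAPTCHA-style step.
# All numbers are made-up placeholders, not indicators from the campaign.
SAMPLE = """
<a href="sms:+15550100?body=STOP">Text us</a>
<button onclick="location.href='sms:+9990000001,+9990000002,%2B9990000003,+9990000004,+9990000005&amp;body=VERIFY'">I am not a robot</button>
"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE):
        print(finding)
```
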
The infrastructure behind it is running 120 simultaneous campaigns
The fake CAPTCHA pages do not operate in isolation. They sit at the end of a traffic distribution system built on Keitaro, a legitimate commercial advertising tool that threat actors have repurposed as a geo-filtering router to direct victims toward different fraud schemes depending on their location, device type, and ISP.
More than 120 distinct campaigns abused Keitaro’s TDS for link delivery over four months between October 2025 and January 2026 (سايزا), and Infoblox customers recorded 226,000 DNS queries across 13,500 associated domains during that window. Users in the UK and US typically land on crypto fraud pages, with approximately 96% of Keitaro-linked spam traffic promoting cryptocurrency wallet-drainer schemes primarily via fake airdrop lures (سايزا) targeting Solana, Phantom wallet, and Jupiter users. Users in other markets receive the SMS scam instead, with both revenue streams running on the same underlying infrastructure.
Following responsible disclosure by Infoblox, Keitaro cancelled more than a dozen linked accounts, though the campaign continues to operate through others.
The threat is invisible from the inside
No endpoint alert fires when a user taps through a fake CAPTCHA, and no SIEM log captures the outbound SMS messages because the attack never touches your network. It uses the victim’s personal device, their carrier, and a billing system that takes weeks to surface the damage, which is what makes it so difficult for internal security monitoring to catch.
CybelAngel dark web monitoring identifies typosquatted domains impersonating your brand as they are registered, before they reach your customers. Our credential intelligence tracks employee and customer data circulating in the attacker databases that IRSF campaigns feed into.
