Executive Summary
This report explains how a coordinated fraud operation uses fake CAPTCHA pages to generate international revenue share fraud (IRSF) by forcing users to send bulk SMS messages to phone numbers across multiple high‑fee countries. The scheme is executed through a traffic distribution system (TDS) that delivers victims to the fake CAPTCHA, then to a secondary landing page that continues the SMS spam chain. The operation relies on social engineering, back button hijacking, and a sophisticated command‑and‑control system that dynamically updates phone numbers and messages.
How the Attack Works
The fraud begins when a victim clicks a link that appears to belong to a legitimate telecommunications brand. A lookalike domain immediately redirects the browser into a TDS network. The TDS passes the victim through a series of intermediary nodes, each adding tracking parameters, until the final node hosts a fake CAPTCHA page. The CAPTCHA is designed to look legitimate: it asks the user to identify common objects, such as bicycles or chihuahuas, and to select the correct image. However, each answer triggers a JavaScript routine that automatically opens the device’s messaging app with a pre‑filled SMS. The message contains a list of phone numbers that span 17 countries and a short affiliate tag.
The user is not warned that a single action will send dozens of messages. In practice, a single CAPTCHA step can generate between 10 and 15 SMS messages. Most observed campaigns require four steps, resulting in 60 messages sent in total. The victims receive heavy international termination fees on their phone bills weeks after the fact, often unaware that the charges originated from a fake verification page.
Back Button Hijacking
To keep users from leaving the page, the script hijacks the browser’s back button. It uses the pushState API to insert the current URL into the history stack and redirects the user back to the same page if they attempt to navigate away. This loop is invisible to the victim and increases the likelihood that they will submit the CAPTCHA and trigger the SMS cascade.
Traffic Distribution System (TDS) Involvement
Traffic enters the fraud chain via a commercial TDS operated by a European affiliate advertising network. The network uses standard tracking parameters (utm_medium, utm_campaign) to attribute traffic. Once the user reaches the SMS actor’s node, the TDS passes along a new set of parameters (clientId, productId, publisher_id) that identify the specific campaign. The actor’s domain is hosted on a CDN with a well‑known ASN, making it difficult for security analysts to attribute the fraud to a single organization.
Phone Numbers and Destinations
The fake CAPTCHA delivers a list of 15 phone numbers for the first stage of the campaign. These numbers cover high‑fee destinations such as Azerbaijan (+994), the Netherlands (+31), the UK (+44), Malta (+354), and Myanmar (+95). After the CAPTCHA, a second list of 20 numbers is passed to a secondary landing page. This list contains Egyptian numbers (+20), Ukrainian numbers (+380), and additional high‑fee destinations. The use of premium-rate numbers in these countries ensures that each message generates significant revenue for the fraudster.
Technical Overview
The JavaScript that controls the CAPTCHA flow follows a simple state machine:
- Click a CAPTCHA answer → trigger sendSMS()
- sendSMS() calls an API endpoint that returns the list of numbers and the message template
- JavaScript constructs the SMS body and opens the messaging app with the list of recipients
- After a delay, the script determines the next step based on server instructions
The script also checks a cookie that stores the user’s success rate. If the rate is below a threshold, the user is redirected to an alternate CAPTCHA hosted on a domain that mimics a legitimate cosmetics brand. This diversification allows the fraudster to target a broader audience while maintaining a low profile.
Indicators of Compromise
Below are key indicators that security analysts should monitor:
- Domains: colnsdital[.]com, hotnow[.]sweeffg[.]online, zawsterris[.]com, megaplaylive[.]com
- Phone numbers: any number with prefixes +20, +31, +44, +90, +95, +380
- Tracking parameters: clientId, productId=2001, publisher_id, af
- Back button hijacking script pattern (pushState usage)
Recommendations for Detection and Mitigation
- Block known TDS domains in firewall and DNS filtering solutions. Use threat intelligence feeds that publish the domains listed above.
- Detect bulk SMS activity by monitoring outgoing SMS logs. Alerts should trigger when a single user sends more than 10 messages within a short timeframe.
- Implement web filtering to block fake CAPTCHA pages. Use regular expressions that match the URL patterns and the JavaScript signatures.
Educate users about the risks of clicking on suspicious links, especially those that prompt them to send SMS messages. Provide clear guidance on how to verify the authenticity of a site before interacting.
Coordinate with telecom providers to identify and block high‑fee termination fees for known fraud numbers. Telecommunication carriers should also be alerted to investigate complaints of unexpected charges.
Conclusion
This operation demonstrates how the convergence of fake CAPTCHA pages, TDS infrastructure, and premium‑rate SMS routes can create a scalable fraud ecosystem. The use of back button hijacking and cookie‑based targeting makes it difficult for individual users to escape the loop. By combining network‑level blocking, user education, and inter‑carrier cooperation, security teams can reduce the impact of this fraud and protect both consumers and service providers from the growing threat of international revenue share scams.

