SecurityBrief Ireland - Technology news for CISOs & cybersecurity decision-makers
Ireland
Flux result 6185ba51 594d 4c8c a96b 0ebe1eb4f5cb
#
Cybersecurity
#
Infoblox
#
Threat intelligence

Fake CAPTCHA pages trigger SMS fraud, Infoblox warns

Mon, 27th Apr 2026 (Today)
Author image
By Sofiah Nichole Salivio, News Editor

Infoblox has published research on a fraud scheme that uses fake CAPTCHA pages to trigger international SMS charges. The tactic links routine web verification prompts to a long-running form of telecom fraud.

The findings describe a variation of international revenue share fraud, or IRSF, in which users are led through what appears to be a standard "prove you're human" process but instead authorise an action that sends premium or international text messages. Those messages can generate unexpected charges for consumers and contribute to losses for telecom operators.

IRSF is a familiar problem for carriers, but the use of fake CAPTCHA pages as the trigger mechanism has not previously been documented in this way, according to Infoblox. Its threat intelligence team said the method turns ordinary web browsing behaviour into a billable mobile event without users clearly understanding what they have approved.

The financial effect may seem minor at the level of an individual charge. Repeated at scale, however, the activity can create recurring losses for carriers and a steady flow of complaints and billing disputes from customers who do not understand why they have been charged.

How it works

The fraud relies on websites that imitate common CAPTCHA checks. Instead of verifying that a visitor is human, the pages present instructions that lead the user to send an international SMS message. A share of the resulting revenue then flows to the operators of the scheme through leased phone numbers.

That model allows cybercriminals to monetise large volumes of seemingly trivial interactions. It also shifts the fraud away from more overt deception, such as credential phishing, and towards exploiting users' familiarity with routine website prompts.

Infoblox linked the activity to traffic distribution systems and advertising infrastructure that can funnel users to scam pages. These systems, often associated with affiliate-style marketing, are being repurposed to support phone fraud while obscuring the actors behind it.

"We've been tracking malicious use of traffic distribution systems for a while now, but tying them directly to a long-running SMS fraud scheme is new," said Dr. Renée Burton, Vice President, Infoblox Threat Intel.

"What makes this operation so effective is not just the fake CAPTCHA itself, but the commercial ad and traffic systems wrapped around it. Affiliate-style infrastructure is being repurposed to industrialize phone fraud, while making it very hard for outsiders to see the full picture," Burton added.

Telecom impact

The study presents the issue as more than a narrow cyber security problem. For carriers, it points to revenue leakage, customer service costs, and potential regulatory pressure if consumers are billed for actions they did not understand.

For customers, the main consequence is unexpected international messaging fees on phone bills. The relatively low value of each charge may also make the activity harder to detect quickly, especially if victims assume the amount is a one-off error rather than part of a wider fraud pattern.

Infoblox also argued that the issue affects trust in digital services more broadly. CAPTCHA prompts are standard across the web, and their widespread use means people have become used to completing them quickly, often without examining what they are being asked to do.

That behaviour creates an opportunity for fraud operators, particularly when online advertising and referral systems can steer large volumes of traffic to deceptive pages. The same mechanisms used to route users to content can also be used to route money to criminals, the research said.

Wider pattern

The research adds to a broader trend in cyber crime in which attackers look for ways to turn routine online actions into direct financial returns. Rather than relying only on malware or account theft, these schemes often depend on interfaces that appear legitimate and on payment mechanisms that sit outside the standard card-fraud model.

In the case described by Infoblox, the telecom network becomes part of the payment chain. That can leave mobile operators, advertisers, and online platforms with overlapping responsibilities for detecting and limiting abuse, particularly where web traffic and messaging charges intersect.

Infoblox said better visibility and tighter controls are needed over verification prompts and one-click user flows that can lead to real-world charges.

Related stories
AI tools widen cyber attack threat, Flashpoint warns
AI flaws & supply-chain risks top new pentesting report
Exclusive: Google Cloud on the road to autonomous SecOps
Zapier expands AI governance controls for enterprise users
Avatier launches offline card after Stryker cyberattack

Top stories

ACI & Kinexys add payee checks to bank payment flows
Anthropic's Mythos sparks governance fears over cyber risk
Fortinet boosts AI security & sustainability efforts
Heligan launches new strategic advisory & risk unit
TCS expands Google Cloud tie-up with four AI offerings