Fake CAPTCHAs: The Hidden Trap Draining Wallets and Telecom Revenues
CAPTCHAs have long served as the internet’s simplest trust test: a quick hurdle meant to prove that a user is human and not a bot. But a new fraud campaign is turning that familiar checkpoint into a hidden billing trap, using fake CAPTCHA pages to trigger international text messages and generate costs for both consumers and telecom operators.
Infoblox Threat Intel says the scam is part of international revenue share fraud, or IRSF, a long-running telecom fraud model in which attackers benefit from charges generated by premium or international numbers. In this version, users are lured to counterfeit verification pages that imitate legitimate “I am not a robot” prompts. Instead of confirming identity, the page quietly pushes the victim into sending SMS messages to international numbers controlled by the fraud operators.
The result can be surprisingly expensive. According to reporting on the campaign, some victims are led through multiple verification steps that trigger dozens of SMS messages, with one incident potentially costing around $30 or more before the user realizes anything is wrong. Because the charges often appear later on mobile bills, the link between the suspicious page visit and the final cost may be easy to miss.
The fraud is especially effective because it exploits routine behavior. People have grown used to solving CAPTCHAs quickly, often without thinking twice about the page they are on or the action they are approving. Infoblox says the attackers also rely on traffic distribution systems and ad infrastructure to steer users toward the fake pages, making the campaigns harder to trace and disrupt.
For telecom carriers, the problem is not just customer complaints. IRSF creates revenue leakage that can be difficult to detect, especially when the charges flow through international billing routes and disputed fees are absorbed by operators. That means carriers may end up paying termination fees to destination networks while also handling chargebacks, disputes, and support costs from affected customers.
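One place a carrier can catch this pattern is in its own outbound SMS records: a subscriber who normally texts domestic numbers suddenly fires off a burst of messages to one or more international destinations within a couple of minutes. The following Python is an added example written for this article, not code from Infoblox or from the campaign reporting. The CDR column layout, the home-country prefix (`+1`), the ten-minute window and the threshold of five messages are all assumptions chosen for illustration, and the records themselves are constructed, not real traffic.

```python
"""Burst detector for outbound SMS call-detail records (CDRs).

Flags subscribers who send an unusual number of text messages to
international destinations inside a short window, the billing pattern the
fake-CAPTCHA IRSF scheme leaves behind. The CDR schema, thresholds and the
home-country prefix below are assumptions for this example, not a carrier's
real configuration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): one subscriber behaving
# normally and one who walked through a multi-step fake CAPTCHA.
SAMPLE_CDRS = """\
subscriber,destination,timestamp
+14155550101,+14155550199,2024-05-01T10:00:00
+14155550101,+442079460000,2024-05-01T12:30:00
+14155550202,+14155550150,2024-05-01T11:00:00
+14155550202,+2215550010,2024-05-01T11:01:05
+14155550202,+2215550011,2024-05-01T11:01:09
+14155550202,+2215550012,2024-05-01T11:01:14
+14155550202,+2215550013,2024-05-01T11:01:20
+14155550202,+2215550014,2024-05-01T11:01:27
+14155550202,+2215550015,2024-05-01T11:01:33
+14155550202,+14155550150,2024-05-01T15:45:00
"""

HOME_PREFIX = "+1"            # assumption: the operator's home country calling code
WINDOW = timedelta(minutes=10)  # assumption: burst window
THRESHOLD = 5                 # assumption: international SMS per window that trips an alert


def parse_cdrs(text):
    """Parse CSV CDR text into (subscriber, destination, datetime) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((row["subscriber"], row["destination"],
                     datetime.fromisoformat(row["timestamp"])))
    return rows


def is_international(destination, home_prefix=HOME_PREFIX):
    """True when an E.164 destination does not carry the home country code.

    A real deployment would use a full numbering-plan table; a prefix check
    is enough to show the idea.
    """
    return not destination.startswith(home_prefix)


def detect_bursts(cdrs, window=WINDOW, threshold=THRESHOLD, home_prefix=HOME_PREFIX):
    """Return {subscriber: (count, first_ts, last_ts)} for each subscriber whose
    densest run of international SMS within `window` reaches `threshold`."""
    by_sub = defaultdict(list)
    for sub, dest, ts in cdrs:
        if is_international(dest, home_prefix):
            by_sub[sub].append(ts)

    alerts = {}
    for sub, times in by_sub.items():
        times.sort()
        start = 0
        best = None
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[start], times[end])
        if best is not None:
            alerts[sub] = best
    return alerts


if __name__ == "__main__":
    for sub, (count, first, last) in detect_bursts(parse_cdrs(SAMPLE_CDRS)).items():
        print(f"ALERT {sub}: {count} international SMS between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the sample data the detector raises a single alert for `+14155550202`, whose six messages to `+221…` numbers arrive within half a minute, and stays quiet for `+14155550101`, whose one international text is ordinary use. In practice the threshold would be tuned per subscriber baseline, and an alert would feed a near-real-time hold on further international SMS rather than a monthly bill review, since the article's point is that the cost surfaces only after the fact.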
What makes this campaign notable is how ordinary it looks. It does not depend on malware in the traditional sense or on stealing passwords. Instead, it weaponizes a basic web interaction that millions of users recognize and trust. That shift makes the scam both scalable and socially engineered: the victim is not tricked into downloading anything, only into following a familiar prompt that has been quietly repurposed for fraud.
The broader lesson is that online trust signals can themselves become attack surfaces. As CAPTCHAs remain part of the web’s daily experience, security teams, carriers, and users alike will need to treat verification prompts more cautiously. A simple click meant to prove humanity can now carry an unexpected price tag.