This threat is a social engineering scam using fake CAPTCHA pages on typosquatted telecom sites to trick users into sending high-cost international SMS messages via JavaScript, resulting in significant financial loss. The attack employs back button hijacking to trap victims and is attributed to a European Click2SMS affiliate network. No specific software vulnerability, CVSS score, or patchable versions are identified; mitigation relies on user awareness and blocking malicious domains.
Security Operations , Phishing , Threat Intelligence Fake CAPTCHA scam drains bank accounts through international revenue share fraud April 28, 2026 Share By SC Staff (Adobe Stock) A long-running fraud operation, active since at least June 2020, has been discovered to be draining bank accounts using fake CAPTCHA pages to conduct international revenue share fraud (IRSF). This scam transforms a common security measure into a tool for tricking users into sending high-cost international text messages, according to a recent report by HackRead. The attack chain begins when users land on typosquatted domains mimicking telecommunications brands. These sites redirect victims through a traffic distribution system to a scammer-controlled landing page. There, fake CAPTCHA challenges ask users simple questions about their device or network. Each answer triggers a JavaScript function that opens the phone's SMS app, pre-filling messages to numerous international numbers with high termination fees in countries like Azerbaijan and Kazakhstan. To prevent users from escaping, the attackers employ back button hijacking, trapping them in a loop. A single session can result in over 60 messages sent to more than 50 destinations, potentially costing victims $30 or more, with charges often appearing weeks later. Infoblox researchers attribute this operation to an affiliate of a European Click2SMS network, utilizing infrastructure from Adam Ecotech. Source: HackRead SC Staff Related Malware Fast16 malware: Pre-Stuxnet sabotage tool discovered SC Staff April 27, 2026 Fast16, referenced in a 2005 ShadowBrokers leak of NSA tools, utilized a Lua 5.0 virtual machine embedded within a service binary, "svcmgmt.exe," which controlled a kernel driver named "fast16.sys." Security Operations French police arrest hacker ‘HexDex’ for alleged widespread data theft SC Staff April 27, 2026 The investigation began in late December 2025 following approximately 100 reports of data theft. Vulnerability Management Operating at the speed of the adversary Dr. Darren Death April 27, 2026 Why AI-powered vulnerability discovery makes modernizing your security practices and policies mandatory. Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Blue Team Business Email Compromise (BEC) Cold Warm Hot Disaster Recovery Site Covert Channels Cron Dumpster Diving Google Hacking Information Warfare Morris Worm Reconnaissance You can skip this ad in 5 seconds