Fake CAPTCHA IRSF Scam And Keitaro Campaigns Fuel Global SMS And Crypto Fraud


Cybersecurity researchers have uncovered a large-scale telecommunications fraud campaign that leverages fake CAPTCHA verification pages to trick users into sending international SMS messages, resulting in unexpected charges on mobile bills. According to findings published by Infoblox, the campaign has likely been active since June 2020 and combines social engineering tactics with browser manipulation techniques such as back-button hijacking. Investigators identified at least 35 phone numbers across 17 countries tied to the operation, which falls under international revenue share fraud (IRSF), a class of scheme designed to generate profit through telecom billing systems.

The attack begins when users are redirected through a traffic distribution system to a fraudulent web page displaying a CAPTCHA prompt that instructs them to send a text message to verify their identity. Instead of a single interaction, the process unfolds across multiple steps, with each stage triggering additional SMS messages to different international numbers. Researchers noted that victims may unknowingly send messages to more than 50 destinations, significantly increasing costs that may only appear weeks later due to delayed billing cycles. The scam relies on preconfigured phone numbers embedded in the page, while cookies track user progress and determine subsequent steps in the flow. In some cases, users are redirected to entirely different CAPTCHA pages if they are deemed unsuitable for a specific campaign, suggesting a broader network of coordinated operations.

The infrastructure supporting this campaign highlights a combination of traditional IRSF techniques and modern malicious traffic distribution systems. IRSF schemes typically involve acquiring premium-rate phone numbers and artificially increasing traffic to them, allowing fraud actors to receive a share of the termination fees paid between telecom operators. The campaign identified by Infoblox appears to exploit high-cost number ranges in regions such as Azerbaijan, Kazakhstan, and parts of Europe, where regulatory oversight may be weaker or fees are higher. By collaborating with local telecom entities, threat actors maximize returns while shifting the financial impact onto both users and service providers. The use of browser-based tricks like history manipulation prevents users from easily exiting the fraudulent pages, effectively trapping them unless they fully close their browser session.
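The two paragraphs above describe the page-level traits of the lure: CAPTCHA wording that asks for an SMS, several preconfigured destination numbers in different countries, and a script that manipulates browser history. The following scanner, added here as an illustration and not Infoblox's or any vendor's tooling, turns those traits into a triage heuristic a SOC analyst could run over captured HTML. The country-prefix table, the scoring weights, the `home_country` parameter and both sample pages are constructed for the example; a production version would use a full E.164 dataset and premium-rate range feeds.

```python
"""Heuristic triage of captured HTML for fake-CAPTCHA SMS (IRSF) lures.

Constructed example: the prefix table is partial, the weights are illustrative,
and both sample pages below were written for this demonstration.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# Constructed partial E.164 prefix table; a real scanner would load a full dataset.
COUNTRY_PREFIXES = {
    "+1": "US/CA", "+44": "GB", "+48": "PL", "+7": "RU/KZ", "+994": "AZ", "+370": "LT",
}

# sms: / smsto: URIs with a phone number, as found in hrefs or assigned in script.
SMS_URI_RE = re.compile(r"sms(?:to)?:/*\s*(\+?[0-9][0-9\-\s().]{4,})", re.IGNORECASE)
# Calls and handlers used to manipulate browser history (back-button trapping).
HISTORY_RE = re.compile(r"history\.(?:pushState|replaceState)\s*\(|onpopstate|['\"]popstate['\"]", re.IGNORECASE)
# Wording typical of a verification lure.
CAPTCHA_RE = re.compile(r"captcha|not a robot|verify (?:that )?you(?:'re| are) (?:a )?human", re.IGNORECASE)


def normalize_number(raw: str) -> str:
    """Keep a leading '+' and digits only: ' +994 (50) 123-4567' -> '+994501234567'."""
    digits = re.sub(r"[^0-9]", "", raw)
    return "+" + digits if raw.strip().startswith("+") else digits


def country_of(number: str) -> str:
    """Longest-prefix match against the table; '??' when unknown or not in E.164 form."""
    if not number.startswith("+"):
        return "??"
    for width in (4, 3, 2):
        if number[:width] in COUNTRY_PREFIXES:
            return COUNTRY_PREFIXES[number[:width]]
    return "??"


class _PageCollector(HTMLParser):
    """Separates visible text, script bodies and anchor hrefs from one HTML document."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.scripts, self.text = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)


@dataclass
class Finding:
    captcha_wording: bool
    sms_numbers: list
    foreign_countries: list
    history_manipulation: bool
    score: int
    verdict: str


def scan_page(html: str, home_country: str = "US/CA") -> Finding:
    """Score one page; home_country is the victim population's expected country (assumed)."""
    page = _PageCollector()
    page.feed(html)
    # Destination numbers may sit in hrefs or be assigned inside script, so scan both.
    sources = page.hrefs + page.scripts
    numbers = sorted({normalize_number(m.group(1)) for s in sources for m in SMS_URI_RE.finditer(s)})
    foreign = sorted({country_of(n) for n in numbers} - {home_country})
    captcha = bool(CAPTCHA_RE.search(" ".join(page.text)))
    history = bool(HISTORY_RE.search(" ".join(page.scripts)))
    score = 0
    if captcha and numbers:
        score += 3   # a CAPTCHA that asks for an SMS is the core lure
    if len(numbers) >= 2:
        score += 2   # multi-step flow to several destinations
    if foreign:
        score += 2   # international (potentially premium-rate) destinations
    if history:
        score += 2   # back-button trapping
    verdict = "likely-irsf-lure" if score >= 5 else ("suspicious" if score >= 3 else "benign")
    return Finding(captcha, numbers, foreign, history, score, verdict)


# Constructed sample: a lure with two SMS links, a third number set in script, and history manipulation.
SAMPLE_LURE = """<html><body>
<h1>Security check</h1><p>Please complete the CAPTCHA to continue. Send the code by SMS.</p>
<a href="sms:+994501234567?body=CONFIRM">Verify step 1</a>
<a href="sms:+7 701 555 0101?body=CONFIRM">Verify step 2</a>
<script>
  // constructed stand-in for a step-tracking script; not the campaign's code
  document.cookie = "step=2";
  history.pushState(null, "", location.href);
  window.onpopstate = function () {};
  document.getElementById("next").href = "sms:+48 123 456 789?body=OK";
</script>
</body></html>"""

# Constructed sample: an ordinary CAPTCHA form with no SMS destinations.
SAMPLE_BENIGN = """<html><body><p>Please solve the CAPTCHA below.</p>
<form action="/verify"><input name="answer"><button>Submit</button></form></body></html>"""

if __name__ == "__main__":
    for name, html in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, scan_page(html))
```

The scan is deliberately cheap: it never executes the page, so it can run at scale over proxy or sandbox captures, and the destination numbers it extracts can be fed straight into a blocklist or matched against carrier premium-rate range data. Cookie-driven flows that reveal later numbers only after earlier steps will be under-counted by a static scan, which is why the score treats even two destinations as a signal.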

In parallel, researchers also detailed how the Keitaro TDS platform is being widely abused to support a range of malicious campaigns. In collaboration with Confiant, Infoblox documented more than 120 distinct campaigns between October 2025 and January 2026 that used Keitaro infrastructure for distributing harmful links. Originally designed as a self-hosted advertising tracker, the system is being repurposed by threat actors into a full-scale distribution and cloaking mechanism. These campaigns frequently rely on social media advertising, including Facebook Ads, to lure users into fraudulent investment platforms that claim to use artificial intelligence for automated trading and promise high returns. Some schemes go further by using fabricated celebrity endorsements, fake news articles, and deepfake videos to build credibility, with activity linked to a threat group identified as FaiKast.

The scale of the activity is reflected in network-level data, with Infoblox customers recording approximately 226,000 DNS queries across 13,500 domains associated with Keitaro-related campaigns during the four-month observation period. Following responsible disclosure, Keitaro has taken action by suspending more than a dozen accounts connected to these operations. A significant portion of the spam traffic, estimated at 96 percent, was tied to cryptocurrency scams involving wallet-draining techniques. These often used fake giveaways or airdrop campaigns centered on digital assets such as Solana and platforms like Phantom and Jupiter. The findings illustrate how established fraud models are being combined with newer technologies and distribution methods to expand reach and effectiveness across both telecom and digital finance ecosystems.
