Hold the Phone! International Revenue Share Fraud Driven by Fake CAPTCHAs
Threat actors are leveraging fake CAPTCHA pages to trick victims into sending premium SMS messages as part of an international revenue share fraud (IRSF) scheme. Operating since at least June 2020, this campaign uses traffic distribution systems and social engineering to direct users through multi-stage fake verifications requiring SMS messages to international phone numbers across 17 countries with high termination fees. Each CAPTCHA step triggers messages to over a dozen destinations, generating over 60 SMS messages per victim costing approximately $30. The operation employs back button hijacking, sophisticated tracking cookies, and affiliate advertising networks to maximize reach while obscuring the fraud from detection. Both individual victims and telecommunication carriers suffer financial losses through this deceptive scheme.
AI Analysis
Technical Summary
Threat actors conduct an international revenue share fraud campaign by deploying fake CAPTCHA pages that trick victims into sending premium SMS messages to international phone numbers with high termination fees. The campaign uses traffic distribution systems and social engineering to funnel users through multi-stage fake verifications, each triggering numerous SMS messages. Sophisticated evasion techniques such as back button hijacking, tracking cookies, and affiliate advertising networks are employed to maximize victim count and obscure the fraudulent activity. This campaign has been active since at least June 2020 and affects multiple domains associated with the fraud infrastructure.
Potential Impact
Victims incur unexpected charges of approximately $30 due to sending over 60 premium SMS messages to international numbers. Telecommunication carriers also experience financial losses from high termination fees associated with these messages. The fraud undermines user trust and can lead to financial harm for both individuals and service providers.
Mitigation Recommendations
No official patch or fix is applicable as this is a social engineering campaign rather than a software vulnerability. Mitigation should focus on user education to recognize fake CAPTCHA pages and avoid sending SMS messages prompted by suspicious verifications. Telecommunication providers may consider monitoring and blocking premium SMS messages to suspicious international numbers associated with this campaign. Review and block access to known malicious domains linked to this fraud. Since no vendor advisory or official fix is provided, patch status is not applicable.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.infoblox.com/blog/threat-intelligence/hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas/
- Adversary: null
- Pulse Id: 69ea72429017f495ef581024
- Threat Score: null
Threat ID: 69eb2b7387115cfb6806c5fd
Added to database: 4/24/2026, 8:36:03 AM
Last enriched: 4/24/2026, 8:51:03 AM
Last updated: 4/25/2026, 5:45:22 AM