Infoblox Threat Intel finds global scams turning simple “prove you’re human” pages into costly international text charges for consumers and telecom operators
DUBAI, UAE, April, 2026: CAPTCHAs, the simple tests we use to prove we are human, are increasingly being weaponized to trigger actions with hidden costs. Infoblox Threat Intel has uncovered fake CAPTCHA pages that trick users into sending high volumes of international text messages, fuelling a long-running fraud category called international revenue share fraud (IRSF). The result is unexpected charges for consumers and growing, often hidden, revenue leakage for telecom carriers.
The research shows that seemingly everyday web interactions can be turned into billable mobile events without users clearly understanding what they are authorizing. Each small extra charge looks minor on its own, but at scale this behaviour drives meaningful, recurring losses for carriers and a steady stream of complaints and disputes from confused customers.
This type of fraud scheme is not new, but the method is unreported. Utilizing fake CAPTCHAs in this way is a novel attack type for cybercriminals. In these attacks, a user follows the instructions that look like a regular CAPTCHA but in reality, sends international SMS. This results in charges on the victim’s phone bill, with a share of that revenue going to the actor who leases the phone numbers and operates the fake CAPTCHA site.
More than a security issue, this is a financial and reputational problem that erodes margins, damages trust in digital services and invites regulatory scrutiny. Telecom operators, advertisers and online platforms all need better visibility and controls over how simple verification prompts, and one-click flows convert into real-world charges.
“We’ve been tracking malicious use of traffic distribution systems for a while now, but tying them directly to a long-running SMS fraud scheme is new,” said Dr. Renée Burton, VP of Infoblox Threat Intel. “What makes this operation so effective is not just the fake CAPTCHA itself, but the commercial ad and traffic systems wrapped around it. Affiliate-style infrastructure is being repurposed to industrialize phone fraud, while making it very hard for outsiders to see the full picture.”
This research makes one thing clear: the same systems that route users to content can just as easily route money to criminals, and fake CAPTCHA fraud is already exploiting that gap at Internal scale.
Photo Caption: Dr. Renée Burten, VP of Infoblox Threat Intel
About Infoblox Threat Intel
Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet’s inner workings allows us to track down threat actors that others can’t see. We’re proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.
About Infoblox:
Infoblox unites networking, security and cloud with a protective DDI platform that delivers enterprise resilience and agility. Trusted by over 6,000 customers, including the majority of Fortune 100 companies as well as emerging innovators, we seamlessly integrate, secure and automate critical network services so businesses can move fast without compromise. Visit Infoblox.com, or follow us on LinkedIn.
