Fake CAPTCHA Pages Fuel International SMS Fraud and TDS‑Driven Crypto Scams

CyberSecureFox

A newly documented telecom fraud campaign shows how attackers are combining fake CAPTCHA pages, premium‑rate international numbers and advertising infrastructure to quietly charge victims for expensive SMS traffic. According to research by Infoblox and Confiant, this operation has been active since at least June 2020 and illustrates how traditional International Revenue Share Fraud (IRSF) is evolving in the digital advertising ecosystem.

How International Revenue Share Fraud Exploits Premium SMS

IRSF is a long‑standing form of telecom fraud in which attackers artificially generate large volumes of calls or SMS messages to international premium rate numbers (IPRN). The originating carrier pays a termination fee to the destination carrier for each connection, and part of that revenue is shared with the owner of the number range. Criminals either control these ranges directly or collude with local operators to receive a share of the proceeds.

In the campaign analyzed by Infoblox, at least 35 phone numbers across 17 countries were abused. The numbers are concentrated in jurisdictions with high termination rates or weaker regulatory oversight, including Azerbaijan, Kazakhstan and selected premium ranges in Europe. By driving automated traffic to these destinations, attackers convert fraudulent SMS activity into legitimate‑looking wholesale revenue.

Fake CAPTCHA Pages as a Social Engineering Tool

The most distinctive feature of this IRSF scheme is the use of fake CAPTCHA verification pages. Instead of solving a visual puzzle, victims are instructed to “confirm you are human” by sending an SMS to a displayed number. After the first message, a multi‑step pseudo‑verification process begins, with each stage silently preparing another SMS to additional international numbers.

On Android and iOS devices, JavaScript on the landing page uses custom URL schemes to open the native SMS application with prefilled recipients and message text. Users see what appears to be a standard message and tap “Send”, often unaware that it is addressed to multiple international premium numbers at once.

Infoblox estimates that over four steps of this fake CAPTCHA flow, a single victim can send up to 60 SMS to 15 unique numbers, generating around $30 in extra charges on average. Each CAPTCHA “replica” ships with a preset list of destinations, so one user action can trigger an entire bundle of high‑tariff SMS messages rather than a single text.
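As an added illustration (not code from Infoblox, Confiant or this article), the Python sketch below shows how a crawler or content filter could flag the kind of prefilled SMS link described above. It assumes the pages use standard `sms:`/`smsto:` URIs; the function names, the `home_cc` parameter and the sample HTML with its phone numbers are constructed for the example.

```python
import re
from urllib.parse import unquote

# Finds sms:/smsto: URIs in href attributes or inline script strings.
SMS_URI = re.compile(r"""\bsms(?:to)?:([^"'\s<>)]+)""", re.IGNORECASE)

# Constructed sample page: one benign single-recipient link, one multi-recipient lure.
SAMPLE_HTML = """
<a href="sms:+15550100?body=STOP">Unsubscribe</a>
<button onclick="location.href='sms:+994000000001,+770000000002,+994000000003?body=VERIFY%204821'">
  I am human</button>
"""

def parse_sms_uri(rest):
    """Split the text after 'sms:' into (recipients, body).

    Accepts the RFC 5724 '?body=' form and the '&body=' / ';body=' variants.
    """
    m = re.search(r"[?&;]body=", rest, re.IGNORECASE)
    if m:
        addr, body = rest[:m.start()], unquote(rest[m.end():].split("&")[0])
    else:
        addr, body = rest, ""
    # Recipients are comma-separated; keep only digits and a leading '+'.
    parts = re.split(r"[,;]", unquote(addr).lstrip("/"))
    recipients = [re.sub(r"[^\d+]", "", p) for p in parts]
    return [r for r in recipients if r], body

def scan_page(html, home_cc="+1"):
    """Return one finding per SMS link that looks risky for a visitor in home_cc.

    The prefix comparison is a simplification: shared country codes are not split.
    """
    findings = []
    for m in SMS_URI.finditer(html):
        recipients, body = parse_sms_uri(m.group(1))
        foreign = [r for r in recipients if r.startswith("+") and not r.startswith(home_cc)]
        reasons = []
        if len(recipients) > 1:
            reasons.append("multiple-recipients")
        if foreign:
            reasons.append("international-destination")
        if body and reasons:
            reasons.append("prefilled-body")
        if reasons:
            findings.append({"recipients": recipients, "body": body, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML):
        print(finding)
```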

Traffic Distribution Systems: From Ad Tech to Fraud Infrastructure

Victims reach these pages through Traffic Distribution Systems (TDS), commonly used in online marketing to route visitors to different landing pages based on geography, device type or campaign rules. In this case, TDS software is repurposed to mask malicious traffic, filter high‑value targets and scale SMS fraud across many domains and hosting setups.

Cookies, funnel control and back button hijacking

To orchestrate the fraud funnel, attackers rely heavily on browser cookies. Parameters such as a successRate flag track the user’s progress and determine whether to serve the next SMS step, redirect to another fake CAPTCHA or move the user out of the campaign. Visitors deemed “uninteresting” based on location, device or behavior are diverted to alternative landing pages likely belonging to other scams.

The operators also deploy back button hijacking. By manipulating browser history with JavaScript, they ensure that pressing “Back” sends the user to the same CAPTCHA page again, effectively trapping the victim in a navigation loop. Many users simply abandon the session, unaware that multiple premium SMS messages have already been sent from their device.

Who Loses: Impact on Subscribers and Telecom Operators

The fraud inflicts damage on both end users and telecom providers. Subscribers receive inflated bills with lines of international premium SMS that look indistinguishable from legitimate outgoing traffic. Because international billing is often delayed by several weeks, most victims struggle to connect the charges to a brief interaction with a suspicious website.

Operators, meanwhile, are obligated to share revenue with foreign carriers and number range holders, then frequently face customer disputes, chargebacks and regulatory pressure. Industry studies, including reports by the Communications Fraud Control Association (CFCA), have long identified IRSF as one of the costliest forms of telecom fraud globally, running into billions of dollars annually.

Abuse of Keitaro TDS for Malware, Crypto and Investment Scams

Beyond SMS fraud, the same research highlights systemic abuse of the legitimate Keitaro TDS (Keitaro Tracker), a self‑hosted platform designed for performance marketing analytics and conditional traffic routing. Threat actors using stolen or cracked Keitaro licenses have built large‑scale campaigns for malware delivery, cryptocurrency theft and high‑risk investment scams advertised as AI‑powered trading platforms.

Operators lure users via Facebook Ads, fake news articles and deepfake videos featuring fabricated celebrity endorsements. One cluster, labeled “FaiKast” by researchers, was observed between October 2025 and January 2026 running more than 120 distinct campaigns, generating around 226,000 DNS queries to 13,500 associated domains.

Approximately 96% of the Keitaro‑related spam traffic identified in this study was linked to cryptocurrency “wallet drainer” schemes. These scams masquerade as airdrops or giveaways for tokens and services such as AURA, SOL (Solana), the Phantom wallet and the Jupiter DEX aggregator, but are designed to empty victims’ wallets once they sign malicious transactions. Following responsible disclosure, Keitaro reportedly terminated more than a dozen accounts, yet the broader trend of TDS abuse remains persistent.

The uncovered IRSF and TDS campaigns demonstrate how quickly social engineering, ad‑tech infrastructure and obscure telecom settlement mechanisms can be combined into profitable, low‑visibility fraud. Users should never send SMS or initiate calls on the instruction of random websites, should review detailed billing records and, where possible, ask carriers to block premium services. For businesses and telecom operators, effective defenses include behavioral analytics on messaging and voice traffic, DNS‑level monitoring, anomaly detection on international routes and timely information sharing with industry partners. Strengthening awareness of these evolving techniques and investing in proactive monitoring remain critical to reducing the risk and financial impact of telecom and crypto‑enabled fraud.
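On the operator side, the behavioral analytics mentioned above can start with a per-subscriber sliding window over outgoing SMS records. The following Python sketch is an added example, not tooling from the researchers or any carrier; the record layout, the thresholds, `home_cc` and every number in the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed CDR rows: (timestamp, subscriber, destination). No real numbers.
T0 = datetime(2026, 1, 15, 9, 0, 0)
SAMPLE_CDRS = [
    # One subscriber: 4 "verification" steps, each sending to the same 5 foreign numbers.
    (T0 + timedelta(seconds=60 * step + 2 * n), "+15550101", f"+9940000000{n:02d}")
    for step in range(4) for n in range(5)
]
SAMPLE_CDRS += [
    (T0, "+15550102", "+15550199"),                               # domestic SMS
    (T0 + timedelta(minutes=5), "+15550102", "+447000000001"),    # occasional
    (T0 + timedelta(hours=1), "+15550102", "+447000000001"),      # international use
]

def detect_sms_bursts(cdrs, home_cc="+1", window=timedelta(minutes=10),
                      min_msgs=8, min_dests=4):
    """Flag subscribers sending many SMS to several distinct international
    numbers inside one sliding window. Thresholds are illustrative defaults."""
    recent = defaultdict(deque)   # subscriber -> (timestamp, destination) in window
    alerts = {}
    for ts, sub, dest in sorted(cdrs):
        if dest.startswith(home_cc):
            continue              # only international traffic is of interest
        q = recent[sub]
        q.append((ts, dest))
        while ts - q[0][0] > window:
            q.popleft()           # drop records that fell out of the window
        dests = {d for _, d in q}
        if len(q) >= min_msgs and len(dests) >= min_dests:
            prev = alerts.get(sub)
            # Keep the largest burst seen for each subscriber.
            if prev is None or len(q) > prev["messages"]:
                alerts[sub] = {"messages": len(q), "destinations": len(dests),
                               "window_start": q[0][0]}
    return alerts

if __name__ == "__main__":
    for subscriber, info in detect_sms_bursts(SAMPLE_CDRS).items():
        print(subscriber, info)
```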
