Fake CAPTCHA Pages and 120 Campaigns Abusing Keitaro TDS Drive Global SMS Fraud and Crypto Scams
A massive international revenue share fraud campaign uses fake CAPTCHA pages to trick victims into sending premium-rate SMS messages, while over 120 malicious campaigns abuse the Keitaro traffic distribution system for malware delivery and cryptocurrency theft.

Cybersecurity researchers have disclosed details of a telecommunications fraud campaign that uses fake CAPTCHA verification tricks to dupe unsuspecting users into sending international text messages that incur charges on their mobile bills, generating illicit revenue for the threat actors who lease the phone numbers.
According to a new report published by Infoblox, the operation has been active since at least June 2020, using social engineering and back button hijacking in web browsers. As many as 35 phone numbers spanning 17 countries have been observed as part of the international revenue share fraud (IRSF) campaign.
"The fake CAPTCHA has multiple steps, and each message crafted by the site is preconfigured with over a dozen phone numbers, meaning the victim isn't charged for just a single message – they're charged for sending SMSs to over 50 international destinations," researchers David Brunsdon and Darby Wise said in an analysis. "This type of scam also benefits from delayed billing, as the 'international SMS' charges often appear on the victim's bill weeks later and the experience with the fake CAPTCHA has been long forgotten."
The campaign plays out like this: a user is redirected through a commercial traffic distribution system (TDS) to a bogus web page, which serves a CAPTCHA that instructs them to send an SMS to "confirm you are human." This triggers a multi-stage "verification" chain, with each step initiating a separate SMS message to server-designated numbers by programmatically launching the SMS apps on both Android and iOS devices. In the process, as many as 60 SMS messages are sent to 15 unique numbers after four CAPTCHA steps, which could end up costing a user $30.
The list of phone numbers spans 17 countries, including Azerbaijan, the Netherlands, Belgium, Poland, Spain, and Turkey. Dr. Renée Burton, vice president of threat intelligence for Infoblox, told The Hacker News that the campaign is not geofenced in its current form, although the possibility hasn't been entirely ruled out. "We have seen these campaigns actively showing up in both the United States and Europe, though the breadth is probably much larger," Burton added.
The campaign heavily relies on cookies to track progression through the fake verification flow, using values stored in certain cookies (e.g., "successRate") to determine the next course of action. If a user is deemed not suitable for the campaign, the page redirects them to an entirely different CAPTCHA page that's likely part of a separate campaign. Another novel strategy is the use of back button hijacking, which relies on JavaScript to alter the browsing history such that any attempt to navigate away by hitting the browser's back button redirects the user back to the fake page, effectively trapping them in a navigation loop.
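
The two page traits described above, SMS links preloaded with many recipients and browser history manipulation, can be checked statically in page source. The sketch below is an added defensive example, not code from the Infoblox report; the function names, the recipient threshold and both sample pages are assumptions, and the `sms:` URI form follows RFC 5724.

```javascript
// Added defensive example, not code from the Infoblox report. Function names,
// the recipient threshold and both sample pages are assumptions.

// Parse an sms: URI (RFC 5724 form: sms:<number>[,<number>...][?body=<text>]).
function parseSmsUri(uri) {
  const m = /^sms:([^?]*)(?:\?(.*))?$/i.exec(uri.trim());
  if (!m) return null;
  const recipients = m[1]
    .split(/[,;]/) // "," per the RFC; ";" tolerated as a separator here
    .map((r) => { try { return decodeURIComponent(r); } catch { return r; } })
    .map((r) => r.replace(/[\s().-]/g, ""))
    .filter((r) => /^\+?\d{4,15}$/.test(r));
  const body = new URLSearchParams(m[2] || "").get("body") || "";
  return { recipients: [...new Set(recipients)], body };
}

// Scan raw page source for bulk-recipient SMS links and history manipulation.
function scanPage(source, maxRecipients = 3) {
  const uris = source.match(/\bsms:[^"'\s<>]+/gi) || [];
  const unique = new Set();
  let maxPerMessage = 0;
  for (const uri of uris) {
    const parsed = parseSmsUri(uri);
    if (!parsed) continue;
    parsed.recipients.forEach((r) => unique.add(r));
    maxPerMessage = Math.max(maxPerMessage, parsed.recipients.length);
  }
  // pushState/replaceState plus a popstate listener also appears in legitimate
  // single-page apps, so it only raises the verdict when bulk SMS links exist.
  const historyTrap = /history\.(pushState|replaceState)\s*\(/.test(source) &&
    /popstate/.test(source);
  const bulkSms = maxPerMessage > maxRecipients || unique.size > maxRecipients;
  return {
    smsUris: uris.length, uniqueRecipients: unique.size, maxPerMessage,
    historyTrap, verdict: bulkSms ? (historyTrap ? "high" : "medium") : "low",
  };
}

// Constructed samples: placeholder numbers, popstate handler body elided.
const FAKE_CAPTCHA_PAGE = `
<a href="sms:+10000000001,+10000000002,+10000000003,+10000000004?body=VERIFY">I am human</a>
<a href="sms:+10000000005,+10000000006,+10000000007,+10000000008?body=VERIFY">Continue</a>
<script>
  history.pushState(null, "", location.href);
  window.addEventListener("popstate", onPop); // handler body elided
</script>`;
const BENIGN_PAGE = `<a href="sms:+10000000009?body=Hello">Text our support line</a>`;

console.log(scanPage(FAKE_CAPTCHA_PAGE), scanPage(BENIGN_PAGE));
```

The same checks can run in a crawler or secure web gateway over fetched HTML; a single-recipient "text us" link stays at the low verdict.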
IRSF schemes involve fraudsters illegally acquiring international premium rate numbers (IPRN) or number ranges and artificially inflating the volume of international calls or messages to those numbers to receive a share of the revenue generated from termination charges. Infoblox said the observed campaign specifically registers phone numbers in countries with high termination fees or lax regulations, such as Azerbaijan, Kazakhstan, or certain premium-rate number ranges in Europe, and colludes with local telecom providers to pull off the scam.
In a related disclosure, Infoblox and Confiant published a three-part analysis detailing how Keitaro TDS (aka Keitaro Tracker) is being abused by a wide range of threat actors for malicious activities, including malware delivery, cryptocurrency theft, and investment scams that claim to employ artificial intelligence (AI) to automate trading and promise huge returns. The scam makes use of Facebook Ads to lure victims to the fraudulent AI-powered platforms, in some cases even resorting to fabricating celebrity endorsements pushed via fake news articles and deepfake videos to promote the investment scheme. The use of synthetic videos has been attributed to a threat actor dubbed FaiKast.
"This operation defrauds both individuals and telecommunication carriers simultaneously. Individual victims face unexpected premium SMS charges on their bills and would have difficulty identifying and reporting the fraud when it originates from such an unexpected source," Infoblox concluded. "Telecom carriers pay revenue share to the perpetrators while likely absorbing the losses from customer disputes or chargebacks."