Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to intelligence
phishing-campaign-intelligenceidentity-impersonation-fraudthreat-infrastructure-trackingoperational-disruption

Fake CAPTCHA SMS Fraud and SMS Blaster Smishing Target Mobile Users

Updated 2d agoFirst seen Apr 24, 20266 sources

Infoblox researchers reported a long-running International Revenue Share Fraud (IRSF) campaign that uses fake CAPTCHA pages to trick mobile users into sending premium-rate international text messages. Victims are funneled through typosquatted telecom-themed domains, ad-network redirects, and Traffic Distribution System (TDS) infrastructure to scam landing pages that present bogus verification steps. Those prompts trigger JavaScript that opens the phone’s SMS app with pre-filled messages and dozens of international numbers, and a single four-step interaction can generate about 60 SMS messages to more than 50 destinations, costing roughly $30 or more per session. Researchers said the operation has been active since at least 2020, uses high-fee destinations including Azerbaijan, Egypt, and Myanmar, and has been linked to an affiliate of a European Click2SMS network using infrastructure hosted on AS15699, Adam Ecotech.

Separately, Toronto police arrested three men in what authorities described as Canada’s first criminal case involving a mobile SMS blaster, a rogue device that impersonates a cellular tower to push phishing texts and disrupt legitimate service. Investigators said the devices were tracked across the Greater Toronto Area after one was detected in downtown Toronto, and police seized multiple SMS blasters and related equipment. Authorities believe tens of thousands of phones connected to the rogue system, contributing to more than 13 million network disruptions that may have interfered with normal mobile access and even emergency services such as 911. The cases highlight how attackers are abusing both web lures and fake base-station hardware to scale smishing and mobile billing fraud.

Share:
Fake CAPTCHA SMS Fraud and SMS Blaster Smishing Target Mobile Users
Stay ahead

Get ahead of threats like this

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.

EVENT TIMELINE

How this story unfolded

7 events from the most recent confirmed update back to the earliest known activity.

7 EVENTS
Apr 25, 20262mo ago

Researchers attribute campaign to Click2SMS affiliate

Infoblox attributed the fake CAPTCHA IRSF activity to an affiliate of a European Click2SMS network and linked supporting infrastructure to AS15699, Adam Ecotech. This added actor attribution to the long-running fraud campaign.

Apr 24, 20262mo ago

Infoblox documents fake CAPTCHA IRSF campaign details

Infoblox publicly documented the fake CAPTCHA fraud operation, describing its use of typosquatted telecom domains, Traffic Distribution System redirects, back-button hijacking, and JavaScript that pre-fills SMS messages to high-fee international destinations. Researchers said a single victim interaction can trigger about 60 messages to more than 50 destinations, costing roughly $30 or more per session.

Police announce three arrests in Canada's first SMS blaster case

Canadian authorities disclosed that three men were arrested in what they described as the country's first criminal case involving a mobile SMS blaster. Police linked the devices to tens of thousands of phones and more than 13 million network disruptions, including possible interference with emergency services.

Mar 1, 20264mo ago

Toronto police arrest two suspects and seize SMS blasters

Police said they arrested two suspects in March in connection with Canada's first known criminal case involving a mobile SMS blaster. Investigators seized several SMS blasters and other electronic equipment tied to mass phishing texts and network disruption.

Jan 31, 20265mo ago

Infoblox observes 120+ Keitaro abuse campaigns

Infoblox reported that more than 120 malicious campaigns abusing the Keitaro traffic distribution system were active between October 2025 and January 2026. The campaigns supported malware delivery, cryptocurrency wallet-drainer activity, and AI-themed investment scams, expanding the scope beyond the fake CAPTCHA IRSF operation.

Fake CAPTCHA IRSF Scam and 120 Keitaro Campaigns Drive Global SMS, Crypto Fraud
Nov 1, 20258mo ago

Toronto police begin SMS blaster investigation

Toronto Police Service began investigating in November after detecting a suspicious rogue device in downtown Toronto. Authorities later tracked the mobile SMS blaster across multiple locations in the Greater Toronto Area.

Jun 1, 20206y ago

IRSF fake CAPTCHA SMS fraud campaign begins

Infoblox said a long-running International Revenue Share Fraud campaign using fake CAPTCHA pages has been active since at least June 2020. The scheme tricks mobile users into sending premium-rate international SMS messages through scam landing pages and redirect infrastructure.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

14 LINKEDOpen in app
Threat actors
2 linked
Affected products
2 linked
TwitterLinkedin
Organizations
10 linked
MalwarebytesConfiantLinkedinMeta PlatformsHackReadXInfobloxGoogleKeitaroAdam Ecotech
The operational view lives in Mallory

See the full picture, correlated to your attack surface.

This page covers what’s public. Mallory adds the parts that aren’t — which of your assets are affected, which threat actors are using it right now, which detections to deploy, and what to do next.
Exposure mapping

Map indicators from this story to your assets and identify affected systems in minutes.

Threat actor evidence

Every observed campaign, victim, and pivot linked to actors named in this story.

Associated malware

Malware, exploits, and IOCs connected to the activity described here.

Detection signatures

YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.

Scheduled alerts

Get matching new stories delivered to your team as they break — not the next morning.

AI threads

Ask questions about this story and take action on the answers.

Fake CAPTCHA SMS Fraud and SMS Blaster Smishing Target Mobile Users | Mallory