Fake CAPTCHA scam turns a quick click into a costly phone bill
ID: d5464b01-cc5b-5613-93de-dbc7a7a88d6e
STIX ID: report--d5464b01-cc5b-5613-93de-dbc7a7a88d6e
Feed Name: Malwarebytes Blog
This report details a long-running International Revenue Share Fraud (IRSF) campaign in which fake CAPTCHA pages, delivered via malvertising/TDS and typosquatted domains, prompt mobile users to open their SMS app and send multiple prefilled international messages to premium numbers across ~17 high-fee countries. The operation uses JavaScript back-button hijacking and affiliate Click2SMS networks to monetize the charges (roughly $30 per victim on consumer plans), defrauding individuals and telecom carriers. The report lists several malicious domains and provides user protection advice: don't send SMS to prove you're human, monitor bills, block premium/international SMS, and use mobile protection.
