# Massive IRSF Scam Network Uses Fake CAPTCHAs to Steal SMS Credentials, Fueling Crypto and Fraud Operations


A sophisticated international telecommunications fraud campaign leveraging 120 Keitaro landing page instances has been detailed in a new security report, exposing how threat actors are systematically abusing fake CAPTCHA verification prompts to trick users into authorizing costly international SMS messages. The scheme, known as International Revenue Sharing Fraud (IRSF), generates millions in illicit revenue by exploiting mobile billing systems and routing charges through leased phone numbers in high-cost calling regions.


According to research published by Infoblox, the operation represents a significant escalation in telecom fraud tactics, combining social engineering with infrastructure-as-a-service (IaaS) platforms to scale attacks across multiple verticals and geographies simultaneously.


## The Threat: How the Fake CAPTCHA Scam Works


The attack chain begins innocuously. Users visiting compromised or malicious websites encounter what appears to be a legitimate CAPTCHA verification prompt—the security check you've seen thousands of times before. However, instead of authenticating access to a website, these fake CAPTCHAs are designed to trick users into authorizing outbound SMS messages.


When a user "solves" the fake CAPTCHA, they unknowingly trigger their mobile device to send premium-rate SMS text messages to international numbers. Here's what happens next:


  • The user sees nothing unusual — the fake CAPTCHA disappears, and the page proceeds normally, creating the false impression of legitimate authentication
  • Hidden SMS messages are sent — typically to high-cost international numbers in regions like Tanzania, Somalia, or the Democratic Republic of Congo
  • Charges accumulate silently — the mobile operator bills the user for international SMS at premium rates, sometimes $15-$20 per message
  • Revenue flows to threat actors — the phone numbers receiving the SMS are owned or leased by the fraud ring, who collect revenue-sharing kickbacks from telecom operators

The genius of the scheme lies in its invisibility. Unlike credential theft or direct financial fraud, victims may not realize they've been compromised until their monthly mobile bill arrives with inexplicable charges. By then, hundreds or thousands of messages may have been sent.


## Background: IRSF's Evolution and Scope


International Revenue Sharing Fraud is not new, but its sophistication has accelerated significantly. Telecom fraud schemes have existed for decades, but they traditionally required:


  • Sophisticated telecom network access (harder to obtain)
  • Complex botnet infrastructure (expensive to maintain)
  • Technical expertise in mobile protocols (rare and specialized)

Modern IRSF campaigns have democratized these attacks by:


1. Leveraging public IaaS platforms — Keitaro, a legitimate landing page builder used for affiliate marketing, has been weaponized to host 120+ malicious domains
2. Automating the attack chain — scripts automatically detect device types and route users to the most effective exploit variants
3. Combining social engineering with fake UI — visual deception now replaces technical complexity
4. Operating at scale — a single campaign can target millions of users across dozens of countries


The Infoblox research identified 120 distinct Keitaro campaigns actively distributing the fake CAPTCHA payload, indicating a highly distributed, resilient operation.


## Technical Details: The Keitaro Infrastructure


Keitaro is a performance marketing platform designed for legitimate affiliate marketers—it provides landing page builders, traffic analytics, and conversion tracking. However, its flexibility and relative anonymity have made it attractive to fraudsters.


| Aspect | Details |
|--------|---------|
| Primary platform | Keitaro landing page builder |
| Number of campaigns | 120+ active instances |
| Attack vector | Fake CAPTCHA overlay/redirect |
| Payload delivery | Silent SMS trigger (JavaScript) |
| Target geographies | Global, with emphasis on North America and Europe |
| High-cost SMS destinations | Tanzania, Somalia, DRC, Sudan, other high-rate regions |


The technical payload operates as follows:


  • User lands on a phishing page (often disguised as a legitimate service)
  • JavaScript loads a fake CAPTCHA iframe or overlay
  • Upon interaction, invisible code accesses device SMS permissions (Android) or initiates SMS through WebRTC
  • Automated messages are queued to premium-rate numbers
  • The attack is obfuscated through multiple redirects and domain hops to evade detection

Key technical signatures identified by Infoblox:

  • Domains registered through privacy-enabled registrars
  • Rapid domain rotation (new domains daily)
  • Geographic IP targeting to refine victim profiles
  • JavaScript obfuscation using base64 encoding and eval()
  • API calls to known Keitaro endpoints
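The base64-plus-eval() signature listed above is one that a security team can check for mechanically when reviewing scripts served by a suspect landing page. The Python scanner below is an added example written for this article, not code from Infoblox or from the report; the two sample scripts it scans are constructed here, and the payload they hide is a harmless redirect to a reserved example host. The "looks like JavaScript" keyword list is a heuristic assumption, not a signature from the report.

```python
import base64
import re

# A quoted base64 run long enough to hide code rather than a short token (length is a heuristic).
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{24,}={0,2})["']""")
EVAL_CALL = re.compile(r"\beval\s*\(")
ATOB_CALL = re.compile(r"\batob\s*\(")
# Assumed indicators that a decoded literal is code rather than data.
CODE_WORDS = re.compile(r"\b(document|window|location|eval|fetch)\b")

def decode_b64(literal):
    """Decode a base64 literal to text; None if it is not valid base64 or not UTF-8."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_script(js_text):
    """Report eval()/atob() use and decodable base64 literals in one script body.

    The script is marked suspicious only when eval() is present AND at least one
    decoded literal looks like JavaScript, so an ordinary base64 session token
    passed to fetch() does not trip the rule.
    """
    decoded = [d for d in map(decode_b64, B64_LITERAL.findall(js_text)) if d]
    uses_eval = bool(EVAL_CALL.search(js_text))
    return {
        "uses_eval": uses_eval,
        "uses_atob": bool(ATOB_CALL.search(js_text)),
        "decoded_literals": decoded,
        "suspicious": uses_eval and any(CODE_WORDS.search(d) for d in decoded),
    }

# Constructed samples. The "hidden" payload is a harmless redirect to a reserved
# example host, standing in for the obfuscated loader the report describes.
HIDDEN = base64.b64encode(b'window.location = "https://example.invalid/verify";').decode()
SUSPICIOUS_SCRIPT = f'var k = "{HIDDEN}"; eval(atob(k));'
BENIGN_TOKEN = base64.b64encode(b"session token, not code").decode()
BENIGN_SCRIPT = f'var t = "{BENIGN_TOKEN}"; fetch("/api?t=" + t);'

if __name__ == "__main__":
    for name, script in (("suspicious", SUSPICIOUS_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, scan_script(script))
```

Decoded literals are returned alongside the verdict so an analyst can read what the loader actually does rather than trusting the flag alone.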

## Scope and Impact


The scale of this operation is substantial. Infoblox estimates:


  • Millions of potential victims across 50+ countries
  • $5-15 million USD in monthly fraud revenue (conservative estimate)
  • Multiple infection vectors — including malvertising, SEO poisoning, and social media referrals
  • Secondary monetization — stolen credentials and device data sold to other threat actors

The operation funds additional fraud activities, including:


  • Cryptocurrency scams — romance scams and pump-and-dump schemes
  • Credential trafficking — sale of stolen accounts and session tokens
  • Mobile banking fraud — SIM swaps and account takeovers
  • Dark web services — funding for malware-as-a-service offerings

## Implications for Users and Organizations


### For Individual Users


Your mobile bill is a target. IRSF disproportionately impacts:

  • Users on prepaid/limited-data plans (charges are immediately visible)
  • International travelers (who don't monitor bills closely)
  • Elderly and less tech-savvy users (more likely to fall for social engineering)
  • Users with older Android devices (less granular permission controls)

Victims often don't realize they've been compromised for weeks, by which time thousands of messages have been sent and thousands in charges accumulated.


### For Organizations


Enterprises face secondary risks:


  • Guest WiFi vectors — corporate networks can be jumping-off points for malware distribution
  • Employee devices — BYOD policies expose companies if employees visit malicious sites
  • Brand reputation — domains spoofing legitimate services create liability for brand owners
  • Supply chain exposure — if employees' devices are compromised, credentials for enterprise systems may be at risk

## Defense Strategies and Recommendations


For individual users:


  • Monitor your bills monthly — review SMS charges immediately, not quarterly
  • Disable SMS permissions on Android devices; use native password managers instead of SMS OTP when available
  • Use authenticator apps — never enter OTP codes from SMS-based CAPTCHA prompts
  • Verify CAPTCHA URLs — legitimate CAPTCHAs display the domain name in the iframe; suspicious domains are a red flag
  • Be skeptical of login screens — if you weren't expecting a CAPTCHA, you shouldn't be solving one
  • Report charges immediately — contact your telecom provider within 48 hours of suspicious SMS charges

For mobile network operators:


  • Implement SMS gateway restrictions — block SMS messages to known high-cost fraud destinations
  • Real-time anomaly detection — alert users when SMS patterns deviate from normal behavior
  • Require explicit OTP confirmation — for international SMS, demand user confirmation before sending
  • Publish abuse reports — transparency about fraud patterns helps the industry respond faster
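On the operator side, the real-time anomaly detection recommended above can start as a sliding-window count of SMS sent to the high-cost destinations the report names. The Python detector below is an added example written for this article, not an operator's or Infoblox's code; the CDR line format and the sample records are constructed, and the five-message threshold and ten-minute window are illustrative assumptions to be tuned against real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Calling codes for the high-cost destinations the report names (real ITU codes,
# but an illustrative subset, not a complete high-risk destination table).
HIGH_COST_PREFIXES = {"+255": "Tanzania", "+252": "Somalia", "+243": "DRC", "+249": "Sudan"}
# Constructed sample SMS CDR lines: timestamp, originating subscriber, destination.
SAMPLE_CDRS = """\
2024-05-01T10:00:01 sub=447700900001 dest=+255700000001
2024-05-01T10:00:03 sub=447700900001 dest=+255700000002
2024-05-01T10:00:04 sub=447700900002 dest=+447700900099
2024-05-01T10:00:05 sub=447700900001 dest=+252600000001
2024-05-01T10:00:07 sub=447700900001 dest=+252600000002
2024-05-01T10:00:09 sub=447700900002 dest=+255700000003
2024-05-01T10:00:10 sub=447700900001 dest=+243800000001
2024-05-01T10:00:40 sub=447700900003 dest=+447700900097
2024-05-01T10:00:41 sub=447700900003 dest=+447700900096
"""
LINE_RE = re.compile(r"^(\S+) sub=(\d+) dest=(\+\d+)$")

def parse_cdr(line):
    """Return (timestamp, subscriber, destination), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    return (datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)) if m else None

def high_cost_region(msisdn):
    """Name the high-cost region a destination number falls in, or None otherwise."""
    return next((r for p, r in HIGH_COST_PREFIXES.items() if msisdn.startswith(p)), None)

def detect_irsf(cdr_text, window=timedelta(minutes=10), threshold=5):
    """Flag subscribers sending >= threshold SMS to high-cost regions inside `window`.
    Non-high-cost traffic is ignored, so a burst of domestic messages never trips it."""
    recent = defaultdict(deque)   # subscriber -> timestamps of recent high-cost sends
    regions = defaultdict(set)    # subscriber -> high-cost regions reached so far
    alerts = {}
    for line in cdr_text.splitlines():
        rec = parse_cdr(line)
        region = high_cost_region(rec[2]) if rec else None
        if region is None:                # unparseable line or non-high-cost traffic
            continue
        ts, sub, _ = rec
        q = recent[sub]
        q.append(ts)
        regions[sub].add(region)
        while ts - q[0] > window:         # slide the window forward
            q.popleft()
        if len(q) >= threshold and sub not in alerts:
            alerts[sub] = {"count": len(q), "regions": set(regions[sub]), "flagged_at": ts}
    return alerts
```

A real deployment would feed the alert into the "require explicit confirmation" control from the list above, holding further international sends from the flagged subscriber until they confirm.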

For security teams:


  • Block Keitaro domains — SIEM rules should flag traffic to known malicious Keitaro instances
  • Monitor for IRSF indicators — device exfiltration of call logs, permission escalation, hidden SMS access
  • Educate employees — IRSF is often paired with phishing; users must understand that CAPTCHA != authentication
  • Implement device management — MDM solutions can restrict SMS permissions and monitor outbound SMS traffic

## Conclusion


The convergence of IRSF tactics with accessible IaaS platforms represents a mature, profitable fraud ecosystem. The 120 Keitaro campaigns identified by Infoblox are likely just the visible portion of a much larger operation. As telecom operators become more sophisticated, fraud actors will continue to evolve their techniques—shifting focus from technical exploits to social engineering and psychological manipulation.


The best defense remains awareness: understand what you're clicking, monitor your bills, and remember that legitimate services will never ask you to "verify" through a CAPTCHA you didn't explicitly request.