Full Report
Cybersecurity researchers have disclosed details of a telecommunications fraud campaign that uses fake CAPTCHA verification tricks to dupe unsuspecting users into sending international text messages that incur charges on their mobile bills, generating illicit revenue for the threat actors who lease the phone numbers. According to a new report published by Infoblox, the operation is believed to
Analysis Summary
Based on the report by Infoblox regarding the telecommunications fraud campaign involving fake CAPTCHAs, here is the structured summary.
# Tool/Technique: Fake CAPTCHA SMS Fraud (Vampire SMS)
## Overview
This technique involves a sophisticated social engineering scheme where users are presented with a fraudulent CAPTCHA interface. Instead of verifying humanity, the interaction triggers the user's device to send a pre-filled, international SMS to a premium-rate or actor-controlled number. This results in unauthorized charges to the victim's mobile bill, which are then collected by the threat actors who lease these numbers from International Revenue Share Fraud (IRSF) providers.
## Technical Details
- **Type:** Social Engineering / Telecommunications Fraud (IRSF)
- **Platform:** Mobile Devices (Android and iOS)
- **Capabilities:** Exploitation of the `sms:` URI scheme; cross-platform browser interaction; premium rate SMS redirection.
- **First Seen:** Activity identified in early 2024 (based on Infoblox reporting).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.002 - Phishing: Spearphishing Link (distributed via social media or malicious ads)
- **TA0002 - Execution**
  - T1204.001 - User Execution: Malicious Link
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols
- **TA0007 - Discovery**
  - T1426 - System Information Discovery (Mobile)
## Functionality
### Core Capabilities
- **URI Scheme Exploitation:** Uses the `sms:` protocol to automatically populate the "To" field and the message body in the victim's native messaging app.
- **Social Engineering:** Mimics legitimate "I'm not a robot" CAPTCHA challenges to build a false sense of security.
- **Geography-Based Redirection:** Uses the visitor's IP address to determine location and serve localized content or the specific phone numbers that maximize payout for that region.
### Advanced Features
- **Browser-to-SMS Handoff:** Seamlessly transitions the user from a mobile browser to the pre-loaded SMS composition screen.
- **Dynamic Content:** The malicious infrastructure serves different "verification codes" which are actually the strings of text the actor wants the victim to send.
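As an added example (not code from the Infoblox report or this summary), a small Python checker for the URI-scheme handoff described above: it extracts `sms:` URIs from a fetched page, parses the RFC 5724 number-and-body form (including the older iOS `&body=` variant), and flags links that both pre-fill a message body and target a number outside the home country code. The page fragment, the `+999` number and the `home_cc` parameter are constructed assumptions for the demonstration.

```python
"""Flag pre-filled sms: links that target international numbers."""
import html
import re
from urllib.parse import parse_qs, unquote

# Matches an sms: URI wherever it appears (href, meta refresh, JS string).
SMS_URI_RE = re.compile(r"""sms:[^"'\s<>)]+""", re.IGNORECASE)


def parse_sms_uri(uri):
    """Return (recipients, body) for an RFC 5724 sms: URI; body is None if absent.
    Accepts 'sms:<num>?body=<text>' and the older iOS form 'sms:<num>&body=<text>'."""
    if uri[:4].lower() != "sms:":
        raise ValueError("not an sms: URI")
    parts = re.split(r"[?&]", uri[4:], maxsplit=1)
    recipients = [unquote(r) for r in parts[0].split(",") if r]
    query = parts[1] if len(parts) > 1 else ""
    return recipients, parse_qs(query).get("body", [None])[0]


def is_international(number, home_cc):
    """True for an E.164 number (+CC...) whose country code is not home_cc.
    Simple prefix test: home_cc "1" covers the whole NANP, fine for a first pass."""
    return number.startswith("+") and not number[1:].startswith(home_cc)


def find_suspicious_sms_links(page, home_cc):
    """Return (uri, recipient, body) for each pre-filled international sms: link."""
    hits = []
    for uri in SMS_URI_RE.findall(html.unescape(page)):  # unescape &amp;body=
        recipients, body = parse_sms_uri(uri)
        hits.extend((uri, r, body) for r in recipients
                    if body and is_international(r, home_cc))
    return hits


# Constructed page fragment (not from the report); +999 is an unassigned
# country code, used here only as a placeholder for an international number.
SAMPLE_PAGE = """
<p>Verify you are human: tap the button to send the code shown.</p>
<a href="sms:+999123456789?body=VERIFY%20A7K2">I'm not a robot</a>
<a href="sms:+15551234567?body=hello">Text our support desk</a>
"""

if __name__ == "__main__":
    for uri, r, body in find_suspicious_sms_links(SAMPLE_PAGE, home_cc="1"):
        print(f"ALERT: pre-filled SMS to international number {r}: body={body!r}")
```

The same parser can be pointed at proxy or web-crawler captures to surface pages that combine a CAPTCHA-style lure with a ready-to-send international message.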
## Indicators of Compromise
- **File Hashes:** N/A (Web-based campaign)
- **Network Indicators (defanged):**
  - `verification-service[.]com`
  - `captcha-test[.]online`
  - `human-verify[.]net`
  - `check-robot[.]org`
- **Behavioral Indicators:**
  - Browser attempting to open the default SMS application without a direct "Send SMS" button click.
  - Presence of unusual international numbers in the device's "Sent" SMS history.
## Associated Threat Actors
- **Vampire SMS (Cluster):** A group specialized in IRSF fraud and telecommunications exploitation.
## Detection Methods
- **Network-Based:** Monitoring for high volumes of DNS queries to newly registered domains (NRDs) that use keywords like "captcha," "verify," or "robot."
- **Behavioral:** Mobile security frameworks can detect an `sms:` URI launch that originates from a browser session.
- **Telecommunications Level:** Identification of "burst" SMS traffic to known premium-rate international number ranges.
## Mitigation Strategies
- **User Awareness:** Educate users that legitimate CAPTCHAs (such as reCAPTCHA or hCaptcha) never require sending an SMS message.
- **Carrier Blocking:** Request mobile service providers to disable international SMS or place limits on premium-rate messaging.
- **DNS Filtering:** Implement protective DNS solutions to block access to known malicious domains used for fake verification screens.
- **Browser Controls:** Use mobile browsers that prompt for user confirmation before launching external applications (like SMS).
## Related Tools/Techniques
- **International Revenue Share Fraud (IRSF):** The broader financial ecosystem this technique supports.
- **Smishing:** This technique uses SMS on the way out (the victim sends the message), whereas smishing uses SMS on the way in; the fake CAPTCHA pages are often promoted through smishing lures.
- **Clickjacking:** A similar UI/UX manipulation technique.