
CAPTCHA prompts have long been used to prevent bots from attacking websites. Cybercrime groups are now exploiting users' familiarity with them as a psychological vulnerability, using counterfeit verification screens to trick users into taking actions that can lead to financial loss and further targeting.
Instead of asking users to select images or type distorted characters, attackers deploy fake CAPTCHA pages that require unusual steps. A common tactic is to present a “Verify I am human” button that, when clicked, triggers the victim’s messaging app on their phone, pre-filling a verification code and prompting the user to send it to a service number controlled by the scam operators.
Cloudflare reports that the campaign is spreading globally rather than targeting a single country. Attackers use local languages to make the prompts more persuasive, increasing the likelihood that even careful users will follow through.
The scam is designed to feel fast and seamless, leaving little time for users to question what they are doing. Victims are typically directed to a fake website—such as a pirated movie site, a cracked software download page, or a sensational news page—where a CAPTCHA window blocks access to the content.
When the user presses the verification button, the browser opens the SMS app with a prewritten message. Although the message often looks like a meaningless string of numbers, it is used to subscribe the user to value-added services (Premium SMS). After the victim sends the message, the phone account is charged periodically, with the money routed to scammers through revenue-sharing arrangements with telecom providers that lack sufficient oversight.
Beyond the charges, the action also exposes the victim’s phone number to criminal networks, increasing the risk of spam calls and fraudulent messages later.
A key feature of the campaign is its ability to tailor the CAPTCHA interface to the user’s location. By identifying the victim’s IP address, the scam can display the prompt in the corresponding language, ranging from English and French to various Asian languages.
Security experts note that legitimate authentication services such as Google reCAPTCHA or Cloudflare Turnstile do not require users to send SMS messages or download files to verify identity. They also warn that many people move quickly through verification steps to reach content faster, which can make social-engineering tactics more effective.
Experts advise the following precautions:
Understanding how counterfeit CAPTCHA prompts operate can help users protect their money and reduce the spread of digital crime networks.
Author: Thuy Anh
Source: Phu nu moi