Fake CAPTCHA Pages Targeting Google Users with International Revenue Fraud

By Thomas | Published on April 27, 2026


A new scam targeting Google users has come to light, involving fake CAPTCHA pages that trick victims into sending premium text messages. Discovered by cybersecurity firm Infoblox, this operation uses misleading web pages to exploit unsuspecting users, resulting in hefty phone bills. The scam hinges on a sophisticated fraud mechanism, combining social engineering with technical manipulation to charge users for sending multiple international messages without their knowledge.

Fake CAPTCHA Pages

The scam typically begins when a user mistypes a web address or lands on a compromised website that mimics legitimate brands. These pages are designed to look like standard CAPTCHA forms, the kind used to verify that a user is human. However, instead of asking users to identify images or solve simple puzzles, these fake CAPTCHAs ask seemingly benign questions about the user's device or network speed.

What victims don’t realize is that each time they interact with the CAPTCHA, a hidden JavaScript function is triggered. This function opens the phone’s messaging app and pre-fills a text message directed to several international phone numbers. The user doesn’t have to do anything extra; the message is sent automatically after each interaction with the CAPTCHA, often leading to dozens of texts being sent.

International Text Messages

After engaging with these fake CAPTCHA pages, the victim is hit with a series of international charges, often spread across multiple phone numbers. While the cost of each message may seem small, the total can quickly escalate, with some victims accumulating bills of $30 or more. This scam isn't just a one-off occurrence: it can affect the same user multiple times, with charges showing up weeks later, when the victim has long forgotten their interactions with the deceptive CAPTCHA page.

The scheme relies on high termination fees, with phone numbers in countries such as Azerbaijan, Egypt, and Myanmar being used for these fraudulent charges. These numbers are chosen specifically for their expensive rates, and with multiple messages sent per session, the total cost for the victim can add up quickly.

Back Button Hijacking

A key part of this scam's success lies in its ability to trap users in an endless cycle of interactions. This is achieved through a back-button hijacking mechanism that blocks the user from leaving the page. Instead of returning to the previous page when the back button is pressed, the scam's script forces the user to stay on the CAPTCHA page, where they are prompted to answer more questions, triggering more unwanted messages. Although Google recently addressed this technique in a security update, it demonstrates the lengths to which scammers will go to keep victims ensnared in the scam, maximizing their chances of incurring costs.
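The two page behaviours described above, a pre-filled message addressed to several international numbers and a trapped back button, can be checked for in captured page source. The scanner below is an added example, not code from this article or from Infoblox; it assumes the lure uses the standard `sms:` URI scheme (RFC 5724) and the browser History API, and all phone numbers in it are constructed placeholders.

```javascript
// Added example: static triage of captured page source (defensive; constructed data).
// Calling codes for the countries the article names as destinations.
const HIGH_COST = { '+994': 'Azerbaijan', '+20': 'Egypt', '+95': 'Myanmar' };

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // tolerate malformed %-escapes
}

// Split an sms: URI (RFC 5724: comma-separated recipients, optional body) into parts.
function parseSmsUri(uri) {
  const m = /^sms:\/{0,2}([^?&;]*)(?:[?&;](.*))?$/i.exec(uri.trim());
  if (!m) return null;
  const recipients = safeDecode(m[1]).split(',')
    .map(r => r.replace(/[\s().-]/g, '').replace(/^00/, '+')) // normalize 00 to +
    .filter(Boolean);
  const body = /(?:^|[&;])body=([^&;]*)/i.exec(m[2] || '');
  return { recipients, body: body ? safeDecode(body[1]) : '' };
}

// Map a normalized number to one of the named destinations, or null.
function destination(number) {
  const prefix = Object.keys(HIGH_COST).find(p => number.startsWith(p));
  return prefix ? HIGH_COST[prefix] : null;
}

// Scan page source for the two behaviours described above and grade the result.
function scanPage(source) {
  const links = (source.match(/\bsms:[^\s"'<>`]+/gi) || [])
    .map(parseSmsUri).filter(Boolean);
  const flagged = links.filter(l => l.recipients.length > 1 || l.recipients.some(destination));
  // Assumption: the back-button trap pairs history.pushState with a popstate handler.
  const backTrap = /history\.pushState\s*\(/.test(source) && /popstate/i.test(source);
  const countries = [...new Set(flagged.flatMap(l => l.recipients.map(destination)).filter(Boolean))];
  const recipientCount = flagged.reduce((n, l) => n + l.recipients.length, 0);
  const verdict = flagged.length === 0 ? 'clean' : backTrap ? 'high' : 'suspicious';
  return { verdict, backTrap, countries, recipientCount };
}

// Constructed samples (placeholder numbers, not taken from the Infoblox research).
const LURE = [
  '<a href="sms:+994000000001,+20000000002,0095000000003?body=verify">Continue</a>',
  'history.pushState(null, "", location.href);',
  'window.onpopstate = handler;',
].join('\n');
const BENIGN = '<a href="sms:+15555550100?body=hello">Text support</a>';

console.log(scanPage(LURE), scanPage(BENIGN));
```

A `suspicious` or `high` verdict is a triage signal for an analyst to review, not proof of fraud, since legitimate pages also use single-recipient `sms:` links.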

A Multi-Step Fraud Operation

The complexity of this scam extends beyond simple technical tricks. Researchers tracked the operation and uncovered its multi-step fraud chain. It starts with the victim unknowingly visiting a site with a misspelled domain name, which triggers the CAPTCHA prompt. As users interact with the page, the malicious JavaScript quietly performs the scam, sending messages to premium-rate numbers without the user’s consent or knowledge. The victim, often unaware of the fraud occurring in the background, is left with a surprise phone bill weeks after the event.

Conclusion: A Growing Threat

This new scam underscores the evolving nature of online threats and the growing sophistication of fraud operations. While the technical details might seem complex, the fundamental tactic remains simple—luring victims into sending expensive international text messages through deceptive means. Although Google has made efforts to address the back-button hijacking issue, the scam highlights the importance of vigilance online. Users should be cautious when encountering CAPTCHA forms or other similar prompts and be aware that even the most legitimate-looking pages can be part of a larger, more harmful operation. Infoblox’s research has shed light on this fraudulent scheme, offering valuable insights into the methods scammers are using to profit from unsuspecting victims. As always, staying informed and aware is key to avoiding falling victim to such scams.
