Fake CAPTCHA SMS Fraud and SMS Blaster Smishing Target Mobile Users
Infoblox researchers reported a long-running International Revenue Share Fraud (IRSF) campaign that uses fake CAPTCHA pages to trick mobile users into sending premium-rate international text messages. Victims are funneled through typosquatted telecom-themed domains, ad-network redirects, and Traffic Distribution System (TDS) infrastructure to scam landing pages that present bogus verification steps. Those prompts trigger JavaScript that opens the phone’s SMS app with pre-filled messages and dozens of international numbers, and a single four-step interaction can generate about 60 SMS messages to more than 50 destinations, costing roughly $30 or more per session. Researchers said the operation has been active since at least 2020, uses high-fee destinations including Azerbaijan, Egypt, and Myanmar, and has been linked to an affiliate of a European Click2SMS network using infrastructure hosted on AS15699, Adam Ecotech.
Separately, Toronto police arrested three men in what authorities described as Canada’s first criminal case involving a mobile SMS blaster, a rogue device that impersonates a cellular tower to push phishing texts and disrupt legitimate service. Investigators said the devices were tracked across the Greater Toronto Area after one was detected in downtown Toronto, and police seized multiple SMS blasters and related equipment. Authorities believe tens of thousands of phones connected to the rogue system, contributing to more than 13 million network disruptions that may have interfered with normal mobile access and even emergency services such as 911. The cases highlight how attackers are abusing both web lures and fake base-station hardware to scale smishing and mobile billing fraud.
Timeline
Apr 25, 2026
Researchers attribute campaign to Click2SMS affiliate
Infoblox attributed the fake CAPTCHA IRSF activity to an affiliate of a European Click2SMS network and linked supporting infrastructure to AS15699, Adam Ecotech. This added actor attribution to the long-running fraud campaign.
Apr 24, 2026
Infoblox documents fake CAPTCHA IRSF campaign details
Infoblox publicly documented the fake CAPTCHA fraud operation, describing its use of typosquatted telecom domains, Traffic Distribution System redirects, back-button hijacking, and JavaScript that pre-fills SMS messages to high-fee international destinations. Researchers said a single victim interaction can trigger about 60 messages to more than 50 destinations, costing roughly $30 or more per session.
Apr 24, 2026
Police announce three arrests in Canada's first SMS blaster case
Canadian authorities disclosed that three men were arrested in what they described as the country's first criminal case involving a mobile SMS blaster. Police linked the devices to tens of thousands of phones and more than 13 million network disruptions, including possible interference with emergency services.
Mar 1, 2026
Toronto police arrest two suspects and seize SMS blasters
Police said they arrested two suspects in March in connection with Canada's first known criminal case involving a mobile SMS blaster. Investigators seized several SMS blasters and other electronic equipment tied to mass phishing texts and network disruption.
Jan 31, 2026
Infoblox observes 120+ Keitaro abuse campaigns
Infoblox reported that more than 120 malicious campaigns abusing the Keitaro traffic distribution system were active between October 2025 and January 2026. The campaigns supported malware delivery, cryptocurrency wallet-drainer activity, and AI-themed investment scams, expanding the scope beyond the fake CAPTCHA IRSF operation.
Nov 1, 2025
Toronto police begin SMS blaster investigation
Toronto Police Service began investigating in November after detecting a suspicious rogue device in downtown Toronto. Authorities later tracked the mobile SMS blaster across multiple locations in the Greater Toronto Area.
Jun 1, 2020
IRSF fake CAPTCHA SMS fraud campaign begins
Infoblox said a long-running International Revenue Share Fraud campaign using fake CAPTCHA pages has been active since at least June 2020. The scheme tricks mobile users into sending premium-rate international SMS messages through scam landing pages and redirect infrastructure.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Sources
1 more from sources like the record media
Related Stories
Toronto Police Bust Vehicle-Mounted SMS Blaster Phishing Operation
Toronto Police arrested three men and laid 44 charges over an alleged **SMS blaster** operation in the Greater Toronto Area that used rogue cellular base stations mounted in vehicles to impersonate legitimate towers and push phishing texts to nearby phones. Investigators said the campaign, dubbed **Project Lighthouse**, began drawing scrutiny after suspicious activity was reported in downtown Toronto in November 2025, with searches in Markham and Hamilton later leading to the seizure of multiple custom-built blasters and other electronic devices; two suspects were arrested during the searches and a third later surrendered. Authorities said the devices forced tens of thousands of phones to connect automatically, enabling spoofed messages that appeared to come from banks, government agencies, and other trusted organizations and directing victims to fraudulent sites designed to steal credentials, passwords, and banking information. Police estimate the scheme caused roughly **13 million network disruptions** or instances of mobile network entrapment, temporarily knocking affected devices off legitimate service and potentially blocking access to **911**, and described the case as the first known detection of this type of threat in Canada while warning that conventional smishing remains an ongoing risk.
1 weeks ago
Rise of SMS-Based Mobile Fraud Through Smishing and OTP Interception
Criminals are increasingly abusing **SMS as a fraud channel**, using both network-level and device-level techniques to bypass traditional defenses and steal credentials, banking data, and one-time passcodes. One reported method uses **SMS blasters**—portable false base stations or cell-site simulators—to inject phishing texts directly into nearby phones without traversing carrier networks, allowing messages spoofing government agencies or banks to evade carrier spam filtering. Another technique targets Android devices through the **LSPosed** framework and the **Digital Lutera** module, enabling attackers to capture SMS verification tokens, impersonate phone numbers, insert fraudulent SMS records, and support real-time payment app account takeover and transaction approval. The fraud ecosystem also includes large-scale **smishing campaigns** built around fake parcel delivery notifications, with Group-IB reporting sustained growth across the Middle East and Africa and postal brands most frequently abused. Those campaigns use urgent shipment-tracking lures to drive victims to counterfeit courier sites that harvest personal data, card details, banking credentials, and OTPs. Together, the reporting shows that mobile fraud is expanding through both social engineering and deeper technical abuse of telecom and mobile operating system trust models, exposing weaknesses in SMS-based authentication and message trust assumptions.
1 months ago
SMS-Based Authentication and Phishing Risks via Intercepted or Mass-Sent Text Links
Recent research highlighted systemic security and privacy risks created by **sign-in/authentication links delivered over SMS**, showing how easily such links and embedded personal data can be exposed and abused at scale. By observing public SMS gateway services (temporary numbers used to receive texts), researchers collected **332,000 unique SMS-delivered URLs** extracted from **33 million texts** sent to **30,000+ phone numbers**, and reported that messages from **701 endpoints** on behalf of **177 services** exposed *critical PII*. The work underscores that SMS is unencrypted and that authentication links and sensitive details can persist in accessible stores or be captured through weakly protected SMS delivery ecosystems. Greek police separately dismantled a criminal operation in the Athens area that used a **rogue mobile base station** (an “**SMS blaster**”) concealed in a car to push phishing texts to nearby phones. Authorities said the device coerced phones to connect and **downgraded them from 4G to 2G**, enabling collection of identifiers (e.g., phone numbers) and delivery of scam messages impersonating banks and courier firms with **phishing links** used to steal payment card data and conduct unauthorized transactions; investigators have tied the group to at least three fraud cases and indicated the suspects may be Chinese nationals. Together, the reporting and research illustrate how SMS-delivered links can be exploited both through passive exposure of messages/URLs and through active, proximity-based telecom impersonation to distribute credential- and payment-theft lures.
1 months ago