Researchers documented a long-running international revenue share fraud (IRSF) campaign that uses fake CAPTCHA pages and TDS redirects to coerce victims into sending multiple international SMS messages that generate termination-fee revenue for the scheme's operators. The operation leverages affiliate tracking, back-button hijacking, and multi-stage redirection to maximize SMS volume and evade detection. The advice to victims is simple: do not send a text to confirm you are human. #IRSF #Click2SMS
Key points
- Actors deploy fake CAPTCHA pages that require users to send prepopulated SMS messages to dozens of international numbers, generating termination-fee revenue through IRSF.
- Traffic is delivered via commercial traffic distribution systems (TDS) and affiliate networks, hiding the scam behind multi-stage redirects and campaign parameters.
- Back button hijacking (pushState-based) traps users on scam pages to increase the likelihood they will send SMS messages.
- Campaign infrastructure spans many domains and subdomains (hosted on AS15699/Adam EcoTech and behind Cloudflare) and has been active since at least June 2020.
- Cookie-based tracking and affiliate parameters (e.g., clientId, productId, af) enable dynamic control of flows, targeting, and campaign monetization across many landing pages.
- Investigators observed two tiers of phone lists (15 tier-1 numbers and 20 tier-2 numbers) across 17 countries, including high-termination-fee destinations such as Azerbaijan, Egypt, and Myanmar.
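The affiliate parameters and the phone-list endpoint named above are the most stable things a defender can key on in web proxy telemetry. The detector below is an added example, not code from the article or from the researchers: it scans constructed proxy log lines (the log format, host names and source addresses are assumed) for the campaign parameters clientId, productId, af and af_sub and for requests to makeTrackerDownload.php, then reports which clients progressed from a parameterised TDS redirect to the phone-list fetch, i.e. those that most likely reached the fake CAPTCHA flow.

```python
"""Flag Click2SMS/IRSF traffic-distribution patterns in proxy logs.

Added example, not from the original article. The log format
"<timestamp> <client-ip> <method> <url>" and all host names are assumed;
the parameter names and the makeTrackerDownload.php endpoint are the
ones the article reports.
"""
from urllib.parse import urlsplit, parse_qs

# Campaign/affiliate parameters observed on the TDS and landing-page URLs.
AFFILIATE_PARAMS = {"clientid", "productid", "af", "af_sub"}
# Endpoint the landing pages call to fetch phone lists and flow control.
PHONE_LIST_ENDPOINT = "maketrackerdownload.php"

# Constructed sample log lines (hosts under .invalid, RFC 1918 sources).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET https://tds.example.invalid/go?clientId=254&productId=2001&af=aff77
2024-01-01T10:00:03Z 10.0.0.5 GET https://landing.example.invalid/captcha/?productId=2001&af_sub=x1
2024-01-01T10:00:07Z 10.0.0.5 GET https://landing.example.invalid/api/makeTrackerDownload.php?productId=2001&clientId=254
2024-01-01T10:00:09Z 10.0.0.9 GET https://www.example.invalid/news/index.html?ref=newsletter
"""


def parse_line(line):
    """Split one assumed-format log line into its four fields."""
    ts, src, method, url = line.split(maxsplit=3)
    return {"ts": ts, "src": src, "method": method, "url": url}


def inspect_url(url):
    """Return the list of reasons a URL looks like part of the campaign flow."""
    parts = urlsplit(url)
    # Parameter names are compared case-insensitively (clientId vs clientid).
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    reasons = []
    hit = sorted(params & AFFILIATE_PARAMS)
    if hit:
        reasons.append("affiliate_params:" + ",".join(hit))
    if parts.path.lower().rsplit("/", 1)[-1] == PHONE_LIST_ENDPOINT:
        reasons.append("phone_list_endpoint")
    return reasons


def analyze(log_text):
    """Return one finding per log line that matched at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = inspect_url(rec["url"])
        if reasons:
            findings.append({**rec, "host": urlsplit(rec["url"]).hostname,
                             "reasons": reasons})
    return findings


def clients_reaching_phone_list(findings):
    """Sources that carried affiliate parameters AND fetched the phone list.

    Seeing both stages from one client is the strongest sign the user was
    funnelled all the way to a fake CAPTCHA page, so these are the hosts to
    triage first (and the users to warn not to send any SMS).
    """
    stages_by_src = {}
    for f in findings:
        stages = stages_by_src.setdefault(f["src"], set())
        for r in f["reasons"]:
            stages.add(r.split(":", 1)[0])
    wanted = {"affiliate_params", "phone_list_endpoint"}
    return sorted(src for src, stages in stages_by_src.items() if wanted <= stages)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["src"], f["host"], f["reasons"])
    print("clients reaching phone-list endpoint:", clients_reaching_phone_list(found))
```

The parameter names alone are weak evidence (affiliate networks reuse them for legitimate traffic), which is why the example only escalates a client when the phone-list fetch is also present; in a real deployment the endpoint check would be combined with the actor-controlled domains from the indicator list.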
MITRE Techniques
- [T0000] None: no MITRE ATT&CK techniques were explicitly mentioned in the article.
Indicators of Compromise
- [Domain] TDS and scam landing pages: d[.]ruelomamuy[.]com, megaplaylive[.]com, and many other actor-controlled domains such as zawsterris[.]com and colnsdital[.]com.
- [Domain] Additional fake CAPTCHA/landing domains: verifysuper[.]com, hotnow[.]sweeffg[.]online, and claimandwins[.]com (and many more domains listed in the article).
- [Phone number] Tier 1 SMS destinations used in the CAPTCHA flow: +9947764824XX (Azerbaijan), +31970391393XX (Netherlands), and 13 more numbers from Table 4.
- [Phone number] Tier 2 SMS destinations passed to megaplaylive[.]com: +2010057974XX (Egypt), +3809278854XX (Ukraine), and 18 more numbers from Table 5.
- [ASN/IP] Hosting infrastructure: AS15699 (Adam EcoTech) used to host multiple scam and gate domains; some nodes also observed behind Cloudflare and on providers such as Hetzner and DigitalOcean.
- [URL/Endpoint] API endpoint used to retrieve phone lists and control parameters: makeTrackerDownload.php (used in GET requests that return phoneNumbers and urlContent).
- [Campaign parameters/cookies] Affiliate and campaign identifiers observed: productId=2001, clientId values (e.g., 254), af/af_sub affiliate codes, and decoded cookie keys such as "valid_products" used for targeting and control.
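The fake CAPTCHA pages work by handing the browser prepopulated sms: links to the international numbers above, so a page scanner can assess a suspect landing page offline from its HTML alone. The snippet below is an added example, not code from the article: it extracts sms: links and their prefilled bodies, maps each destination to a country by longest-prefix dial-code lookup, and flags the page when it pushes the user toward several international or known high-termination-fee destinations. The HTML is constructed; the two tier-1 and one tier-2 numbers are the masked forms from the indicator list (the trailing XX is kept as published, not guessed), the local number is a 555 placeholder, and the small dial-code table covers only the countries the article names.

```python
"""Assess a landing page for Click2SMS/IRSF behaviour from its sms: links.

Added example, not from the original article. The HTML below is constructed;
phone numbers are the masked values from the indicator list (XX retained)
plus a 555 placeholder for a domestic number.
"""
import re
from urllib.parse import parse_qs

# Minimal dial-code table: only the countries named in the article, plus the
# assumed home country (+1) so domestic links are classified too.
DIAL_CODES = {"1": "US/Canada", "20": "Egypt", "31": "Netherlands",
              "95": "Myanmar", "380": "Ukraine", "994": "Azerbaijan"}
# Destinations the article singles out as high-termination-fee.
HIGH_FEE = {"Azerbaijan", "Egypt", "Myanmar"}
HOME_COUNTRY = "US/Canada"  # assumption for the example

SAMPLE_HTML = """
<p>Confirm you are human: send the code to each number below.</p>
<a href="sms:+9947764824XX?body=CONFIRM%201234">Send 1</a>
<a href="sms:+31970391393XX?&body=CONFIRM%201234">Send 2</a>
<a href="sms:+2010057974XX?body=CONFIRM">Send 3</a>
<a href="sms:+15555550100?body=hi">Text support</a>
"""

# Number may contain masked digits (X); the optional query carries the body.
SMS_LINK = re.compile(r'href="sms:([+0-9X]+)(?:\?([^"]*))?"', re.IGNORECASE)


def country_for(number):
    """Longest-prefix dial-code lookup; None when the prefix is not in the table."""
    digits = number.lstrip("+")
    for width in (3, 2, 1):
        if digits[:width] in DIAL_CODES:
            return DIAL_CODES[digits[:width]]
    return None


def extract_sms_links(html):
    """Return one record per sms: link: number, prefilled body, country."""
    links = []
    for m in SMS_LINK.finditer(html):
        number, query = m.group(1), m.group(2) or ""
        # parse_qs tolerates the leading '&' seen in the second sample link
        # and percent-decodes the body for us.
        body = parse_qs(query, keep_blank_values=True).get("body", [""])[0]
        links.append({"number": number, "body": body, "country": country_for(number)})
    return links


def assess_page(html):
    """Summarise the page and give a verdict a triage analyst can act on."""
    links = extract_sms_links(html)
    international = [l for l in links if l["country"] != HOME_COUNTRY]
    high_fee = [l for l in international if l["country"] in HIGH_FEE]
    prefilled = [l for l in links if l["body"]]
    # A CAPTCHA never needs an SMS; several international, prefilled sms: links
    # on one page is the campaign's signature.
    likely = len(international) >= 2 or bool(high_fee)
    return {"sms_links": len(links), "international": len(international),
            "high_fee": len(high_fee), "prefilled": len(prefilled),
            "verdict": "likely_irsf" if likely else "no_sms_abuse_seen",
            "destinations": sorted({l["country"] for l in international if l["country"]})}


if __name__ == "__main__":
    for link in extract_sms_links(SAMPLE_HTML):
        print(link)
    print(assess_page(SAMPLE_HTML))
```

Because the number mask is preserved, the same routine can be run over the full Table 4 and Table 5 lists as published; to score live pages one would swap in a complete dial-code table and add the actor domains as a second signal.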