This SMS Pumping Attack Starts Hitting Your Phone Bill After 1 Click
Cybercriminals can now earn their ill-gotten gains without installing malware, without stealing your password, and without compromising your accounts. Using an SMS pumping attack to send multiple international text messages, threat actors can earn a lot of money, and you will pay for it. And it all starts with a single click.
SMS Pumping Attacks Explained
Are you a robot? Hopefully, the answer is no. Having to prove that you are human online is no joke, though, and CAPTCHA fatigue is very real indeed. Formerly known as “Completely Automated Public Turing test to tell Computers and Humans Apart,” the CAPTCHA test is perhaps best recognized by users as either a block of scrambled text to copy or a grid of photos in which you must identify a bicycle or a traffic light. Yeah, that darned thing. Here’s the thing, though: these tests have become so ubiquitous that most people just get on with them without giving it much thought. And that’s where threat actors enter the equation. In the past 12 months or so, something known as a ClickFix attack has proven hugely popular with cybercriminals. Essentially, this is a fake CAPTCHA test, taking the form of what you might call a hack-your-own-password exploit: users are asked to copy commands into a system dialog. Yeah, don’t do that.
The latest ClickFix-related security warning comes from Pieter Arntz, a malware intelligence researcher at Malwarebytes, who warned that an ongoing threat campaign is using “fake CAPTCHA pages to trick mobile users into sending dozens of international SMS messages in the background.”
Rather than relying on SMS malware apps, the attackers appear to be using various methods to get victims to the fake CAPTCHA page, such as malicious advertising or redirects from look-alike domains that use typos to closely mimic those of known telecom providers. In order to continue with whatever it is they think they are doing, users are “prompted to tap a button that opens their SMS app with a pre-filled message and recipient list,” Arntz warned.
The clever bit of the SMS pumping attack is that the recipient list isn’t a simple one-to-one SMS number thing, oh no. Instead, that single tap on the CAPTCHA turns into a whole series of further steps to complete the check, each of which is actually a message that is “preconfigured with more than a dozen international numbers across 17 countries known for high termination fees, including Azerbaijan, Myanmar, and Egypt,” according to Arntz’s report.
The payload for the criminals, literally, is that by employing this type of International Revenue Share Fraud methodology, revenue is generated by the traffic to the destination numbers. “On a typical consumer plan,” Arntz said, “that can translate to roughly $30 in international SMS charges per person, with a slice of the termination fees flowing back to the attacker via revenue‑sharing agreements.”
Mitigation sounds simple enough, and it really is, as long as you have your wits about you. Never send an SMS to prove you’re human. Genuine CAPTCHA tests don’t work like that; they run within the web browser itself. Of course, having your wits about you is easier said than done when you are in a hurry, stressed or distracted. Try to stay safe out there folks!
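The mechanism described above (a “verify you are human” button whose link opens the SMS app with a pre-filled message and a multi-recipient international number list) and the mitigation advice (a genuine CAPTCHA never leaves the browser) both boil down to one detectable pattern. The following script is an added example, not code from Malwarebytes, Arntz or this article: it scans captured page HTML for `sms:` links (the URI scheme defined in RFC 5724, which allows comma-separated recipients and a `body` parameter), counts recipients, and flags pages that would fan a single tap out into several foreign messages. The country calling codes for Azerbaijan, Myanmar and Egypt are the real ones; the phone numbers in the sample pages are constructed placeholders, and the `home_prefix` of `"1"` (North America) is an assumption you would set for your own user base.

```python
"""Flag web pages whose 'tap to continue' link opens the SMS app with a
pre-filled, multi-recipient international message (the SMS-pumping pattern).
Added example: not Malwarebytes' or the article's code."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Country calling codes for the destinations the article names as
# high-termination-fee countries. Assumption: a defender extends this list.
HIGH_COST_PREFIXES = {"994": "Azerbaijan", "95": "Myanmar", "20": "Egypt"}


class SmsLinkCollector(HTMLParser):
    """Collect every href that uses the sms: URI scheme (RFC 5724)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("sms:"):
                self.links.append(value)


def parse_sms_uri(uri):
    """Split 'sms:num1,num2?body=...' into (recipient list, body text)."""
    rest = uri[len("sms:"):]
    recipients_part, _, query = rest.partition("?")
    recipients = [r.strip() for r in recipients_part.split(",") if r.strip()]
    body = ""
    for kv in query.split("&"):
        key, _, value = kv.partition("=")
        if key == "body":
            body = unquote(value)
    return recipients, body


def country_of(number):
    """Map a number to a named high-cost country by its calling code, else None."""
    digits = re.sub(r"\D", "", number)
    # Longest prefix first so '994' (Azerbaijan) is not misread as '99'.
    for prefix in sorted(HIGH_COST_PREFIXES, key=len, reverse=True):
        if digits.startswith(prefix):
            return HIGH_COST_PREFIXES[prefix]
    return None


def assess_page(html, home_prefix="1"):
    """Return per-link findings plus an overall verdict.

    A page is suspicious when one tap would send to more than one recipient
    and at least one recipient is outside the user's home calling code.
    home_prefix='1' (North America) is an assumption for this example.
    """
    collector = SmsLinkCollector()
    collector.feed(html)
    findings = []
    for link in collector.links:
        recipients, body = parse_sms_uri(link)
        foreign = [r for r in recipients
                   if not re.sub(r"\D", "", r).startswith(home_prefix)]
        countries = sorted({c for c in map(country_of, recipients) if c})
        findings.append({
            "uri": link,
            "recipients": len(recipients),
            "foreign": len(foreign),
            "countries": countries,
            "body": body,
        })
    suspicious = any(f["recipients"] > 1 and f["foreign"] > 0 for f in findings)
    return {"links": findings, "suspicious": suspicious}


# Constructed sample pages; the phone numbers are placeholders, not real ones.
SAMPLE_PAGE = """
<html><body>
<p>Verify you are human to continue</p>
<a href="sms:+99400000001,+95000000002,+20000000003?body=CAPTCHA%20verify">I'm not a robot</a>
<a href="https://example.invalid/help">Help</a>
</body></html>
"""

BENIGN_PAGE = """
<html><body>
<a href="sms:+15550000000?body=hi">Text our support line</a>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("fake-captcha", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, assess_page(page))
```

Run it over HTML captured from a proxy or a URL sandbox; a hit on `suspicious` is a reason to block the page at the gateway and to check telecom bills for outbound international SMS from that time window. The recipient-count rule is what separates this from a legitimate “text us” link, which carries one domestic number.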