Cybercriminals are using a new method called 'SMS pumping attacks' that does not require installing malware, stealing passwords, or hacking accounts. Through this technique, attackers send international SMS messages that generate revenue for them while the costs are charged to unsuspecting users. The process often begins with a single click on a deceptive CAPTCHA-like page.

According to Malwarebytes researcher Pieter Arntz, fake CAPTCHA pages are being used in an ongoing cyber campaign to trick mobile users into unknowingly sending multiple international SMS messages. Attackers lure users through malicious ads or fake telecom websites with minor spelling errors in their domains. Once users click a button, their SMS app opens with prewritten messages and recipient lists.

The attack involves sending messages to dozens of international numbers across 17 countries, including Azerbaijan, Myanmar, and Egypt, where SMS charges are high. This scheme, known as 'international revenue share fraud,' can result in bills of up to 30 dollars for individual users. Experts advise avoiding sending SMS to verify identity, not clicking suspicious links, and recognizing that genuine CAPTCHA pages never open SMS apps.