That 'I'm Not a Robot' Click Is Sending Texts to 17 Countries Without You Knowing
A fake "I'm not a robot" checkbox is quietly sending up to 60 international text messages from victims' phones — and most people don't notice until the bill arrives.
Picture clicking a standard-looking CAPTCHA box on a website — the familiar "I'm not a robot" step most people do without thinking — and then going about your day. Weeks later, your phone bill arrives with $30 in charges you don't recognize. According to security researchers at Kraven Security and Infoblox, that's exactly what a wave of fake CAPTCHA pages is doing: the moment a visitor clicks the fake verification button, JavaScript silently opens the phone's messaging app, pre-fills up to 15 international phone numbers, and sends up to 60 premium-rate text messages before the person realizes anything has happened.
The pages are designed to closely resemble Google's reCAPTCHA, and some use JavaScript to disable the browser's back button so visitors can't easily leave. According to Infoblox researchers, the scheme — described as a "ClickFix"-style attack — has been running since at least June 2020 and has been tied to more than 120 separate campaigns. The numbers receiving the texts are controlled by the fraudsters, who profit through what the telecom industry calls International Revenue Share Fraud: carriers pay termination fees for routing international messages, and the attackers collect a cut of those fees on each text delivered.
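The tell in this story is structural: a verification widget that reaches for the phone's messaging app. The scanner below is an added example (not tooling from Kraven Security or Infoblox) that applies that rule to a saved copy of a page. It assumes the page opens the messaging app through sms: links (the standard URI scheme for that, RFC 5724, which allows several comma-separated recipients), and that back-button trapping shows up as history.pushState or popstate handling in inline script. The sample HTML, the phone numbers and the home country code are constructed for the demonstration.

```python
"""Heuristic scanner for CAPTCHA-lookalike pages that open the SMS app.
Added example; assumes sms: links and pushState-based back-button trapping."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

HOME_COUNTRY_CODE = "1"  # assumption: the reader's own country code; adjust as needed

SMS_RE = re.compile(r"^sms(?:to)?:([^?]*)", re.IGNORECASE)
# sms: URIs may also be assigned to location.href from script instead of sitting in an href
SCRIPT_SMS_RE = re.compile(r"[\"'](sms(?:to)?:[^\"']+)[\"']", re.IGNORECASE)
CAPTCHA_RE = re.compile(r"not a robot|recaptcha", re.IGNORECASE)
BACK_TRAP_RE = re.compile(r"history\.pushState|popstate")


class _Collector(HTMLParser):
    """Collects href/action attribute values and inline <script> text."""

    def __init__(self):
        super().__init__()
        self.links, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in ("href", "action") and value:
                self.links.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def sms_recipients(uri):
    """Phone numbers listed in an sms: URI (empty list for any other URI)."""
    m = SMS_RE.match(uri.strip())
    if not m:
        return []
    return [n.strip() for n in unquote(m.group(1)).split(",") if n.strip()]


def is_international(number, home_cc=HOME_COUNTRY_CODE):
    """True when the number carries an explicit + country code other than the home one."""
    digits = re.sub(r"[^\d+]", "", number)
    return digits.startswith("+") and not digits.startswith("+" + home_cc)


def scan_page(html, home_cc=HOME_COUNTRY_CODE):
    """Summarise sms: links, recipients and back-button trapping found in one page."""
    p = _Collector()
    p.feed(html)
    script_text = "\n".join(p.scripts)
    candidates = p.links + SCRIPT_SMS_RE.findall(script_text)
    recipients = [n for uri in candidates for n in sms_recipients(uri)]
    findings = {
        "looks_like_captcha": bool(CAPTCHA_RE.search(html)),
        "sms_links": sum(1 for u in candidates if SMS_RE.match(u.strip())),
        "recipients": len(recipients),
        "international_recipients": sum(1 for n in recipients if is_international(n, home_cc)),
        "back_button_trap": bool(BACK_TRAP_RE.search(script_text)),
    }
    # The rule from the story: a verification widget never needs the messaging app.
    findings["suspicious"] = findings["looks_like_captcha"] and findings["sms_links"] > 0
    return findings


# Constructed sample page: a reCAPTCHA-styled anchor whose "checkbox" is an sms: link
# with three foreign recipients, plus a script that re-pushes history on every back press.
SAMPLE_HTML = """
<div class="rc-anchor">
  <a id="verify" href="sms:+44700000000,+61200000000,+33100000000?body=OK">
    <span class="checkbox"></span> I'm not a robot
  </a>
</div>
<script>
  history.pushState(null, "", location.href);
  window.onpopstate = function () { history.pushState(null, "", location.href); };
</script>
"""

if __name__ == "__main__":
    for key, value in scan_page(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Run it against a page saved from a browser (or fetched with a plain HTTP client) rather than by visiting the page; the point of the heuristic is that the decision happens before anything is clicked.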
Researchers note that victims typically don't discover the charges until their next billing cycle, by which time the money has already moved. If any charge on your phone bill shows international SMS traffic you didn't initiate, contact your carrier directly and report it to the FTC at reportfraud.ftc.gov.
Gobble's Take: A legitimate CAPTCHA never needs to open your messaging app — if one does, that's the tell.
Source: Kraven Security
Scammers Are Opening eBay Accounts in Your Name to 'Wash' Stolen Card Numbers
A fraud pattern reported by security researchers involves scammers creating eBay accounts using a real victim's name, then locating a legitimate package delivery tracking number tied to that person's ZIP code. According to a discussion flagged by researchers on Hacker News, the stolen credit card is then used to "purchase" a fictitious item from a second account controlled by the same fraudsters — effectively moving money between two accounts while making the transaction appear to involve a real person at a real address.
The victim's name and ZIP code serve as props to make the transaction look plausible to automated fraud-detection systems. By the time the actual cardholder notices the unauthorized charge and disputes it, the funds have already been transferred out. Researchers note the process is becoming increasingly automated, with scammers assembling fragments of stolen personal data — names, ZIP codes, partial addresses — to build transaction histories that are harder to flag.
Regularly reviewing credit card and bank statements, even for small amounts, remains one of the more reliable ways to catch this type of fraud early, according to consumer protection guidance from the FTC. Unauthorized charges should be reported directly to your card issuer and to the FTC at reportfraud.ftc.gov.
Gobble's Take: Seeing your own name on a suspicious transaction is not reassurance — in this pattern, it's the warning sign.
Source: Hacker News
Four Things in a Legitimate-Looking Email That Actually Signal a Scam
Security researchers and consumer advocates have documented a shift in phishing emails: the obvious spelling errors and awkward phrasing that once marked a scam are largely gone. According to a review published by Women in Experimentation, today's fraudulent emails are often visually polished and structurally convincing — which makes the remaining tells worth knowing specifically.
The first pattern researchers flag is a domain that contains a familiar brand name but isn't the brand's actual root domain. An address like "yourbrand-support.com" is not the same as "yourbrand.com," even though it looks close at a glance. The second is vague personalization — language like "Dear valued customer" or references that could apply to any account holder, with no specific detail about your actual account or recent activity. Legitimate companies typically include at least one piece of identifying information (a partial account number, a recent transaction date) in account-related emails.
The third signal is the absence of any real name or verifiable contact behind the message — generic sender addresses or a "contact us" link that leads nowhere specific. The fourth is a single prominent link or button with no alternative way to reach the company — scammers want one click path and prefer you don't go looking for a phone number or an official website independently. If any combination of these appears in an email asking you to act quickly, researchers advise navigating directly to the company's official website by typing the address yourself rather than clicking any link in the message.
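The first two signals can be checked mechanically before a human ever reads the message. The snippet below is an added example, not code from Women in Experimentation: it decides whether a sender domain is the brand's root domain or a genuine subdomain of it (anything else that mentions the brand is a lookalike), and flags greetings with no account-specific detail. The brand table, the sample addresses and the sample bodies are constructed.

```python
"""Sender-domain and generic-greeting checks for incoming email.
Added example; the brand table and samples are constructed."""
import re

# Assumption: brand name -> registrable root domain, taken from the company's official site.
KNOWN_ROOT_DOMAINS = {"yourbrand": "yourbrand.com"}

# "Dear valued customer", "Hello user", "Hi account holder", ... at the start of a line.
GENERIC_GREETING_RE = re.compile(
    r"^\s*(dear|hello|hi)\s+(valued\s+)?(customer|user|member|client|account holder)\b",
    re.IGNORECASE | re.MULTILINE,
)


def sender_domain(address):
    """Lower-case domain of 'user@host' or 'Display Name <user@host>', else None."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return m.group(1).lower().rstrip(".") if m else None


def belongs_to(domain, root):
    """True only for the root itself or a subdomain; the dot enforces a label boundary,
    so 'yourbrand-support.com' and 'notyourbrand.com' do not pass."""
    return domain == root or domain.endswith("." + root)


def classify_sender(address):
    """'official', 'lookalike', 'unrelated' or 'invalid' for one From: address."""
    domain = sender_domain(address)
    if domain is None:
        return "invalid"
    for brand, root in KNOWN_ROOT_DOMAINS.items():
        if belongs_to(domain, root):
            return "official"
        # Brand name present somewhere in the host (hyphens ignored) but not under the real root.
        if brand in domain.replace("-", "").replace("_", ""):
            return "lookalike"
    return "unrelated"


def has_generic_greeting(body):
    """True when the message opens with a salutation that could fit any account holder."""
    return bool(GENERIC_GREETING_RE.search(body))


def triage(sender, body):
    """Names of the signals present in one message (empty list means none found)."""
    flags = []
    if classify_sender(sender) == "lookalike":
        flags.append("lookalike domain")
    if has_generic_greeting(body):
        flags.append("generic greeting")
    return flags


if __name__ == "__main__":
    # Constructed samples
    print(triage("YourBrand Support <help@yourbrand-support.com>",
                 "Dear valued customer,\nYour account will be suspended."))
    print(triage("orders@yourbrand.com", "Hi Alice,\nOrder #48213 shipped on 12 March."))
```

The subdomain test is the part worth copying: a plain substring match would accept "yourbrand.com.evil.net", while requiring the root at the end of the host, preceded by a dot, rejects it.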
Gobble's Take: When in doubt, type the company's web address yourself — that single habit sidesteps most of what's described here.
Source: Women in Experimentation