{ "Event": { "analysis": "1", "date": "2026-04-23", "extends_uuid": "", "info": "[Threat Intel] Hold the Phone! International Revenue Share Fraud Driven by Fake CAPTCHAs", "protected": false, "publish_timestamp": "1779545619", "published": true, "threat_level_id": "3", "timestamp": "1779000673", "uuid": "738dd2bc-3d76-4f60-9f80-7622aa855304", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#3d38fc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Acquire Infrastructure - T1583\"", "relationship_type": "" }, { "colour": "#c202a1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"", "relationship_type": "" }, { "colour": "#ff841f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"", "relationship_type": "" }, { "colour": "#e00500", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Access Tools - T1219\"", "relationship_type": "" }, { "colour": "#82eae0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Domains - T1583.001\"", "relationship_type": "" }, { "colour": "#75ec20", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"", "relationship_type": "" }, { "colour": "#adf1b0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"", "relationship_type": "" }, { "colour": "#9e0269", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"", "relationship_type": "" }, { "colour": "#4a5d84", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Services - T1583.006\"", "relationship_type": "" }, { "colour": "#3780c6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"", "relationship_type": "" }, { "colour": "#2da3e8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Network Information - T1590\"", "relationship_type": "" }, { "colour": "#1b95cd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"", "relationship_type": "" }, { "colour": "#efb098", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Social Media Accounts - T1585.001\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#356c41", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "relationship_type": "" }, { "colour": "#57997c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"", "relationship_type": "" }, { "colour": "#6440db", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Establish Accounts - T1585\"", "relationship_type": "" }, { "colour": "#fdd85e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Access Token Manipulation - T1134\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#bac7a9", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Domain Properties - T1590.001\"", "relationship_type": "" }, { "colour": "#66e036", "local": false, "name": "misp-galaxy:target-information=\"Austria\"", "relationship_type": "" }, { "colour": "#d802cf", "local": false, "name": "misp-galaxy:target-information=\"Azerbaijan\"", "relationship_type": "" }, { "colour": "#a7b0e0", "local": false, "name": "misp-galaxy:target-information=\"Belgium\"", "relationship_type": "" }, { "colour": "#78cd12", "local": false, "name": "misp-galaxy:target-information=\"Egypt\"", "relationship_type": "" }, { "colour": "#15ccfd", "local": false, "name": "misp-galaxy:target-information=\"France\"", "relationship_type": "" }, { "colour": "#4cea11", "local": false, "name": "misp-galaxy:target-information=\"Italy\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:target-information=\"Kazakhstan\"", "relationship_type": "" }, { "colour": "#5d3bf0", "local": false, "name": "misp-galaxy:target-information=\"Malawi\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:target-information=\"Myanmar\"", "relationship_type": "" }, { "colour": "#48df7e", "local": false, "name": "misp-galaxy:target-information=\"Netherlands\"", "relationship_type": "" }, { "colour": "#809a25", "local": false, "name": "misp-galaxy:target-information=\"Poland\"", "relationship_type": "" }, { "colour": "#f439e5", "local": false, "name": "misp-galaxy:target-information=\"Spain\"", "relationship_type": "" }, { "colour": "#63bd05", "local": false, "name": "misp-galaxy:target-information=\"Sweden\"", "relationship_type": "" }, { "colour": "#e6caf2", "local": false, "name": "misp-galaxy:target-information=\"Switzerland\"", "relationship_type": "" }, { "colour": "#e4d611", "local": false, "name": "misp-galaxy:target-information=\"Ukraine\"", "relationship_type": "" }, { "colour": "#ce59f1", "local": false, "name": "misp-galaxy:target-information=\"United Kingdom\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120046", "local": false, "name": "rectifyq:sub-category=\"infra-profile\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:producer=\"Infoblox\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777028426", "to_ids": false, "type": "link", "uuid": "ac8f66f1-00e0-48cb-af7c-cbcd894cd8a8", "value": "https://www.infoblox.com/blog/threat-intelligence/hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas/" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1777028426", "to_ids": false, "type": "text", "uuid": "87c78f08-0a52-4cea-8c84-1f04947247f8", "value": "Threat actors are leveraging fake CAPTCHA pages to trick victims into sending premium SMS messages as part of an international revenue share fraud (IRSF) scheme. Operating since at least June 2020, this campaign uses traffic distribution systems and social engineering to direct users through multi-stage fake verifications requiring SMS messages to international phone numbers across 17 countries with high termination fees. Each CAPTCHA step triggers messages to over a dozen destinations, generating over 60 SMS messages per victim costing approximately $30. The operation employs back button hijacking, sophisticated tracking cookies, and affiliate advertising networks to maximize reach while obscuring the fraud from detection. Both individual victims and telecommunication carriers suffer financial losses through this deceptive scheme." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1777028426", "to_ids": false, "type": "text", "uuid": "465eafb6-bbdd-4347-b576-6f6231c33016", "value": "Name: Hold the Phone! International Revenue Share Fraud Driven by Fake CAPTCHAs\nAuthor: AlienVault\nAdversary: \nTags: [\"social engineering\", \"irsf\", \"sms fraud\", \"click2sms\", \"fake captcha\", \"tds\"]\nTgtd countries: [\"Austria\", \"Azerbaijan\", \"Belgium\", \"Egypt\", \"France\", \"Italy\", \"Kazakhstan\", \"Malawi\", \"Myanmar\", \"Netherlands\", \"Poland\", \"Spain\", \"Sweden\", \"Switzerland\", \"Ukraine\", \"United Kingdom of Great Britain and Northern Ireland\"]\nMlwr families: []\nAttack_ids: [\"T1583\", \"T1566.002\", \"T1071\", \"T1219\", \"T1583.001\", \"T1036\", \"T1090\", \"T1102\", \"T1583.006\", \"T1204\", \"T1590\", \"T1566\", \"T1585.001\", \"T1027\", \"T1573\", \"T1102.002\", \"T1585\", \"T1134\", \"T1071.001\", \"T1590.001\"]\nIndustries: [\"Telecommunications\"]" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627634", "to_ids": true, "type": "domain", "uuid": "080f05d9-64a2-4e8e-9227-2073cbe3941d", "value": "claimandwins.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627655", "to_ids": true, "type": "domain", "uuid": "8def2333-449d-4aca-9df1-9ba5df6e61f9", "value": "verifysuper.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627676", "to_ids": true, "type": "domain", "uuid": "b473acc7-6749-4291-aad0-02eb85473ddb", "value": "4lifetips.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627698", "to_ids": true, "type": "domain", "uuid": "b189e273-6ca3-45fc-a229-228865352990", "value": "caxip.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627719", "to_ids": true, "type": "domain", "uuid": "584df1b3-06ab-46ed-a594-508e5e31bdd8", "value": "mamil.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627740", "to_ids": true, "type": "domain", "uuid": "99e012e4-1024-42ac-8189-a7966f227bff", "value": "megaplaylive.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627761", "to_ids": true, "type": "domain", "uuid": "aab2ae04-85b4-4e50-bc44-dbc14fe1eed3", "value": "solpe.top", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627782", "to_ids": true, "type": "domain", "uuid": "fa523681-7ecd-443b-92f8-398e2e439273", "value": "vassin.top", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627804", "to_ids": true, "type": "domain", "uuid": "f91f61aa-ed85-4855-9557-5016db1f3735", "value": "zawsterris.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627825", "to_ids": true, "type": "hostname", "uuid": "30d57b12-679b-45c1-903c-ae650bbb8d23", "value": "chat.matchnewtoday.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627846", "to_ids": true, "type": "hostname", "uuid": "aa180d25-1749-4641-9ad8-9dd7747d17c2", "value": "d.fufecarrol.top", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627867", "to_ids": true, "type": "hostname", "uuid": "357bbb11-6675-4cb2-a2b4-3e8a3da34d37", "value": "d.herbosfinx.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627889", "to_ids": true, "type": "hostname", "uuid": "e63f977d-fc9d-46c9-8f84-6541a9b3f96f", "value": "d.panzozerrot.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627910", "to_ids": true, "type": "hostname", "uuid": "765babac-1592-40c9-bd6e-c372ecab3b3d", "value": "d.remotesbuffalo.top", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627931", "to_ids": true, "type": "hostname", "uuid": "726c6137-74b6-43c2-9991-66186361afaa", "value": "d.ruelomamuy.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627953", "to_ids": true, "type": "hostname", "uuid": "05b70c79-f82c-4917-b01b-b48cd55034a0", "value": "d.santafebuno.top", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627974", "to_ids": true, "type": "hostname", "uuid": "bc5a02b2-234a-45b1-b2d6-3ba87cba12c5", "value": "d.vistertransit.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777627995", "to_ids": true, "type": "hostname", "uuid": "c06deff5-7898-460e-ad11-704964e4e3db", "value": "d.zerrotmamil.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777628017", "to_ids": true, "type": "hostname", "uuid": "c3f4b23a-9802-43ea-9178-96583e88d956", "value": "hotnow.sweeffg.online", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777628038", "to_ids": true, "type": "hostname", "uuid": "38cfac8b-0f11-42dc-9573-dbb807de5fbe", "value": "r.buffalosolpe.top", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777628060", "to_ids": true, "type": "hostname", "uuid": "e1968438-2dd7-4848-82f4-7b838e72eec2", "value": "r.carrolvassin.top", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777628081", "to_ids": true, "type": "hostname", "uuid": "5da257be-0fdf-4ebf-aa47-fc00b8d7f650", "value": "r.transitcaxip.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777628102", "to_ids": true, "type": "hostname", "uuid": "0af046ed-acff-41bf-a71e-2a865107c362", "value": "vids.chatorizon.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777628123", "to_ids": true, "type": "domain", "uuid": "1283bb22-a39f-4701-a8e8-0c64756aa073", "value": "colnsdital.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777628144", "to_ids": true, "type": "hostname", "uuid": "7f40912e-4d5f-4d70-a8d8-4b1a009833b2", "value": "d.marraheltin.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777628165", "to_ids": true, "type": "url", "uuid": "262a9fff-fab4-4caf-9a38-4db59c0d4db8", "value": "https://verifysuper.com/cl/i/wopmej?aff_sub4=5002320649344849&aff_sub5=US", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ] } }