[TIMESTAMP: 2026-04-27 08:57 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Keitaro TDS Campaigns Exploit Fake CAPTCHAs for IRSF Fraud

HIGH | Threat Intel | #Keitaro TDS #IRSF #SMS Fraud
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Immediate impact: Mobile users are tricked into sending premium SMS messages that incur significant charges on their cellular billing accounts.
  • [02] Affected systems: Mobile devices interacting with malicious landing pages redirected through the Keitaro Traffic Distribution System.
  • [03] Remediation: Implement DNS-level filtering to block Keitaro TDS domains and restrict premium-rate SMS services on corporate mobile devices.

Researchers at Infoblox have uncovered a sophisticated telecommunications fraud operation leveraging fake CAPTCHA prompts to facilitate International Revenue Share Fraud (IRSF). This campaign, according to The Hacker News, employs over 120 distinct Keitaro Traffic Distribution System (TDS) instances to funnel victims toward malicious landing pages designed to drain mobile account balances.

Technical Analysis: The Fake CAPTCHA IRSF Scam Mechanism

The operation relies on a multi-stage chain of tactics, techniques and procedures (TTPs) that manipulates user behavior through social engineering. The attack begins when a user is redirected through a traffic distribution network such as Keitaro to a site hosting a fake CAPTCHA. These sites mimic legitimate security checks to build a false sense of trust, prompting the user to “verify they are human.”

When the user interacts with the deceptive interface, the site invokes an sms: URI. This opens the device’s native messaging application with a pre-filled premium-rate phone number and a specific code in the message body. If the user hits send, they unknowingly participate in IRSF, where the attackers receive a portion of the high-cost international message fee. This form of phishing is particularly effective because it bypasses traditional email filters by operating entirely within the mobile browser and SMS ecosystem.
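The sms: URI trick described above leaves a recognisable artifact in the landing page itself: a link or inline script that hands the browser an `sms:` URI with a pre-filled body. The following scanner, an added example written for this article and not code from Infoblox or the report, extracts such URIs from page HTML (both `href` attributes and inline JavaScript) and flags ones that combine a pre-filled body with a destination outside the organisation's home country code. The sample page, the destination number `+999000111222` (an unassigned placeholder prefix), and the `HOME_COUNTRY_CODE` setting are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Assumption: the organisation's home country code; anything else is treated as international.
HOME_COUNTRY_CODE = "+1"

# Constructed sample imitating a fake-CAPTCHA landing page. The number uses the
# unassigned +999 prefix as a placeholder; it is not a real IoC from the report.
SAMPLE_HTML = """
<html><body>
<div id="captcha">Verify you are human</div>
<a id="verify" href="sms:+999000111222?body=GO%204421">Click to verify</a>
<script>
  function go() { window.location.href = "sms:+999000111222?body=GO%204421"; }
  document.getElementById("captcha").onclick = go;
</script>
<a href="https://example.org/help">Help</a>
</body></html>
"""

# Matches sms: URIs embedded in script or text; stops at quotes, whitespace and tag delimiters.
SMS_URI_RE = re.compile(r"""sms:[^\s"'<>)]+""", re.IGNORECASE)


class SmsUriCollector(HTMLParser):
    """Collects sms: URIs from link-like attributes and from inline script/text."""

    def __init__(self):
        super().__init__()
        self.uris = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in ("href", "action", "data-href") and value.lower().startswith("sms:"):
                self.uris.append(value)

    def handle_data(self, data):
        # Script bodies are delivered here as raw text, so inline JS redirects are caught too.
        self.uris.extend(SMS_URI_RE.findall(data))


def parse_sms_uri(uri):
    """Split an sms: URI into (number, body). Accepts RFC 5724 '?body=' and the
    iOS-style '&body=' separator."""
    rest = uri[len("sms:"):]
    number, sep, tail = re.split(r"([?&])", rest, maxsplit=1) + ["", ""][: 2 - rest.count("?") - rest.count("&") and 0 :] if False else (re.split(r"[?&]", rest, maxsplit=1) + [""])[:2] + [""]
    # parse_qs percent-decodes, so 'GO%204421' becomes 'GO 4421'
    body = parse_qs(sep or tail).get("body", [""])[0] if False else parse_qs(number if False else (re.split(r"[?&]", rest, maxsplit=1) + [""])[1]).get("body", [""])[0]
    return (re.split(r"[?&]", rest, maxsplit=1)[0], body)


def assess(html):
    """Return one finding per distinct sms: URI, with the reasons it looks like IRSF bait."""
    collector = SmsUriCollector()
    collector.feed(html)
    findings = []
    for uri in dict.fromkeys(collector.uris):  # de-duplicate while keeping order
        number, body = parse_sms_uri(uri)
        reasons = []
        if body:
            reasons.append("pre-filled message body")
        if number.startswith("+") and not number.startswith(HOME_COUNTRY_CODE):
            reasons.append("international destination")
        findings.append({"uri": uri, "number": number, "body": body, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_HTML):
        print(f)
```

Any page that needs both a pre-filled body and an international destination before it will "verify" a visitor is worth treating as suspicious regardless of whether the hosting domain is on a blocklist yet; the TDS rotates domains, but the payload pattern stays the same.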

How to Detect Keitaro TDS Traffic Distribution

Security teams trying to detect Keitaro TDS traffic distribution should focus on identifying anomalous DNS queries and HTTP redirection patterns. Keitaro is frequently used by both legitimate affiliate marketers and threat actors to manage traffic flows based on geography, device type, and browser headers. In this campaign, the TDS acts as a gateway, ensuring only “profitable” victims—those on mobile devices capable of sending SMS—reach the final IRSF landing page. Monitoring for rapid redirects through known Keitaro infrastructure is a primary IoC for this activity.
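The "rapid redirects" indicator above can be turned into a concrete detection over web-proxy logs. The script below is an added example, not tooling from Infoblox or the article: it reconstructs per-client redirect chains by matching each 3xx response's Location header against the client's next request, then flags chains that pass through several distinct hosts within a few seconds. The log format (timestamp, client, method, URL, status, Location) and the hostnames are constructed for the example; no Keitaro domain from the report is used.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log: "timestamp client method url status location" ('-' = no Location header).
# Client 10.0.0.5 is bounced through three redirectors into a landing page; 10.0.0.7 is a benign
# http->https upgrade. Hostnames are placeholders, not IoCs from the report.
SAMPLE_LOG = """
2026-04-27T08:57:01Z 10.0.0.5 GET http://ad-click.example/track 302 http://tds-one.example/go
2026-04-27T08:57:01Z 10.0.0.5 GET http://tds-one.example/go 302 http://tds-two.example/r
2026-04-27T08:57:02Z 10.0.0.5 GET http://tds-two.example/r 302 http://landing.example/captcha
2026-04-27T08:57:02Z 10.0.0.5 GET http://landing.example/captcha 200 -
2026-04-27T08:58:10Z 10.0.0.7 GET http://news.example/ 301 https://news.example/
2026-04-27T08:58:10Z 10.0.0.7 GET https://news.example/ 200 -
""".strip().splitlines()


def parse_line(line):
    ts, client, method, url, status, location = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "url": url,
        "status": int(status),
        "location": None if location == "-" else location,
    }


def is_redirect(rec):
    return 300 <= rec["status"] < 400 and rec["location"] is not None


def find_redirect_chains(lines, max_gap=timedelta(seconds=5)):
    """Group requests per client and stitch them into chains: a 3xx whose Location
    equals the client's next request URL (within max_gap) continues the chain."""
    by_client = defaultdict(list)
    for rec in map(parse_line, lines):
        by_client[rec["client"]].append(rec)

    chains = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])  # stable sort keeps file order for equal timestamps
        current = []
        for rec in recs:
            if current and current[-1]["location"] == rec["url"] and rec["ts"] - current[-1]["ts"] <= max_gap:
                current.append(rec)
                if not is_redirect(rec):          # landed on a final page: chain complete
                    chains.append((client, current))
                    current = []
                continue
            if current:                           # chain broken (user navigated away)
                chains.append((client, current))
                current = []
            if is_redirect(rec):
                current = [rec]
        if current:
            chains.append((client, current))
    return chains


def suspicious_chains(lines, min_hops=3, min_hosts=3):
    """Flag chains with at least min_hops redirects across at least min_hosts distinct hosts."""
    flagged = []
    for client, chain in find_redirect_chains(lines):
        hops = sum(1 for r in chain if is_redirect(r))
        hosts = {urlsplit(r["url"]).hostname for r in chain}
        if hops >= min_hops and len(hosts) >= min_hosts:
            flagged.append({
                "client": client,
                "hops": hops,
                "hosts": sorted(hosts),
                "final": chain[-1]["url"],
                "elapsed_s": (chain[-1]["ts"] - chain[0]["ts"]).total_seconds(),
            })
    return flagged


if __name__ == "__main__":
    for alert in suspicious_chains(SAMPLE_LOG):
        print(alert)
```

Thresholds of three hops and three hosts are a starting point; legitimate ad-tech also chains redirects, so in practice the hit list is triaged by the final landing host and by whether the client's User-Agent is a mobile browser, which is exactly the population the TDS filters for.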

The Scale of Keitaro-Driven Fraud

The Infoblox report highlights the sheer volume of this threat, noting more than 120 Keitaro campaigns active globally. These campaigns are not limited to IRSF; some have been observed redirecting users to cryptocurrency scams and other fraudulent schemes. The use of a TDS allows the attackers to rotate infrastructure rapidly, making static blocking lists less effective. By dynamically changing domain names and IP addresses, the threat actors maintain a high level of persistence against standard security controls.

IRSF Scam Detection and Prevention

For telecommunications providers and enterprise SOC teams, IRSF scam detection and prevention requires a layered approach. Because the fraud occurs at the intersection of web traffic and cellular billing, defenders must monitor for high-frequency SMS traffic to known high-cost international jurisdictions, particularly those associated with premium-rate number leasing services.
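On the billing side, the two signals worth watching are a single subscriber bursting messages to a high-cost destination and many subscribers converging on the same premium number in a short window (the fingerprint of one landing page being served to many victims). The following detector is an added example, not a product or telco rule set described in the article: it runs both checks over constructed SMS call-detail records using sliding time windows. The `HIGH_COST_PREFIXES` list, the record format and the subscriber/destination values are placeholders; a real deployment would load the high-cost destination list from the operator's own rating tables.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder prefixes standing in for an operator's high-cost destination list (constructed).
HIGH_COST_PREFIXES = ("+999", "+998")

# Constructed CDR lines: "timestamp subscriber destination". sub-A bursts three messages,
# then sub-B and sub-C send to the same number; sub-D is domestic; sub-E is too late to
# fall in the same window.
SAMPLE_CDR = """
2026-04-27T09:00:01Z sub-A +999000111222
2026-04-27T09:00:40Z sub-A +999000111222
2026-04-27T09:01:15Z sub-A +999000111222
2026-04-27T09:02:05Z sub-B +999000111222
2026-04-27T09:02:50Z sub-C +999000111222
2026-04-27T09:03:00Z sub-D +15551230000
2026-04-27T09:40:00Z sub-E +999000111222
""".strip().splitlines()


def parse_cdr(line):
    ts, sub, dest = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "sub": sub, "dest": dest}


def detect_irsf(lines, window=timedelta(minutes=10), per_sub_threshold=3, fan_in_threshold=3):
    """Return alerts of two kinds:
      ("subscriber_burst", subscriber, destination)  - one subscriber sent >= per_sub_threshold
                                                       messages to high-cost destinations in `window`
      ("destination_fan_in", destination, n)         - >= fan_in_threshold distinct subscribers hit
                                                       the same high-cost number in `window`
    Each subscriber / destination is reported at most once."""
    recs = sorted((parse_cdr(l) for l in lines), key=lambda r: r["ts"])
    recs = [r for r in recs if r["dest"].startswith(HIGH_COST_PREFIXES)]

    sub_windows = defaultdict(deque)    # subscriber -> timestamps of recent high-cost sends
    dest_windows = defaultdict(deque)   # destination -> (timestamp, subscriber) of recent sends
    flagged_subs, flagged_dests, alerts = set(), set(), []

    for r in recs:
        q = sub_windows[r["sub"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:      # evict sends older than the window
            q.popleft()
        if len(q) >= per_sub_threshold and r["sub"] not in flagged_subs:
            flagged_subs.add(r["sub"])
            alerts.append(("subscriber_burst", r["sub"], r["dest"]))

        d = dest_windows[r["dest"]]
        d.append((r["ts"], r["sub"]))
        while d and r["ts"] - d[0][0] > window:
            d.popleft()
        distinct = {s for _, s in d}
        if len(distinct) >= fan_in_threshold and r["dest"] not in flagged_dests:
            flagged_dests.add(r["dest"])
            alerts.append(("destination_fan_in", r["dest"], len(distinct)))

    return alerts


if __name__ == "__main__":
    for alert in detect_irsf(SAMPLE_CDR):
        print(alert)
```

The fan-in rule is the more useful of the two for this campaign: a victim typically sends only one or two messages, so per-subscriber thresholds stay quiet, while the premium number behind a fake CAPTCHA collects traffic from many unrelated subscribers at once.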

Fake CAPTCHA SMS Fraud Mitigation

To effectively implement fake CAPTCHA SMS fraud mitigation, organizations and security professionals should consider the following technical controls:

  • DNS Filtering: Deploy DNS security solutions that can identify and block domains associated with Keitaro TDS infrastructure in real-time.
  • User Awareness: Educate employees on the risks of interacting with unusual CAPTCHA prompts, especially those that trigger secondary applications like SMS or phone dialers.
  • Device Management: Work with mobile service providers to disable or restrict premium-rate SMS services on corporate-owned devices to prevent unauthorized billing.
  • Ad-Blocking: Implement network-wide ad-blocking to reduce the likelihood of users clicking on the malicious advertisements that serve as the initial entry point for the Keitaro redirection chain.

By understanding the underlying infrastructure, such as the Keitaro TDS, defenders can move beyond reactive blocking and begin to disrupt the economic incentives that drive these fraudulent campaigns.
