Intelligent CISO Issue 98 | Page 9


CISO news

Fake CAPTCHA scams quietly drive rising phone fraud costs for carriers and customers

CAPTCHAs, a simple test used to prove human identity, are increasingly being weaponised to trigger actions with hidden costs. Infoblox Threat Intel has uncovered fake CAPTCHA pages that trick users into sending high volumes of international text messages, fuelling a long-running fraud category called international revenue share fraud (IRSF). The result is unexpected charges for consumers and growing, often hidden, revenue leakage for telecom carriers.

The research shows that seemingly everyday web interactions can be turned into billable mobile events without users clearly understanding what they are authorising. Each small extra charge looks minor on its own, but at scale this behaviour drives meaningful, recurring losses for carriers.
Dr. Renée Burton, VP of Infoblox Threat Intel
This type of fraud scheme is not new, but the method is underreported. Utilising fake CAPTCHAs in this way is a novel attack type for cybercriminals. In these attacks, a user follows instructions that look like a regular CAPTCHA but instead sends international SMS, resulting in charges on the victim’s phone bill.

“We’ve been tracking malicious use of traffic distribution systems for a while now, but tying them directly to a long-running SMS fraud scheme is new,” said Dr. Renée Burton, VP of Infoblox Threat Intel. “Affiliate-style infrastructure is being repurposed to industrialise phone fraud, while making it very hard for outsiders to see the full picture.”
This research makes one thing clear: fake CAPTCHA fraud is already exploiting that gap at Internet scale.

NCSC announces the password-less future

GCHQ’s National Cyber Security Centre (NCSC) has announced that passwords should be a thing of the past and that passkeys should be adopted en masse to decrease security risks.

A new report from the NCSC found that FIDO2 credentials, including passkeys, are as secure as or more secure than traditional MFA for individuals. This follows last year’s announcement that the UK government would roll out passkey technology for its digital services as an alternative to the current SMS-based verification system.
Steven Furnell, Senior IEEE Member and Professor of Cybersecurity at the University of Nottingham, said: “The NCSC’s recommendation to use passkeys ‘wherever a service supports them’ is good from both security and usability perspectives. Passkeys have been specifically designed to overcome our primary problems with passwords.

“However, the ‘wherever supported’ aspect is a potential challenge, because many users won’t be able to follow the guidance uniformly or consistently across the services they use. Many sites and services still don’t offer passkey support, so users will find themselves with a mixed login experience.

“Another likely challenge is that many users won’t know what passkeys are or why they’re now the thing to be looking for. We’ve been telling them for years to use better passwords and then to use two-step verification or MFA. And now there’s something else.

“It’s still the correct advice, but no matter how good passkeys are, we need to recognise that this is going to be a long game rather than flipping a switch.”
WWW.INTELLIGENTCISO.COM 9