One tap to continue watching. Also: one tap to charge your phone bill €4.50. Click2SMS, what good are you, anyway?
A redirect chain took us from a compromised legitimate site, through help_tds, then through a familiar Germany-based commercial TDS, to hmtraff[.]com where we finally arrived at d[.]gosmartdecision[.]com — part of an IRSF ecosystem we've been tracking since our fake CAPTCHA report.
The landing page shows a fake video player. A large "Continue" button sits in front of it. That button is <a href="sms:81183?body=360 *CWZQ...">. One tap opens the SMS app, pre-loaded with a message to a premium-rate French shortcode. 4.50 EUR per code.
Where the fake CAPTCHA required four separate actions to maintain a verification illusion, the video player needs one. Simpler, faster, probably more effective. The legal disclosure with the price is below the fold in 10pt text, while the large "Continue" button is in the middle of the screen.
There's a second bonus layer: the page runs device fingerprinting and injects a credit card collection form for non-mobile visitors — cardholder name, number, CVV, expiry. Mobile French users see the Click2SMS flow. Others may get card phishing. Two modes. One domain. DNS-visible delivery chain throughout.
hmtraff[.]com
d[.]gosmartdecision[.]com
Final landing page: https://urlscan.io/result/019f14b2-c99e-7677-a742-61f7c814b545/
Prior report: https://www.infoblox.com/blog/threat-intelligence/hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas/
#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #smishing #tds #irsf



















